Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
User Rules with 802.1x Authentication

  • 1.  User Rules with 802.1x Authentication

    Posted Jun 11, 2018 11:26 AM

    Hello!

    I am doing some lab testing with ArubaOS 8.2.0.2 on a C7005 controller.

    Is it possible to assign roles for 802.1x authenticated clients with User Rules instead of Server Rules? There are rule types available in User Roles that are not in the server rules, for example MAC address.

    When I have User Rules configured in my AAA profile, the device will initially get the role (in this case "laptop") but then the system will assign a new role based on the authentication type being 802.1x:

    Jun 8 09:22:07 authmgr3752: <522019> <4609> <INFO> |authmgr| MAC=3c:15:c2:e7:1a:72 IP=N/A Derived role 'laptop' at pos 2 from user rules

    Jun 8 09:22:21 authmgr3752: <522049> <3752> <INFO> |authmgr| MAC=3c:15:c2:e7:1a:72,IP=N/A User role updated, existing Role=laptop/none, new Role=authenticated/none, reason=station Authenticated with auth type: 802.1x

    I can't find anywhere in the GUI or CLI to override this and allow User Rules to be used.

    Thanks!

    Alex



  • 2.  RE: User Rules with 802.1x Authentication

    EMPLOYEE
    Posted Jun 11, 2018 04:01 PM

    Hi,

    If I understand it correctly you have a SSID with 802.1x and you want to be able to assign a role based on MAC address? But why use 802.1x? With 802.1x you also need to pass the 802.1x part successfully. If you use ClearPass you can mix 802.1x with MAC address as ClearPass gets the MAC address in the RADIUS request.

    As I found people online answering differently (SDR takes precedence over UDR, or UDR always takes over SDR), I went back to the course guides to make sure.

    This is what the courseware states:

    The methods of assigning user roles are, from lowest to highest precedence:

    1. The initial user role or VLAN for unauthenticated clients is configured in the AAA profile for a virtual AP.
    2. The user role can be derived from user attributes upon the client's association with an AP (this is known as a user-derived role). User-derivation rules are executed before client authentication.
    3. The user role can be the default user role configured for an authentication method.
    4. The user role can be derived from attributes returned by the authentication server and certain client attributes (this is known as a server-derived role).
    5. The user role can be derived from Aruba Vendor-Specific Attributes (VSA) for RADIUS server authentication. A role derived from an Aruba VSA takes precedence over any other user roles.

    So as it now works for you it is matching the courseware.

    I would look at a setup with ClearPass or another RADIUS server which can also use the MAC address in the 802.1x, and that way only use server-derived rules.

    Good luck.



  • 3.  RE: User Rules with 802.1x Authentication

    Posted Jun 12, 2018 02:18 PM

    Hi Frank,

    Thanks for your detailed response! With the courseware explanations, it makes more sense why things are acting like they are.

    I was doing this as part of a lab test where I needed to do role assignment for a few clients - just using the MAC seemed like the easiest way to go about it. I was curious to see whether I could get it to work.

    I'll find another way using Server Rules.

    Thanks again,

    Alex



  • 4.  RE: User Rules with 802.1x Authentication
    Best Answer

    EMPLOYEE
    Posted Jun 11, 2018 04:21 PM

    Hi,

    As many people online give different answers I went back to the courseware for the correct answer.

    The courseware states:

    The methods of assigning user roles are, from lowest to highest precedence:

    1. The initial user role or VLAN for unauthenticated clients is configured in the AAA profile for a virtual AP.
    2. The user role can be derived from user attributes upon the client's association with an AP (this is known as a user-derived role). User-derivation rules are executed before client authentication.
    3. The user role can be the default user role configured for an authentication method.
    4. The user role can be derived from attributes returned by the authentication server and certain client attributes (this is known as a server-derived role).
    5. The user role can be derived from Aruba Vendor-Specific Attributes (VSA) for RADIUS server authentication. A role derived from an Aruba VSA takes precedence over any other user roles.

    So I would use a RADIUS server capable of using the MAC address in the 802.1x to set the correct role. ClearPass is able to do this.

    Good Luck
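To audit this precedence effect across a whole authmgr log rather than reading it by eye, here is an added Python example (written for this thread, not Aruba code and not from any poster) that parses the two message shapes quoted in the first post and flags every client whose user-derived role was later replaced by the 802.1x default role; the sample lines are the two from the first post, and the regexes are assumptions fitted to those lines only.

```python
"""Reconstruct per-client role changes from ArubaOS authmgr log lines.

Parsing below is an illustration written for this thread; the message
formats are assumed from the two lines quoted in the first post.
"""
import re
from collections import defaultdict

# Sample input: the two authmgr lines quoted in the first post.
SAMPLE_LOG = """\
Jun 8 09:22:07 authmgr3752: <522019> <4609> <INFO> |authmgr| MAC=3c:15:c2:e7:1a:72 IP=N/A Derived role 'laptop' at pos 2 from user rules
Jun 8 09:22:21 authmgr3752: <522049> <3752> <INFO> |authmgr| MAC=3c:15:c2:e7:1a:72,IP=N/A User role updated, existing Role=laptop/none, new Role=authenticated/none, reason=station Authenticated with auth type: 802.1x
"""

MAC_RE = re.compile(r"MAC=([0-9a-f:]{17})")
# Precedence step 2 in the courseware list: role from user-derivation rules.
DERIVED_RE = re.compile(r"Derived role '([^']+)' at pos (\d+) from user rules")
# Role replacement; the reason tells us which higher-precedence step won.
UPDATED_RE = re.compile(
    r"existing Role=([^/,]+)/\S*, new Role=([^/,]+)/\S*, reason=(.*)$")


def parse_role_events(log_text):
    """Return {mac: [(kind, details), ...]} in log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        mac = MAC_RE.search(line)
        if not mac:
            continue
        m = DERIVED_RE.search(line)
        if m:
            events[mac.group(1)].append(
                ("udr", {"role": m.group(1), "pos": int(m.group(2))}))
            continue
        m = UPDATED_RE.search(line)
        if m:
            events[mac.group(1)].append(
                ("update", {"old": m.group(1), "new": m.group(2),
                            "reason": m.group(3)}))
    return dict(events)


def find_overridden_udr(log_text):
    """List (mac, udr_role, new_role) where a user-derived role was replaced
    because the station completed 802.1x authentication (precedence step 3)."""
    findings = []
    for mac, evs in parse_role_events(log_text).items():
        udr_role = None
        for kind, d in evs:
            if kind == "udr":
                udr_role = d["role"]
            elif (kind == "update" and udr_role and d["old"] == udr_role
                  and "802.1x" in d["reason"]):
                findings.append((mac, udr_role, d["new"]))
    return findings
```

Run it over an exported `show log user` or syslog capture to list which clients lost a MAC-based role to the authentication-method default; each hit is a client whose policy now depends on the server-side role, not the User Rule.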