Aruba 3600
6.4.2.14
My guest VAP uses the internal DB with the default server group with the 'attribute -> role -> value of -> set role' rule.
I'm creating a new VAP for a select group of users that will be placed in a different role and VLAN. This role also needs to use the local DB for auth. I'd use the Guest VAP for these users, but it sets the VLAN in the VAP config for captive portal to work. If these users use L3 auth, their VLAN won't change when their role is assigned based on the 'set role' rule in the default server group.
Anyway, the issue I'm having is that if I use the internal DB for authentication, my guest users can log in on this new VAP and vice versa. I've created a new server group using the internal DB and set the following rule:
attribute: user-role
operation: equals
operand: my-role
type: string
action: set role
value: my-role
The problem is that the guest role users still pick up the role because there is no explicit exclusion and they get the role from the AAA profile 802.1x Default Role.
Also, my-role users can log in via guest, which gives them the correct role and policy, but they'll be on the wrong VLAN.
Is there any cleaner way of handling this scenario?
Note: when I set the default 802.1x role to denyall, the server group rule to set the role doesn't seem to work. It instead puts the client in denyall.