Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

user derivation-rules amount/limit

  • 1.  user derivation-rules amount/limit

    Posted Nov 22, 2016 10:39 AM

    Hi AirHeads,

     

    Under UDR (User derivation rules), is there any recorded limit, i.e. up to XXXX lines can be added under a single list?

    [Attachment: 2016-11-22_17-37-53.jpg]

    Please advise.



  • 2.  RE: user derivation-rules amount/limit

    EMPLOYEE
    Posted Jun 22, 2019 11:52 PM

    Would that be under controller's internal DB limit?  



  • 3.  RE: user derivation-rules amount/limit

    Posted Jun 23, 2019 08:37 PM

    I'm curious. What are you looking to do that you want/need a long list of User Rule conditions?



  • 4.  RE: user derivation-rules amount/limit

    EMPLOYEE
    Posted Jun 24, 2019 01:08 AM

    We have a client that needs to use MAC authentication.  We told them to use user derivation rules to set the role for the MAC addresses.  The bunch of MAC addresses and conditions is under one rule.  This user derivation rule is added to the AAA profile of the SSID.



  • 5.  RE: user derivation-rules amount/limit

    Posted Jun 24, 2019 01:50 AM

    Okay, so based on what you want to do, let's look at the following.

     

    There are two ways to validate MAC addresses. One way is through conditions in User rules, which is technically just setting up a MAC filter, not technically authenticating. The other way is to have the MAC address authenticated against a database, which is MAC authentication.

     

    The first method has a long list of rules, as you know from your question. If the device connecting is at the bottom of the rules list, then every rule must be processed before you would finally get to the rule that would then assign them their role. It is cumbersome, and more prone to typos. Also, any management means changes to the configuration itself, which is again more prone to errors, and an administrator with access to the OS must make those changes.

     

    The other method is to do MAC authentication. On the AAA profile you would enable a MACauth profile, and a database where the MAC addresses would be searched (the same way a username would be searched in a user database). One difference is that the MAC address would be entered in the database as both the username and password. However you enter the MAC address in the database, you need to specify that in the MACauth profile. For example, if you enter it as xx:xx:xx:xx:xx:xx then you would select colon delimited in the profile. If you entered it as xxxxxxxxxxxx then you would select none. You see, the controller is taking the MAC address using the profile delimiting rules and sending it to the authentication server, which then just looks it up as a string/username. As for the database, you can use the internal database on the controller, or an external RADIUS server. Any additions or deletions would be just adding or deleting entries in the database, not making changes to the running config.

     

    Another benefit of MAC authentication is that Role Based Access Control (RBAC) can be deployed, so different MAC addresses could get different roles. If you used an external server that could return Vendor Specific Attributes (VSAs) or IETF attributes (such as Filter-Id), then the attribute can assign the role.

     

    Some thoughts for you to consider.

     

    In the meanwhile, if you want to try to understand how roles are derived (assigned), I wrote an Aruba OS 6.x book and made 15 PDFs available for anyone to download (sorry I don't give the book away, that you have to purchase. The 8.x book should be available in about 2 months). Anyway, if you go to www.westcott-consulting.com and click on download, you can get the files. One of the files is a role derivation flowchart that I created. The website has you sign up for my mailing list to validate that you are a real person. You can remove yourself from it if you want (I rarely send anything out).

     

    I hope this helps,



  • 6.  RE: user derivation-rules amount/limit

    EMPLOYEE
    Posted Jun 24, 2019 01:57 AM

    Hi David,

     

    For user derivation rules, would you know if it has a limit per rule?  If we use it against the internal DB MAC authentication, would there be any limitations?  I believe for the 7205 controller, it can store up to 8000 MAC addresses in the internal DB.

     

     



  • 7.  RE: user derivation-rules amount/limit

    Posted Jun 24, 2019 02:04 AM

    Sorry, I don't know the technical limits. I'll have to defer that to someone else.

     

    Both methods will work. I think the MACauth as I described it will be cleaner to manage and process the connections more efficiently, but you need to assess your own environment and needs.

     



  • 8.  RE: user derivation-rules amount/limit

    EMPLOYEE
    Posted Jun 24, 2019 02:17 AM

    Thanks David.  In our case, we have already recorded 700 MAC addresses in one user derivation rule.  Hope someone could enlighten us on whether there is any limitation on this setup, or whether we already need to use the internal DB MAC authentication.



  • 9.  RE: user derivation-rules amount/limit

    Posted Jun 24, 2019 02:25 AM

    With some creative copy, edit, and pasting, it wouldn't be difficult to grab the lines with the rules, yank out everything except for the MAC address, and then put database add commands with the MAC addresses to put them in the database. If you wanted to or needed to go that route.
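The conversion sketched in the last reply, combined with the delimiter/case handling described in reply 5, as an added example that is not part of the thread and not HPE Aruba Networking code. It parses a constructed sample of `aaa derivation-rules user` lines, pulls out the `macaddr equals` conditions, normalizes each MAC, and emits one `local-userdb add` command per address with the MAC as both username and password, rendered the way a MACauth profile with a given delimiter and case setting would send it. The CLI forms (`set role condition macaddr equals ... set-value ...`, `local-userdb add username ... password ... role ...`) and the profile options (`delimiter none|colon|dash`, `case lower|upper`) are assumptions based on ArubaOS 6.x and should be checked against the target controller's running config before use.

```python
"""Convert ArubaOS user-derivation MAC rules into local-userdb add commands.

Added example, not from the original thread. The CLI syntax and the MACauth
profile delimiter/case options are assumptions (ArubaOS 6.x style) and must be
verified against the controller you are targeting.
"""
import re

# Constructed sample of the lines `show running-config` would contain for a
# UDR with MAC conditions (not taken from the thread). Mixed delimiters and
# case are deliberate: that is what a hand-maintained rule list looks like.
SAMPLE_UDR_CONFIG = """\
aaa derivation-rules user "mac-whitelist"
  set role condition macaddr equals "00:1A:2B:3C:4D:5E" set-value "printer"
  set role condition macaddr equals "00-1a-2b-3c-4d-5f" set-value "scanner"
  set role condition macaddr equals "001a2b3c4d60" set-value "printer"
  set role condition essid equals "corp" set-value "employee"
!
"""

# Only macaddr conditions are converted; other condition types (essid, etc.)
# have no equivalent in a MAC database and are left for a manual decision.
MAC_RULE_RE = re.compile(
    r'set\s+role\s+condition\s+macaddr\s+equals\s+"?([0-9A-Fa-f:\-\.]+)"?'
    r'\s+set-value\s+"?([^"\s]+)"?'
)


def normalize_mac(raw: str) -> str:
    """Strip any delimiter and return the 12 hex digits, lower-case.

    Raises ValueError for anything that is not a full 48-bit MAC so that a
    typo in the rule list is caught instead of silently becoming a DB entry.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return digits


def format_mac(digits: str, delimiter: str = "none", case: str = "lower") -> str:
    """Render the MAC the way a MACauth profile with these settings sends it.

    The controller builds the User-Name/User-Password from the profile's
    delimiter and case options, so the DB entry must match that exact string.
    """
    if delimiter == "none":
        out = digits
    elif delimiter == "colon":
        out = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    elif delimiter == "dash":
        out = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    else:
        raise ValueError(f"unknown delimiter {delimiter!r}")
    return out.upper() if case == "upper" else out.lower()


def extract_mac_rules(config: str) -> list[tuple[str, str]]:
    """Return (normalized_mac, role) pairs from the macaddr conditions only."""
    rules = []
    for line in config.splitlines():
        m = MAC_RULE_RE.search(line)
        if m:
            rules.append((normalize_mac(m.group(1)), m.group(2)))
    return rules


def userdb_commands(config: str, delimiter: str = "none", case: str = "lower") -> list[str]:
    """Emit one `local-userdb add` per MAC (username == password == MAC string).

    A MAC listed twice with the same role is emitted once; a MAC listed with two
    different roles is an error, because the DB can hold only one role per entry
    while the UDR would silently have used whichever rule matched first.
    """
    seen: dict[str, str] = {}
    cmds = []
    for mac, role in extract_mac_rules(config):
        if mac in seen:
            if seen[mac] != role:
                raise ValueError(f"{mac} assigned to both {seen[mac]} and {role}")
            continue
        seen[mac] = role
        s = format_mac(mac, delimiter, case)
        cmds.append(f"local-userdb add username {s} password {s} role {role}")
    return cmds


if __name__ == "__main__":
    for cmd in userdb_commands(SAMPLE_UDR_CONFIG):
        print(cmd)
```

Pick the `delimiter` and `case` arguments to match what you set in the MACauth profile; the lookup only succeeds when the stored username is byte-for-byte the string the controller sends, which is the mismatch that most often makes a freshly migrated MAC database "not work".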