390| Roles and Policies AOS-W 6.5.3.x| User Guide
2. Click Add to add a new set of derivation rules. Enter a name for the set of rules, and click Add. The name
appears in the User Rules Summary list.
3. In the User Rules Summary list, select the name of the rule set to configure rules.
4. Click Add to add a rule. For Set Type, select the VLAN name or ID from the VLAN drop-down menu.
(You can select VLAN to create derivation rules for setting the VLAN assigned to a client.)
5. Configure the condition for the rule by setting the Rule Type, Condition, Value parameters and optional
description of the rule. See Table 88 for descriptions of these parameters.
6. Select the role assigned to the client when this condition is met.
7. Click Add.
8. You can configure additional rules for this rule set. When you have added rules to the set, use the up or
down arrows in the Actions column to modify the order of the rules. (The first matching rule is applied.)
9. Click Apply.
10. (Optional) If the rule uses the DHCP-Option condition, best practice is to enable the Enforce DHCP
parameter in the AP group’s AAA profile, which requires users to complete a DHCP exchange to obtain an IP
address. For details on configuring this parameter in an AAA profile, see WLAN Authentication on page 438.
Configuring a User-derived Role or VLAN in the CLI
(host)(config) #aaa derivation-rules user <name>
User-Derived Role Example
The example rule shown in Figure 53 below sets a user role for clients whose host name (DHCP option 12) has
a value of 6C6170746F70, which is the hexadecimal equivalent of the ASCII string laptop. The first two digits in
the Value field are the hexadecimal value of 12 (which is 0C), followed by the specific signature to be matched.
There are many online tools available for converting ASCII text to a hexadecimal string.
Figure 53 DHCP Option Rule
To identify DHCP strings used by an individual device, access the command-line interface in config mode and
issue the command logging level debugging network process dhcpd to include DHCP option values for
DHCP-DISCOVER and DHCP-REQUEST frames in the switch’s log files:
Now, connect the device you want to identify to the network, and issue the CLI command show log network
to view the DHCP strings.
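The Value format from the User-Derived Role Example above (option code in hex, then the signature in hex), as an added Python example that is not part of the user guide: it builds a rule value from an option number and an ASCII signature, and lists candidate values from a raw DHCP options field. The function names and the sample bytes are constructed for illustration, and the code assumes the value carries no length byte, as the example above describes.

```python
from __future__ import annotations

# Constructed sample: options field of a DHCP-DISCOVER (not taken from a real device).
# 53 = message type, 12 = host name "laptop", 60 = vendor class "MSFT 5.0", 255 = end.
SAMPLE_OPTIONS = bytes.fromhex(
    "350101" "0C066C6170746F70" "3C084D53465420352E30" "FF"
)

def rule_value(option_code: int, signature: bytes) -> str:
    """Option code as two hex digits, then the signature bytes in hex.

    Assumption: no length byte in the value, matching the guide's example.
    """
    if not 1 <= option_code <= 254:  # 0 is pad and 255 is end, neither carries data
        raise ValueError("option code must be between 1 and 254")
    if not signature:
        raise ValueError("signature must not be empty")
    return f"{option_code:02X}{signature.hex().upper()}"

def parse_dhcp_options(options: bytes) -> dict[int, bytes]:
    """Walk the code/length/data options field (RFC 2132 layout)."""
    found: dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:        # pad: single byte, no length
            i += 1
            continue
        if code == 255:      # end of options
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        data = options[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} is truncated")
        found[code] = found.get(code, b"") + data  # repeated codes are concatenated
        i += 2 + length
    return found

def candidate_values(options: bytes) -> dict[int, str]:
    """Rule value for every non-empty option in the field."""
    return {c: rule_value(c, d) for c, d in parse_dhcp_options(options).items() if d}

if __name__ == "__main__":
    print(rule_value(12, b"laptop"))  # 0C6C6170746F70
    for code, value in candidate_values(SAMPLE_OPTIONS).items():
        print(f"option {code:3d}: {value}")
```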
Be aware that each device type may not have a unique DHCP fingerprint signature. For example, devices from
different manufacturers may use vendor class identifiers that begin with similar strings. If you create a DHCP-