Alcatel-Lucent AOS-W 6.5.3.x - Page 391
1160 pages
Option rule that uses the starts-with condition instead of the equals condition, the rule may assign a role or
VLAN to more than one device type.
RADIUS Override of User-Derived Roles
This feature introduces a new RADIUS vendor-specific attribute (VSA) named "Aruba-No-DHCP-Fingerprint," value 14. This attribute signals the RADIUS client (switch) to ignore the DHCP fingerprint user role and VLAN change after L2 authentication. This feature applies to both CAP and RAP in tunnel mode and to the L2 authenticated role only.
Configuring a Default Role for Authentication Method
For each authentication method, you can configure a default role for clients who are successfully authenticated
using that method. To configure a default role for an authentication method:
In the WebUI
1. Navigate to the Configuration > Security > Authentication page.
2. To configure the default user role for MAC or 802.1X authentication, select the AAA Profiles tab. Select the
AAA profile. Enter the user role for MAC Authentication Default Role or 802.1X Authentication Default Role.
3. To configure the default user role for other authentication methods, select the L2 Authentication or L3
Authentication tab. Select the authentication type (Stateful 802.1X or stateful NTLM for L2
Authentication, Captive Portal or VPN for L3 Authentication), and then select the profile. Enter the user role
for Default Role.
4. Click Apply.
For additional information on configuring captive portal authentication, see Captive Portal Authentication on
page 306.
In the CLI
To configure the default user role for MAC or 802.1X authentication:
(host)(config) #aaa profile <profile>
To configure the default user role for other authentication methods:
(host)(config) #aaa authentication captive-portal|stateful-dot1x|stateful-ntlm|vpn
Configuring a Server-Derived Role
If the client is authenticated through an authentication server, the user role for the client can be based on one
or more attributes returned by the server during authentication. You configure the user role to be derived by
specifying condition rules; when a condition is met, the specified user role is assigned to the client. You can
specify more than one condition rule; the order of rules is important as the first matching condition is applied.
You can also define server rules based on client attributes such as ESSID, BSSID, or MAC address, even though
these attributes are not returned by the server.
For information about configuring a server-derived role, see Configuring Server-Derivation Rules on page 203.
Configuring a VSA-Derived Role
Many Network Access Server (NAS) vendors, including Alcatel-Lucent, use VSAs to provide features not supported by standard RADIUS attributes. For Alcatel-Lucent systems, VSAs can be employed to provide the user role and VLAN for RADIUS-authenticated clients; however, the VSAs must be present on your RADIUS server. This involves defining the vendor (Alcatel-Lucent) and/or the vendor-specific code (14823), the vendor-assigned attribute number, the attribute format (such as string or integer), and the attribute value in the RADIUS
AOS-W 6.5.3.x | User Guide Roles and Policies | 391
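The VSA layout this section describes (RFC 2865 attribute 26 carrying the vendor code 14823, a vendor-assigned attribute number, and a typed value) and the Aruba-No-DHCP-Fingerprint override from the section above, shown as an added example that is not part of the manual: it encodes Alcatel-Lucent VSAs the way a RADIUS server would and decodes them the way the switch does, skipping non-VSA attributes and rejecting malformed lengths. Vendor type 14 comes from the page; the role (1, string) and VLAN (2, integer) attribute numbers and the integer format of attribute 14 are assumed from the commonly shipped FreeRADIUS Aruba dictionary.

```python
import struct

ARUBA_VENDOR_ID = 14823   # Alcatel-Lucent/Aruba vendor code, stated on the page
VSA_TYPE = 26             # RFC 2865 Vendor-Specific attribute

# Vendor attribute numbers and formats. 14 is given on the page; 1 and 2 and the
# integer format of 14 are assumed from the FreeRADIUS Aruba dictionary.
ARUBA_ATTRS = {
    1: ("Aruba-User-Role", "string"),
    2: ("Aruba-User-Vlan", "integer"),
    14: ("Aruba-No-DHCP-Fingerprint", "integer"),
}

def encode_vsa(vendor_id, vendor_type, fmt, value):
    """Build one Vendor-Specific attribute: type 26, length, vendor id, then
    vendor type, vendor length and the value in the declared format."""
    data = value.encode() if fmt == "string" else struct.pack("!I", value)
    vendor_data = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + vendor_data
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body

def decode_attributes(blob):
    """Walk a RADIUS attribute list and return the Aruba VSAs as {name: value}.
    Standard attributes and other vendors' VSAs are skipped, not decoded."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute length")  # refuse to over-read
        atype, alen = blob[i], blob[i + 1]
        if atype == VSA_TYPE and alen >= 8:
            vendor_id = struct.unpack("!I", blob[i + 2:i + 6])[0]
            if vendor_id == ARUBA_VENDOR_ID:
                out.update(_decode_vendor_data(blob[i + 6:i + alen]))
        i += alen
    return out

def _decode_vendor_data(vd):
    out, j = {}, 0
    while j < len(vd):
        if j + 2 > len(vd) or vd[j + 1] < 2 or j + vd[j + 1] > len(vd):
            raise ValueError("malformed vendor attribute length")
        vtype, data = vd[j], vd[j + 2:j + vd[j + 1]]
        name, fmt = ARUBA_ATTRS.get(vtype, ("Aruba-Unknown-%d" % vtype, "string"))
        if fmt == "integer" and len(data) == 4:
            out[name] = struct.unpack("!I", data)[0]
        else:
            out[name] = data.decode(errors="replace")
        j += vd[j + 1]
    return out

def demo():
    # Constructed sample attribute list of an Access-Accept (not a captured packet):
    # role, VLAN, the DHCP-fingerprint override flag, and a standard Session-Timeout.
    attrs = (encode_vsa(ARUBA_VENDOR_ID, 1, "string", "employee")
             + encode_vsa(ARUBA_VENDOR_ID, 2, "integer", 100)
             + encode_vsa(ARUBA_VENDOR_ID, 14, "integer", 1)
             + bytes([27, 6, 0, 0, 14, 16]))  # Session-Timeout (type 27) = 3600
    return decode_attributes(attrs)
```

A decoded result containing Aruba-No-DHCP-Fingerprint with a nonzero value is the condition under which the switch keeps the server-supplied role and VLAN instead of applying a DHCP fingerprint change.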