You are here: Home > CLI Commands > Just_CLI_Topics > aaa derivation-rules

aaa derivation-rules

aaa derivation-rules user <name>

no ...

set {role|vlan} condition <rule-type> <attribute> <value> set-value {<role>|<vlan>} [description <rule description>][position <number>]

Description

This command configures rules which assigns a AAAAuthentication, Authorization, and Accounting. AAA is a security framework to authenticate users, authorize the type of access based on user credentials, and record authentication events and information about the network access and network resource consumption. profile, user role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. to a client based upon the client’s association with an AP.

A user role cannot be assigned by an AAAAuthentication, Authorization, and Accounting. AAA is a security framework to authenticate users, authorize the type of access based on user credentials, and record authentication events and information about the network access and network resource consumption. derivation rule unless the managed device has a PEFNGPolicy Enforcement Firewall. PEF also known as PEFNG provides context-based controls to enforce application-layer security and prioritization. The customers using Aruba mobility controllers can avail PEF features and services by obtaining a PEF license. PEF for VPN users—Customers with PEF for VPN license can apply firewall policies to the user traffic routed to a controller through a VPN tunnel. license.

Syntax

Parameter

Description

<name>

Name that identifies this set of UDRsUser Derivation Rule. UDR is a role assignment model used by the controllers running ArubaOS to assign roles and VLANs to the WLAN users based on MAC address, BSSID, DHCP-Option, encryption type, SSID, and the location of a user. For example, for an SSID with captive portal in the initial role, a UDR can be configured for scanners to provide a role based on their MAC OUI..

no

Negates a configured rule.

set {role|vlan}

Specify whether the action of the rule is to set the role or the VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN..

condition

Condition that should be checked to derive role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN..

<rule-type>

For a rule that sets an AAAAuthentication, Authorization, and Accounting. AAA is a security framework to authenticate users, authorize the type of access based on user credentials, and record authentication events and information about the network access and network resource consumption. profile, use the user-vlan rule type.

For a role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. UDRUser Derivation Rule. UDR is a role assignment model used by the controllers running ArubaOS to assign roles and VLANs to the WLAN users based on MAC address, BSSID, DHCP-Option, encryption type, SSID, and the location of a user. For example, for an SSID with captive portal in the initial role, a UDR can be configured for scanners to provide a role based on their MAC OUI., select one of the following rules:

bssid: BSSIDBasic Service Set Identifier. The BSSID identifies a particular BSS within an area. In infrastructure BSS networks, the BSSID is the MAC address of the AP. In independent BSS or ad hoc networks, the BSSID is generated randomly. of access point.

dhcp-option: Use DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  signature matching to assign a role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN..

dhcp-option-77: Enable DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  packet processing.

encryption-type: Encryption method used by station.

essid: ESSIDExtended Service Set Identifier. ESSID refers to the ID used for identifying an extended service set. of access point.

location: user location (AP name).

macaddr: MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address of user.

NOTE: If you use the dhcp-option rule type, best practices are to enable the enforce-dhcp option in the AAAAuthentication, Authorization, and Accounting. AAA is a security framework to authenticate users, authorize the type of access based on user credentials, and record authentication events and information about the network access and network resource consumption. profile referenced by Virtual AP profile of the AP group.

<attribute><value>

Specify one of the following conditions:

contains: Check if attribute contains the string in the <value> parameter.

ends-with: Check if attribute ends with the string in the <value> parameter.

equals: Check if attribute equals the string in the <value> parameter.

not-equals: Check if attribute is not equal to the string in the <value> parameter.

starts-with: Check if attribute starts with the string in the <value> parameter.

set-value <role>|<vlan>

Specify the user role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. ID to be assigned to the client if the above condition is met.

description

Describes the UDRUser Derivation Rule. UDR is a role assignment model used by the controllers running ArubaOS to assign roles and VLANs to the WLAN users based on MAC address, BSSID, DHCP-Option, encryption type, SSID, and the location of a user. For example, for an SSID with captive portal in the initial role, a UDR can be configured for scanners to provide a role based on their MAC OUI.. This parameter is optional and has a 128 character maximum.

position

Position of this rule relative to other rules that are configured.

Usage Guidelines

The user role can be derived from attributes from the client’s association with an AP. UDRsUser Derivation Rule. UDR is a role assignment model used by the controllers running ArubaOS to assign roles and VLANs to the WLAN users based on MAC address, BSSID, DHCP-Option, encryption type, SSID, and the location of a user. For example, for an SSID with captive portal in the initial role, a UDR can be configured for scanners to provide a role based on their MAC OUI. are executed before the client is authenticated.

You configure the user role to be derived by specifying condition rules; when a condition is met, the specified user role is assigned to the client. You can specify more than one condition rule; the order of rules is important as the first matching condition is applied. You can also add a description of the rule.

The table below describes the conditions for which you can specify a user role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN..

Rule Type

Condition

Value

bssid: Assign client to a role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. based upon the BSSIDBasic Service Set Identifier. The BSSID identifies a particular BSS within an area. In infrastructure BSS networks, the BSSID is the MAC address of the AP. In independent BSS or ad hoc networks, the BSSID is generated randomly. of AP to which client is associating.

One of the following:

contains

ends with

equals

does not equal

starts with

MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address (xx:xx:xx:xx:xx:xx)

dhcp-option: Assign client to a role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. based upon the DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  signature ID.

One of the following:

equals

starts with

DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  signature ID.

NOTE: This string is not case sensitive.

dhcp-option-77: Assign client to a role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. based upon the user class identifier returned by DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  server.

equals

string

encryption-type: Assign client to a role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. based upon the encryption type used by the client.

One of the following:

equals

does not equal

Open (no encryption)

WPAWi-Fi Protected Access. WPA is an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption. or WPA2Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES. AESAdvanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.

WPAWi-Fi Protected Access. WPA is an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption.-TKIPTemporal Key Integrity Protocol. A part of the WPA encryption standard for wireless networks. TKIP is the next-generation Wired Equivalent Privacy (WEP) that provides per-packet key mixing to address the flaws encountered in the WEP standard. (static or dynamic)

Dynamic WEPWired Equivalent Privacy. WEP is a security protocol that is specified in 802.11b and is designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN.

WPAWi-Fi Protected Access. WPA is an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption. or WPA2Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES. AESAdvanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. PSKPre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access.

Static WEPWired Equivalent Privacy. WEP is a security protocol that is specified in 802.11b and is designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN.

xSec

essid: Assign client to a role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. based upon the ESSIDExtended Service Set Identifier. ESSID refers to the ID used for identifying an extended service set. to which the client is associated.

One of the following:

contains

ends with

equals

does not equal

starts with

value of (does not take string; attribute value is used as role)

string

location: Assign client to a role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. based upon the AP name to which the client is associated.

One of the following:

equals

does not equal

string

macaddr: MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address of the client.

One of the following:

contains

ends with

equals

does not equal

starts with

MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address (xx:xx:xx:xx:xx:xx)

The device identification feature allows you to assign a user role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. to a specific device type by identifying a DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  option and signature for that device. If you create a user rule with the DHCP-Option rule type, the first two characters in the Value field must represent the hexadecimal value of the DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  option that this rule should match, while the rest of the characters in the Value field indicate the DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  signature the rule should match. To create a rule that matches DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  option 12 (host name), the first two characters of the in the Value field must be the hexadecimal value of 12, which is 0C. To create a rule that matches DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  option 55, the first two characters in the Value field must be the hexadecimal value of 55, which is 37.

The following table describes some of the DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  options that are useful for assigning a user role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN..

DHCP Option

Description

Hexidecimal Equivalent

12

Host name

0C

55

Parameter Request List

37

60

Vendor Class Identifier

3C

81

Client FQDNFully Qualified Domain Name. FQDN is a complete domain name that identifies a computer or host on the Internet.

51

To identify DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  strings used by an individual device, access the CLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. in config mode and issue the following command to include DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  option values for DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network. -DISCOVER and DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network. -REQUEST frames in the log file of the managed device:

logging level debugging network process dhcpd

Now, connect the device you want to identify to the network, and issue the CLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. command show log network. The sample below is an example of the output that may be generated by this command.

 

Be aware that each device type may not have a unique DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  fingerprint signature. For example, devices from different manufacturers may use vendor class identifiers that begin with similar strings. If you create a DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network. -Option rule that uses the starts-with condition instead of the equals condition, the rule may assign a role or VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. to more than one device type.

(host) ^[md] (config) #show log network all | include DISCOVER

Feb 26 02:50:34 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 0c:736861626172657368612d39393730 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b

Feb 26 02:50:42 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 0c:736861626172657368612d39393730 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b

Feb 26 02:50:42 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 0c:736861626172657368612d39393730 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b

Feb 26 02:53:03 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: DISCOVER 00:26:c6:52:6b:7c Options 74:01 3d:010026c6526b7c 0c:41525542412d46416c73653232 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc00

...

 

(host) ^[md] (config) #show log network all| include REQUEST

Feb 26 02:53:04 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST 00:26:c6:52:6b:7c reqIP=10.10.10.254 Options 3d:010026c6526b7c 36:0a0a0a02 0c:41525542412d46416c73653232 51:00000041525542412d46416c736532322e73757279612e636f6d 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc0100

Feb 26 02:53:04 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST 00:26:c6:52:6b:7c reqIP=10.10.10.254 Options 3d:010026c6526b7c 36:0a0a0a02 0c:41525542412d46416c73653232 51:00000041525542412d46416c736532322e73757279612e636f6d 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc0100

Feb 26 02:56:02 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST 00:26:c6:52:6b:7c reqIP=10.10.10.254 Options 3d:010026c6526b7c 0c:41525542412d46416c73653232 51:00000041525542412d46416c736532322e73757279612e636f6d 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc0100

Examples

The following command sets the client’s user role to “guest” if the client associates to the “Guest” ESSIDExtended Service Set Identifier. ESSID refers to the ID used for identifying an extended service set.. The rule description indicates that is was created for special customers.

(host) ^[md] (config) aaa derivation-rules user derive1

set role condition essid equals Guest set-value guest description createdforspecialcustomers

 

The example rule shown below sets a user role for clients whose host name (DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  option 12) has a value of 6C6170746F70, which is the hexadecimal equivalent of the ASCIIAmerican Standard Code for Information Interchange. An ASCII code is a numerical representation of a character or an action. string “laptop”. The first two digits in the Value field are the hexadecimal value of 12 (which is 0C), followed by the specific signature to be matched.

(host) ^[md] (config) aaa derivation-rules user device-role

set role condition dhcp-option equals 0C6C6170746F70 set-value laptop_role

Command History

Release

Modification

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platform

License

Command Mode

All platforms

Base operating system. The PEFNGPolicy Enforcement Firewall. PEF also known as PEFNG provides context-based controls to enforce application-layer security and prioritization. The customers using Aruba mobility controllers can avail PEF features and services by obtaining a PEF license. PEF for VPN users—Customers with PEF for VPN license can apply firewall policies to the user traffic routed to a controller through a VPN tunnel. license must be installed for a user role to be assigned.

Config mode on Mobility Master.

/*]]>*/