
show aaa derivation-rules

show aaa derivation-rules [server-group <group-name>|user <name>]

Syntax

Parameter     Description
-----------   ------------------------
<group-name>  Name of a server group
<name>        Name of a user rule group

Description

Show derivation rules based on user information or configured for server groups.

Example

The output of the following command shows that the server group group1 has the internal database configured as its authentication server, and that there is a single rule assigned to that group. You can omit the <group-name> parameter to show a table of all your server groups.

(host) #show aaa derivation-rules server-group group1

Server Group

Name     Inservice trim-FQDN match-FQDN
----     --------- --------- ----------
Internal Yes       No

Server Rule Table
-----------------
Priority Attribute Operation Operand  Action   Value Total Hits New Hits
-------- --------- --------- -------  ------   ----- ---------- --------
1        Filter-Id equals    nsFilter set vlan 111   24         0
Rule Entries: 1

The following data columns appear in the output of this command:

Name
    Name of the authentication server assigned to this server group.

Inservice
    Specifies whether the server is in service or out of service.

trim-FQDN
    If enabled, user information in an authentication request is edited before the request is sent to the server.

match-FQDN
    If enabled, the authentication server is associated with a specified domain.

Priority
    The priority in which the rules are applied. Rules at the top of the list are applied before rules at the bottom.

Attribute
    The attribute returned by the authentication server that is examined for the Operation and Operand match.

Operation
    The match method by which the string in Operand is compared with the attribute value returned by the authentication server:

    contains – The rule is applied if and only if the attribute value contains the string in parameter Operand.
    starts-with – The rule is applied if and only if the attribute value returned starts with the string in parameter Operand.
    ends-with – The rule is applied if and only if the attribute value returned ends with the string in parameter Operand.
    equals – The rule is applied if and only if the attribute value returned equals the string in parameter Operand.
    not-equals – The rule is applied if and only if the attribute value returned is not equal to the string in parameter Operand.
    value-of – A special condition: the role or VLAN is set to the value of the attribute returned. For this to succeed, the role or VLAN ID returned as the value of the selected attribute must already be configured on the controller when the rule is applied.

Operand
    The string to which the value of the returned attribute is matched.

Action
    Identifies whether the rule sets a server group role (set role) or a VLAN (set vlan).

Value
    The user role or VLAN ID to be assigned to the client if the condition is met.

Total Hits
    Number of times the rule has been applied since the last server reboot.

New Hits
    Number of times the rule has been applied since the show aaa derivation-rules command was last issued.
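The Operation column descriptions above (and the identical list in the User Rule Table section below) define how a returned attribute is matched and what value-of requires. The following Python model is an added example, not ArubaOS code: it implements the six match methods, applies rules in Priority order, refuses a value-of rule whose returned role or VLAN ID is not already configured, and keeps Total Hits / New Hits counters with New Hits reset by a show() call, as the page describes. Two details are our assumptions, not statements from the page: evaluation stops at the first rule that fires, and a rule whose attribute was not returned at all is skipped. The sample rules are constructed; rule 1 mirrors the page's output, rules 2 and 3 and the attribute name Tunnel-Private-Group-Id (the RFC 2868 RADIUS attribute that commonly carries a VLAN ID) are our choices.

```python
"""Model of ArubaOS AAA derivation-rule evaluation (added example, not vendor code).

Assumptions labelled here and in comments: first matching rule wins; a rule
whose attribute the server did not return is skipped.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Rule:
    priority: int
    attribute: str   # attribute returned by the authentication server
    operation: str   # contains|starts-with|ends-with|equals|not-equals|value-of
    operand: str     # string matched against the attribute value (unused for value-of)
    action: str      # "set role" or "set vlan"
    value: str       # role or VLAN ID to assign (unused for value-of)
    total_hits: int = 0   # times applied since the last reboot
    new_hits: int = 0     # times applied since the table was last shown


def string_match(operation: str, attr_value: str, operand: str) -> bool:
    """The five string match methods listed under Operation."""
    if operation == "contains":
        return operand in attr_value
    if operation == "starts-with":
        return attr_value.startswith(operand)
    if operation == "ends-with":
        return attr_value.endswith(operand)
    if operation == "equals":
        return attr_value == operand
    if operation == "not-equals":
        return attr_value != operand
    raise ValueError(f"unknown operation: {operation}")


class RuleTable:
    def __init__(self, rules: Iterable[Rule], roles: Iterable[str], vlans: Iterable[str]):
        # Lowest priority number sits at the top of the list and is tried first.
        self.rules: List[Rule] = sorted(rules, key=lambda r: r.priority)
        self.configured_roles = set(roles)   # roles that exist on the controller
        self.configured_vlans = set(vlans)   # VLAN IDs that exist on the controller

    def derive(self, returned: Dict[str, str]) -> Optional[Tuple[str, str]]:
        """Return (action, value) of the first rule that fires, or None."""
        for rule in self.rules:
            if rule.attribute not in returned:
                continue                      # assumption: absent attribute never matches
            attr_value = returned[rule.attribute]
            if rule.operation == "value-of":
                # The returned value itself becomes the role/VLAN, but only if that
                # role or VLAN ID is already configured; otherwise the rule is skipped.
                configured = (self.configured_roles if rule.action == "set role"
                              else self.configured_vlans)
                if attr_value not in configured:
                    continue
                result = attr_value
            else:
                if not string_match(rule.operation, attr_value, rule.operand):
                    continue
                result = rule.value
            rule.total_hits += 1
            rule.new_hits += 1
            return rule.action, result        # assumption: first match wins
        return None

    def show(self) -> str:
        """Render the table CLI-style and reset New Hits, as the show command does."""
        fmt = "{:<8} {:<24} {:<11} {:<10} {:<8} {:<8} {:<10} {}"
        cols = ("Priority", "Attribute", "Operation", "Operand", "Action",
                "Value", "Total Hits", "New Hits")
        lines = [fmt.format(*cols), fmt.format(*("-" * len(c) for c in cols))]
        for r in self.rules:
            lines.append(fmt.format(r.priority, r.attribute, r.operation, r.operand or "-",
                                    r.action, r.value or "-", r.total_hits, r.new_hits))
            r.new_hits = 0
        lines.append(f"Rule Entries: {len(self.rules)}")
        return "\n".join(lines)


def sample_table() -> RuleTable:
    """Constructed sample: rule 1 mirrors the page's output; rules 2 and 3 are ours."""
    rules = [
        Rule(1, "Filter-Id", "equals", "nsFilter", "set vlan", "111"),
        Rule(2, "Filter-Id", "starts-with", "eng-", "set role", "engineer"),
        Rule(3, "Tunnel-Private-Group-Id", "value-of", "", "set vlan", ""),
    ]
    return RuleTable(rules, roles={"guest", "engineer"}, vlans={"111", "200"})


if __name__ == "__main__":
    table = sample_table()
    print(table.derive({"Filter-Id": "nsFilter"}))            # ('set vlan', '111')
    print(table.derive({"Tunnel-Private-Group-Id": "999"}))   # None: VLAN 999 is not configured
    print(table.show())
```

The value-of branch is the check worth noticing: a client whose server returns a VLAN ID that does not exist on the controller gets no assignment from that rule rather than an undefined one, which is exactly the precondition the page states for value-of.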

To display derivation rules for a user group, include the user <name> parameter. You can also display a table of all user rules by including the user parameter but omitting the <name> parameter.

(host) #show aaa derivation-rules user user44

User Rule Table
---------------
Priority Attribute Operation Operand Action   Value Total Hits New Hits Description
-------- --------- --------- ------- ------   ----- ---------- -------- -----------
1        location  equals    ap23    set role guest 56         18       guestrole1

The following data columns appear in the output of this command:

Priority
    The priority in which the rules are applied. Rules at the top of the list are applied before rules at the bottom.

Attribute
    The attribute returned by the authentication server that is examined for the Operation and Operand match.

Operation
    The match method by which the string in Operand is compared with the attribute value returned by the authentication server:

    contains – The rule is applied if and only if the attribute value contains the string in parameter Operand.
    starts-with – The rule is applied if and only if the attribute value returned starts with the string in parameter Operand.
    ends-with – The rule is applied if and only if the attribute value returned ends with the string in parameter Operand.
    equals – The rule is applied if and only if the attribute value returned equals the string in parameter Operand.
    not-equals – The rule is applied if and only if the attribute value returned is not equal to the string in parameter Operand.
    value-of – A special condition: the role or VLAN is set to the value of the attribute returned. For this to succeed, the role or VLAN ID returned as the value of the selected attribute must already be configured on the controller when the rule is applied.

Operand
    The string to which the value of the returned attribute is matched.

Action
    Identifies whether the rule sets a server group role (set role) or a VLAN (set vlan).

Value
    The user role or VLAN ID to be assigned to the client if the condition is met.

Total Hits
    Number of times the rule has been applied since the last server reboot.

New Hits
    Number of times the rule has been applied since the show aaa derivation-rules command was last issued.

Description
    Optional text describing the rule. If no description was configured, this column is empty when you view the User Rule Table.

Related Commands

Command               Description
--------------------  -----------
aaa derivation-rules  Configures rules that assign a AAA profile, user role or VLAN to a client based upon the client's association with an AP.

Command History

Release          Description
---------------  -------------------
ArubaOS 8.0.0.0  Command introduced.

Command Information

Platforms      Licensing               Command Mode
-------------  ----------------------  -----------------------------------------
All platforms  Base operating system.  Enable or Config mode on Mobility Master.
