Configuring Role Derivation Rules for AP Clients
Aruba Central allows you to configure role and VLAN derivation rules. You can configure these rules to assign a user role or VLAN to the clients connecting to an SSID or a wired profile.
Creating a Role Derivation Rule
You can configure rules for determining the role that is assigned for each authenticated client.
When creating more than one role assignment rule, the first matching rule in the rule list is applied.
To create a role assignment rule, complete the following steps:
1. In the app, set the filter to a group that contains at least one AP.
The dashboard context for the group is displayed.
2. Under , click > .
A list of access points is displayed in the view.
3. Click the icon.
The tabs to configure the access points are displayed.
4. Click the tab.
The WLANs details page is displayed.
5. In the table, select a network profile and then click the edit icon.
6. Click the tab.
7. Under , select to enable access based on user roles.
8. Under Role Assignment Rules, click Add Role Assignment. In , define a match method by which the string in Operand is matched with the attribute value returned by the authentication server.
9. From the Attribute list, select the attribute that the rule matches against. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options.
10. Select the operator from the Operator list. The following types of operators are supported:
contains—The rule is applied only if the attribute value contains the string specified in Operand.
Is the role—The rule is applied if the attribute value is the role.
equals—The rule is applied only if the attribute value is equal to the string specified in Operand.
not-equals—The rule is applied only if the attribute value is not equal to the string specified in Operand.
starts-with—The rule is applied only if the attribute value starts with the string specified in Operand.
ends-with—The rule is applied only if the attribute value ends with the string specified in Operand.
—The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the attribute is selected in the list. The attribute and are applicable only for WLAN clients.
11. Enter the string to match in the String box.
12. Select the appropriate role from the Role list.
13. Click Save.
Configuring VLAN Assignment Rule
To configure VLAN assignment rules for an SSID profile:
1. In the app, set the filter to a group that contains at least one AP.
The dashboard context for the group is displayed.
2. Under , click > .
A list of access points is displayed in the view.
3. Click the icon.
The tabs to configure the access points are displayed.
4. Click the tab.
The WLANs details page is displayed.
5. In the table, select a network profile and then click the edit icon.
6. Click the tab.
7. Select the access rule from .
8. In the , click to add a new rule. The page is displayed.
The option is also listed in the page when you create or edit a rule for wired port profiles in the > tab.
9. From the drop-down list, select option.
10. Enter the VLAN ID in the field under section. Alternatively, you can select the VLAN ID or the VLAN name from the drop-down list provided next to the VLAN ID field.
11. Click .
Configuring VLAN Derivation Rules
Users are assigned to a VLAN based on the attributes that the RADIUS server returns after the users authenticate.
To configure VLAN derivation rules for an SSID profile:
1. In the app, set the filter to a group that contains at least one AP.
The dashboard context for the group is displayed.
2. Under , click > .
A list of access points is displayed in the view.
3. Click the icon.
The tabs to configure the access points are displayed.
4. Click the tab.
The WLANs details page is displayed.
5. In the table, select a network profile and then click the edit icon.
6. Under , select under Client VLAN Assignment.
7. Click Add Rule to create a VLAN assignment rule. The window is displayed. In this window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.
8. Select an attribute from the Attribute list.
9. Select an operator from the Operator list. The following types of operators are supported:
contains—The rule is applied only if the attribute value contains the string specified in Operand.
equals—The rule is applied only if the attribute value is equal to the string specified in Operand.
not-equals—The rule is applied only if the attribute value is not equal to the string specified in Operand.
starts-with—The rule is applied only if the attribute value starts with the string specified in Operand.
ends-with—The rule is applied only if the attribute value ends with the string specified in Operand.
—The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the attribute is selected in the list. The attribute and are applicable only for the WLAN clients.
10. Enter the string to match in the String field.
11. Select the appropriate VLAN ID from VLAN. Ensure that all other required parameters are configured.
12. Click .
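The first-match ordering stated for role assignment rules, together with the operators listed for both role and VLAN derivation rules, modelled as an added Python sketch (not Aruba's code or configuration syntax). It shows how a broad contains rule placed first takes clients away from a more specific rule below it. The rule tuples, the Filter-Id values, the role names and the "regex" operator label are constructed for illustration, and an absent attribute is assumed not to match any rule.

```python
import re

# Operators named on this page. The regex operator's name is missing from the
# page text, so "regex" is a label chosen for this sketch (unanchored search
# is also an assumption).
OPERATORS = {
    "contains": lambda value, operand: operand in value,
    "equals": lambda value, operand: value == operand,
    "not-equals": lambda value, operand: value != operand,
    "starts-with": lambda value, operand: value.startswith(operand),
    "ends-with": lambda value, operand: value.endswith(operand),
    "regex": lambda value, operand: re.search(operand, value) is not None,
}

def derive(rules, attrs, default=None):
    """Return the result of the first matching rule in list order."""
    for attribute, operator, operand, result in rules:
        value = attrs.get(attribute)
        # Assumption: a rule cannot match an attribute the server did not return.
        if value is not None and OPERATORS[operator](value, operand):
            return result
    return default

def shadowed_rules(rules, samples):
    """Indexes of rules that match some sample but never win the first match."""
    matched, won = set(), set()
    for attrs in samples:
        hits = [i for i, (a, op, operand, _) in enumerate(rules)
                if attrs.get(a) is not None and OPERATORS[op](attrs[a], operand)]
        matched.update(hits)
        if hits:
            won.add(hits[0])
    return sorted(matched - won)

# Constructed rule list and RADIUS attribute values (not from a real deployment).
RULES = [
    ("Filter-Id", "contains", "staff", "employee"),
    ("Filter-Id", "equals", "staff-contractor", "contractor"),
    ("Filter-Id", "starts-with", "guest", "guest"),
]
SAMPLES = [
    {"Filter-Id": "staff"},
    {"Filter-Id": "staff-contractor"},
    {"Filter-Id": "guest-lobby"},
]
# Specific rule first: the contractor rule now gets the chance to match.
REORDERED = [RULES[1], RULES[0], RULES[2]]
```

Running `shadowed_rules` over attribute values sampled from authentication logs before saving a rule list points at rules that can never take effect in their current position.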