Aruba Central Online Help

Creating Role Derivation Rules for AP Clients

Aruba Central (on-premises) allows you to configure role and VLAN (Virtual Local Area Network) derivation rules. You can configure these rules to assign a user role or VLAN to the clients connecting to an SSID (Service Set Identifier) or a wired profile.

Creating a Role Derivation Rule

You can configure rules for determining the role that is assigned for each authenticated client.

When creating more than one role assignment rule, the first matching rule in the rule list is applied.

To create a role assignment rule, complete the following steps:

  1. In the Network Operations app, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click the WLANs tab.

    The WLANs details page is displayed.

  5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
  6. Click the Access tab.
  7. Under Access rules, select Role Based to enable access based on user roles.
  8. Under Role Assignment Rules, click +Add Role Assignment. In New Role Assignment Rule, define a match method by which the string in Operand is matched with the attribute value returned by the authentication server.
  9. From the Attribute list, select the attribute that the rule matches against. The list of supported attributes includes RADIUS (Remote Authentication Dial-In User Service) attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For a list of RADIUS attributes, see RADIUS Server Authentication with VSA.
  10. Select the operator from the Operator list. The following types of operators are supported:
    • contains—The rule is applied only if the attribute value contains the string specified in Operand.
    • Is the role—The rule is applied if the attribute value is the role.
    • equals—The rule is applied only if the attribute value is equal to the string specified in Operand.
    • not-equals—The rule is applied only if the attribute value is not equal to the string specified in Operand.
    • starts-with—The rule is applied only if the attribute value starts with the string specified in Operand.
    • ends-with—The rule is applied only if the attribute value ends with the string specified in Operand.
    • matches-regular-expression—The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for WLAN clients.
  11. Enter the string to match in the String box.
  12. Select the appropriate role from the Role list.
  13. Click Save.

Configuring VLAN Derivation Rules

The users are assigned to a VLAN based on the attributes returned by the RADIUS server after users authenticate.

To configure VLAN derivation rules for an SSID profile:

  1. In the Network Operations app, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click the WLANs tab.

    The WLANs details page is displayed.

  5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
  6. Under VLANs, select Dynamic under Client VLAN Assignment.
  7. Click +Add Rule to create a VLAN assignment rule. The New VLAN Assignment Rule window is displayed. In this window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.
  8. Select an attribute from the Attribute list.
  9. Select an operator from the Operator list. The following types of operators are supported:
    • contains—The rule is applied only if the attribute value contains the string specified in Operand.
    • equals—The rule is applied only if the attribute value is equal to the string specified in Operand.
    • not-equals—The rule is applied only if the attribute value is not equal to the string specified in Operand.
    • starts-with—The rule is applied only if the attribute value starts with the string specified in Operand.
    • ends-with—The rule is applied only if the attribute value ends with the string specified in Operand.
    • matches-regular-expression—The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for the WLAN clients.
  10. Enter the string to match in the String field.
  11. Select the appropriate VLAN ID from VLAN. Ensure that all other required parameters are configured.
  12. Click OK.
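The following added example (not Aruba's code) models the operator semantics and the first-matching-rule behaviour shared by the role and VLAN procedures above, and shows why rule order matters: a broad contains rule listed before an exact equals rule silently places a client in the wider role. The attribute values, rule lists and the format of the mac-address-and-dhcp-options value are constructed; full-match regex semantics and the omission of the Is the role operator are assumptions.

```python
import re

# The six string operators from the Operator list. "Is the role" is not
# modelled; regex matching is assumed (not stated on the page) to require
# the whole attribute value to match, hence re.fullmatch.
OPERATORS = {
    "contains": lambda value, operand: operand in value,
    "equals": lambda value, operand: value == operand,
    "not-equals": lambda value, operand: value != operand,
    "starts-with": lambda value, operand: value.startswith(operand),
    "ends-with": lambda value, operand: value.endswith(operand),
    "matches-regular-expression": lambda value, operand: re.fullmatch(operand, value) is not None,
}

def rule_matches(rule, attributes):
    """Evaluate one rule against the attribute values returned for a client."""
    attr, op, operand = rule["attribute"], rule["operator"], rule["operand"]
    # The page allows the regex operator only with mac-address-and-dhcp-options.
    if op == "matches-regular-expression" and attr != "mac-address-and-dhcp-options":
        raise ValueError("matches-regular-expression requires mac-address-and-dhcp-options")
    value = attributes.get(attr)
    return value is not None and OPERATORS[op](value, operand)

def derive(rules, attributes, default):
    """First matching rule wins, as the page states; otherwise return the default."""
    for rule in rules:
        if rule_matches(rule, attributes):
            return rule["result"]
    return default

# Constructed RADIUS reply attributes for one client (sample values, not real).
RADIUS_REPLY = {"Filter-Id": "contractor-staff", "Aruba-User-Role": "contractor-staff"}

# Same two rules in two orders: the broad "contains" rule listed first shadows
# the exact "equals" rule below it, so the client lands in the wider role.
SHADOWED = [
    {"attribute": "Filter-Id", "operator": "contains", "operand": "staff", "result": "employee"},
    {"attribute": "Filter-Id", "operator": "equals", "operand": "contractor-staff", "result": "contractor"},
]
ORDERED = [SHADOWED[1], SHADOWED[0]]  # most specific rule first

# Constructed value for the WLAN-only attribute; its real encoding is not on this page.
CLIENT_INFO = {"mac-address-and-dhcp-options": "aa:bb:cc:12:34:56 option60=PXEClient"}
VLAN_RULES = [
    {"attribute": "mac-address-and-dhcp-options", "operator": "matches-regular-expression",
     "operand": r"aa:bb:cc:.* option60=PXEClient", "result": 100},
]

if __name__ == "__main__":
    print(derive(SHADOWED, RADIUS_REPLY, "guest"), derive(ORDERED, RADIUS_REPLY, "guest"))
    print(derive(VLAN_RULES, CLIENT_INFO, 1))
```

Place the most specific rule first and keep a restrictive default role or VLAN for clients that match nothing.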