Radius Vsa Attributes; Mac-Address Attribute; Roles Based On Client Authentication; Dhcp Option And Dhcp Fingerprinting - Aruba IAP-335 User Manual


RADIUS VSA Attributes

The user role can be derived from Aruba Vendor-Specific Attributes (VSA) for RADIUS server authentication.
The role derived from an Aruba VSA takes precedence over roles defined by other methods.

MAC-Address Attribute

The first three octets in a MAC address are known as the Organizationally Unique Identifier (OUI) and are purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority. This identifier uniquely identifies a vendor, manufacturer, or other organization (referred to by the IEEE as the "assignee") globally and effectively reserves a block of each possible type of derivative identifier (such as MAC addresses) for the exclusive use of the assignee.
IAPs use the OUI part of a MAC address to identify the device manufacturer and can be configured to assign a desired role to users who have completed 802.1X authentication and MAC authentication. The user role can be derived from the user attributes after a client associates with an IAP. You can configure rules to assign a user role to clients that match a MAC-address-based criterion. For example, you can assign a voice role to any client with a MAC address starting with a0:a1:a2.

Roles Based on Client Authentication

The user role can be the default user role configured for an authentication method, such as 802.1X
authentication. For each authentication method, you can configure a default role for the clients who are
successfully authenticated using that method.

DHCP Option and DHCP Fingerprinting

DHCP fingerprinting allows you to identify the operating system of a device by looking at the options in the DHCP frame. Based on the operating system type, a role can be assigned to the device.
For example, to create a role assignment rule with the DHCP option, select equals from the Operator drop-down list and enter 370103060F77FC in the String text box. Since 370103060F77FC is the fingerprint for Apple iOS devices such as iPad and iPhone, the IAP assigns Apple iOS devices to the role that you choose.
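Added example, not taken from the Aruba guide: the validated fingerprints in Table 41 read as the option code octet (0x37 for Option 55, 0x3C for Option 60) followed by the option payload in hex. Assuming that layout, the Python below parses a DHCP options field and rebuilds the string a rule would compare against; the function names and the sample options fields are constructed for illustration.

```python
# Added example: rebuild Table 41-style fingerprint strings from a DHCP options field.
# Assumption: string = option code octet + option payload, with the length octet omitted.
# Values copied from Table 41 of this guide (upper-cased for comparison).
TABLE_41 = {
    "370103060F77FC": "Apple iOS",
    "3C64686370636420342E302E3135": "Android",
    "3C426C61636B4265727279": "Blackberry",
    "37010F03062C2E2F1F2179F92B": "Windows 7/Vista Desktop",
    "37010F03062C2E2F1F21F92B": "Windows XP (SP3, Home, Professional)",
    "3C4D6963726F736F66742057696E646F777320434500": "Windows Mobile",
    "370103060F2C2E2F": "Windows 7 Phone",
    "370103060F775FFC2C2E2F": "Apple Mac OS X",
}

def parse_options(raw: bytes) -> dict:
    """Parse a DHCP options field (RFC 2132 code/length/value) into {code: value}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length octet
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError(f"option {code} is truncated")
        length = raw[i + 1]
        opts[code] = raw[i + 2 : i + 2 + length]
        i += 2 + length
    return opts

def fingerprints(raw: bytes) -> list:
    """Fingerprint strings for Options 55 and 60, in the table's format."""
    opts = parse_options(raw)
    return [f"{c:02X}{opts[c].hex().upper()}" for c in (55, 60) if c in opts]

def classify(raw: bytes) -> list:
    """Device names from Table 41 whose fingerprint appears in the options."""
    return [TABLE_41[fp] for fp in fingerprints(raw) if fp in TABLE_41]

# Constructed sample options fields (not captured traffic).
IOS_LIKE = bytes.fromhex("350101" "3706" "0103060f77fc" "ff")
ANDROID_LIKE = bytes.fromhex("350103") + b"\x3c\x0d" + b"dhcpcd 4.0.15" + b"\xff"

if __name__ == "__main__":
    for name, raw in (("ios-like", IOS_LIKE), ("android-like", ANDROID_LIKE)):
        print(name, fingerprints(raw), classify(raw))
```

Every byte matched here is supplied by the client in its DHCP request, so a rule built on these strings identifies what a device reports about itself.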
Table 41: Validated DHCP Fingerprint

| Device | DHCP Option | DHCP Fingerprint |
|---|---|---|
| Apple iOS | Option 55 | 370103060F77FC |
| Android | Option 60 | 3C64686370636420342E302E3135 |
| Blackberry | Option 60 | 3C426C61636B4265727279 |
| Windows 7/Vista Desktop | Option 55 | 37010f03062c2e2f1f2179f92b |
| Windows XP (SP3, Home, Professional) | Option 55 | 37010f03062c2e2f1f21f92b |
| Windows Mobile | Option 60 | 3c4d6963726f736f66742057696e646f777320434500 |
| Windows 7 Phone | Option 55 | 370103060f2c2e2f |
| Apple Mac OS X | Option 55 | 370103060f775ffc2c2e2f |

Creating a Role Derivation Rule

You can configure rules for determining the role that is assigned for each authenticated client.

Aruba Instant 6.5.0.0-4.3.0.0 | User Guide | Roles and Policies
