Concept Guide

aaa derivation-rules
aaa derivation-rules user <name>
no ...
set {aaa-profile|role|vlan} condition <rule-type> <attribute> <value> set-value {<role>|<vlan>} [description <rule description>] [position <number>]
Description
This command configures rules that assign an AAA profile, user role, or VLAN to a client based upon the client's association with an AP.
A user role cannot be assigned by an AAA derivation rule unless the controller has an installed PEFNG license.
Syntax
Parameter Description
<name>
Name that identifies this set of user derivation rules.
no
Negates a configured rule.
set {role|vlan}
Specify whether the action of the rule is to set the role or the VLAN.
condition
Condition that should be checked to derive role/VLAN
<rule-type>
For a rule that sets an AAA profile, use the user-vlan rule type.
For a role or VLAN user derivation rule, select one of the following rules:
- bssid: BSSID of access point.
- dhcp-option: Use DHCP signature matching to assign a role or VLAN.
- dhcp-option-77: Enable DHCP packet processing.
- encryption-type: Encryption method used by station.
- essid: ESSID of access point.
- location: User location (AP name).
- macaddr: MAC address of user.
NOTE: If you use the dhcp-option rule type, best practice is to enable the enforce-dhcp option in the AAA profile referenced by the AP group's Virtual AP profile.
<attribute> <value>
Specify one of the following conditions:
- contains: Check if attribute contains the string in the <value> parameter.
- ends-with: Check if attribute ends with the string in the <value> parameter.
- equals: Check if attribute equals the string in the <value> parameter.
- not-equals: Check if attribute is not equal to the string in the <value> parameter.
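The rule syntax and match conditions above, as an added example (not from this guide and not controller code): a small Python parser that checks `set ...` lines against the synopsis and shows which rule a client would hit, useful for reviewing a rule set for overly broad matches. Assumptions: rules are checked in the order listed with the first match winning, comparison is case-sensitive string matching, only the four conditions listed here are modelled, and the role, VLAN, ESSID and AP names are constructed.

```python
import shlex

# Rule types and conditions exactly as listed in this section.
ROLE_VLAN_TYPES = {"bssid", "dhcp-option", "dhcp-option-77",
                   "encryption-type", "essid", "location", "macaddr"}
CONDITIONS = {
    "contains": lambda attr, val: val in attr,
    "ends-with": lambda attr, val: attr.endswith(val),
    "equals": lambda attr, val: attr == val,
    "not-equals": lambda attr, val: attr != val,
}

def parse_rule(line):
    """Parse one 'set ...' line of a derivation-rule set into a dict."""
    tok = shlex.split(line)
    if (len(tok) < 8 or len(tok) % 2
            or (tok[0], tok[2], tok[6]) != ("set", "condition", "set-value")):
        raise ValueError(f"not a derivation rule: {line!r}")
    action, rule_type, cond, value, target = tok[1], tok[3], tok[4], tok[5], tok[7]
    if action not in ("aaa-profile", "role", "vlan"):
        raise ValueError(f"unknown action {action!r}")
    # An aaa-profile rule uses user-vlan; role/VLAN rules use the listed types.
    allowed = {"user-vlan"} if action == "aaa-profile" else ROLE_VLAN_TYPES
    if rule_type not in allowed:
        raise ValueError(f"rule type {rule_type!r} not valid for set {action}")
    if cond not in CONDITIONS:
        raise ValueError(f"unknown condition {cond!r}")
    opts = dict(zip(tok[8::2], tok[9::2]))  # description / position pairs
    if set(opts) - {"description", "position"}:
        raise ValueError(f"unexpected option in {line!r}")
    return {"action": action, "type": rule_type, "cond": cond, "value": value,
            "target": target, **opts}

def derive(rules, client):
    """Return (action, target) of the first rule matching the client, or None.

    Assumption: rules are checked in the order given and the first match wins.
    """
    for r in rules:
        attr = client.get(r["type"])
        if attr is not None and CONDITIONS[r["cond"]](attr, r["value"]):
            return r["action"], r["target"]
    return None

# Constructed sample rule set; role, VLAN and ESSID names are made up.
SAMPLE = [parse_rule(l) for l in (
    'set role condition essid equals corp-secure set-value employee position 1',
    'set vlan condition location ends-with -lab set-value 40 description "lab APs"',
    'set role condition essid contains corp set-value contractor',
)]
```

In the sample set, the `contains corp` rule also matches an ESSID such as `corp-guest`, which is the kind of unintended match worth checking for before a rule set is deployed.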
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide aaa derivation-rules | 80