Specifications

OmniAccess Reference: AOS-W System Reference
422 Part 031652-00 May 2005
Role Derivation
The simplest way to assign a role is to create a default role for the
authentication method being used, then assign that role to all or most of the
users when they are authenticated.
Create a role using the aaa captive-portal command. See “AAA Commands” on
page 823.
How Role Derivation Works
Roles are derived in the following order:
1. The default role for a new user is always logon.
2. Prior to authentication, derivation rules based on user attributes (SSID,
BSSID, user MAC, location and encryption type) can change the role. This
will override the default logon role. User derivation rules are configured with
the aaa derivation-rules user command.
3. After a successful authentication, if there is a default role assigned for the
authentication method, AOS-W replaces the role derived in step 1 or
step 2 with that default role.
4. Derivation rules based on attributes returned by the authentication server
(and some user attributes) can change the role after successful
authentication. Server rules are configured with the aaa derivation-rules
server command. A matching server rule overrides all previous roles. Starting
with AOS-W 2.3.2.0, rules based on SSID and location (user attributes) can also
be created under server rules even though these attributes are not returned by
the server.
5. Alcatel VSA. If the authentication server returns the Alcatel VSA for role
(Vendor id 14823, Attribute id 1), it takes the highest precedence. In fact,
server rules are not even checked if the Alcatel role VSA is present.
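
The precedence order above can be modelled in a few lines to check which role a given combination of rules and server replies produces. This is an added example, not AOS-W code or part of the original reference. The function names, the rule format (first match wins, exact equality), the role names and the sample attributes are assumptions; only the vendor id and attribute id come from the text.

```python
# Added example: a model of the precedence order above, not AOS-W code.
# Rule matching (first match wins, exact equality) is an assumption.
ALCATEL_VENDOR_ID = 14823  # vendor id given on the page
ROLE_ATTRIBUTE_ID = 1      # attribute id given on the page

def first_match(rules, attrs):
    """Return the role of the first rule whose conditions all match, else None."""
    for conditions, role in rules:
        if all(attrs.get(k) == v for k, v in conditions.items()):
            return role
    return None

def derive_role(user_attrs, user_rules=(), authenticated=False,
                method_default_role=None, server_rules=(),
                server_attrs=None, vsas=None):
    """Return (role, source) following steps 1-5 of the list above."""
    role, source = "logon", "step 1: default logon role"
    matched = first_match(user_rules, user_attrs)
    if matched:
        role, source = matched, "step 2: user derivation rule"
    if not authenticated:
        return role, source
    if method_default_role:
        role, source = method_default_role, "step 3: authentication default role"
    # Step 5 is tested before step 4: with the role VSA present,
    # server rules are not consulted at all.
    vsa_role = (vsas or {}).get((ALCATEL_VENDOR_ID, ROLE_ATTRIBUTE_ID))
    if vsa_role:
        return vsa_role, "step 5: Alcatel role VSA"
    # Server rules see returned attributes plus SSID and location.
    visible = {k: v for k, v in user_attrs.items() if k in ("ssid", "location")}
    visible.update(server_attrs or {})
    matched = first_match(server_rules, visible)
    if matched:
        role, source = matched, "step 4: server derivation rule"
    return role, source

# Constructed sample data; role, SSID and attribute values are hypothetical.
USER = {"ssid": "corp-wlan", "mac": "00:11:22:33:44:55", "location": "1.2.3"}
USER_RULES = [({"ssid": "corp-wlan"}, "pre-auth-corp")]
SERVER_RULES = [({"Filter-Id": "contractors", "ssid": "corp-wlan"}, "contractor")]

if __name__ == "__main__":
    print(derive_role(USER, USER_RULES))
    print(derive_role(USER, USER_RULES, True, "employee"))
    print(derive_role(USER, USER_RULES, True, "employee", SERVER_RULES,
                      {"Filter-Id": "contractors"}))
    print(derive_role(USER, USER_RULES, True, "employee", SERVER_RULES,
                      {"Filter-Id": "contractors"},
                      {(ALCATEL_VENDOR_ID, ROLE_ATTRIBUTE_ID): "admin"}))
```

In the last case the role VSA from the authentication server decides the role regardless of every local rule, so the server's reply attributes belong in any review of who ends up in which role.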