Thursday, April 16, 2015

AOS: ACMX

Module6: Advanced Authentication

Fail through: When using 802.1X, fail-through only works with AAA FastConnect (EAP termination) enabled.
Configured under AAA Profile -> 802.1X authentication profile.

Dynamic Server Selection: the controller dynamically selects an authentication server from a server group based on the user information.

Match types: contains, begins, and equals.
User name formats: <domain>\<user>, <user>@<domain>

Machine Authentication
host/<pc-name>.<domain>
Machine Authentication: Default Machine Role <- machine auth pass & user auth fail
Machine Authentication: Default User Role <- machine auth fail & user auth pass


Blacklist due to failed authentication:
Virtual AP ->
Authentication Failure Blacklist Time, default 3600 secs
Blacklist Time (manual blacklisting or firewall blacklisting)

Module 7: Firewall Policies
Pre-configured aliases:
controller: refers to the controller's IP address (the lowest-numbered VLAN interface)
localip: identifies the local IP address on the RAP
mswitch: the loopback address or management IP

Firewall Derivation Rule:
aaa derivation-rules user MobileDevice
   set role condition dhcp-option equals "0C576969" set-value nintendo-wii
   set role condition dhcp-option equals "3701032A0406070C0F1A2C33363A3BBE" set-value lexmark-x4580
   set role condition dhcp-option equals "370103060F77FC" set-value Apple-IOS

Validuser ACL:
The validuser ACL is already pre-populated with an entry that blocks users with a 169.254.x.x (APIPA) address, so that
they do not show up in the user table.

Module 8: Role
Role derivation:
1. Initial Role (pre-authentication role):
This role is assigned to every user before authentication. Aruba provides a template for an initial role but
2. User-Derived Roles:
The user role can be derived from client attributes or from the AP the client uses for network entry. For example, a role or VLAN may be assigned to a client depending on the BSS of the AP the client is using.
aaa profile "default"
   user-derivation-rules scanners
(Aruba3200) (config) #aaa derivation-rules user test-1
(Aruba3200) (user-rule) #?
no                      Delete Command
set                     The action for the rule

(Aruba3200) (user-rule) #set ?
role                    The action of the rule is to set to role
vlan                    The action of the rule is to set to vlan

(Aruba3200) (user-rule) #set role ?
condition               Condition that should be checked to derive role/VLAN

(Aruba3200) (user-rule) #set role condition ?
bssid                   BSSID of access point
dhcp-option             Enable DHCP option processing
dhcp-option-77          Enable DHCP option 77 processing
encryption-type         Encryption method used by station
essid                   ESSID of access point
location                user location (ap name)
macaddr                 MAC address of user

(Aruba3200) (user-rule) #set role condition

3. Server-Derived Roles: VSA and server-derived roles
4. Default role of CP, 802.1X, VPN, MAC
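
Added example (not from the original notes and not ArubaOS code): a small Python model of how the derivation rules in the Module 7 block and the `set role condition` CLI above are evaluated, decoding the three DHCP option fingerprints into their option code and value. The operator names are the match types listed in the notes; first-match ordering and the shape of the client dictionary are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    condition: str  # condition from the CLI help: dhcp-option, macaddr, essid ...
    operator: str   # match type from the notes: equals, contains, begins
    value: str      # hex fingerprint: DHCP option code byte, then the option value
    action: str     # role or vlan
    set_value: str

RULES = [  # the rules from "aaa derivation-rules user MobileDevice" above
    Rule("dhcp-option", "equals", "0C576969", "role", "nintendo-wii"),
    Rule("dhcp-option", "equals", "3701032A0406070C0F1A2C33363A3BBE", "role", "lexmark-x4580"),
    Rule("dhcp-option", "equals", "370103060F77FC", "role", "Apple-IOS"),
]

def describe_fingerprint(hex_str):
    """First byte is the DHCP option code, the rest the value (no length byte)."""
    raw = bytes.fromhex(hex_str)
    code, value = raw[0], raw[1:]
    if code == 55:  # parameter request list: one requested option code per byte
        return f"option 55 requests {list(value)}"
    if code == 12:  # host name sent by the client
        return f"option 12 hostname {value.decode('ascii', 'replace')!r}"
    return f"option {code} value {value.hex()}"

def _match(operator, observed, value):
    observed, value = observed.upper(), value.upper()
    if operator == "equals":
        return observed == value
    if operator == "contains":
        return value in observed
    if operator == "begins":
        return observed.startswith(value)
    raise ValueError(f"unknown operator {operator}")

def derive(client, rules=RULES):
    """client maps condition name -> observed value(s) (a DHCP client sends several
    options, so dhcp-option may be a list). Returns (action, value) of the first
    matching rule, or None to keep the default role; first-match is an assumption."""
    for rule in rules:
        observed = client.get(rule.condition, [])
        observed = [observed] if isinstance(observed, str) else observed
        if any(_match(rule.operator, o, rule.value) for o in observed):
            return rule.action, rule.set_value
    return None

if __name__ == "__main__":
    ios = {"dhcp-option": ["0c6970686f6e65", "370103060f77fc"]}  # constructed sample
    print(describe_fingerprint(ios["dhcp-option"][1]), "->", derive(ios))
```

Decoding the fingerprints shows what each rule keys on: the Wii rule matches a hostname (option 12), the other two match the client's parameter request list (option 55), which a client can change at will, so these roles should carry only the access such a device needs.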

Bandwidth Contract (optional):
You can assign a bandwidth contract to provide an upper limit to upstream or downstream
bandwidth utilized by clients in this role. You can select the Per User option to apply the
bandwidth contracts on a per-user basis instead of to all clients in the role.

In CLI:
aaa bandwidth-contract "test-1" kbits 512

Apply it in the user role:
(Aruba3200) (config-role) #bw-contract ?
STRING                  Name of bandwidth contract

(Aruba3200) (config-role) #bw-contract test-1 ?
downstream              Assign bandwidth contract to downstream traffic
per-apgroup             Assign bandwidth contract per-apgroup (default is
                        per-role)
per-user                Assign bandwidth contract per-user (default is
                        per-role)
upstream                Assign bandwidth contract to upstream traffic

BW Contract Exceptions:
VRRP, LACP, OSPF, PVST, STP
Note: 01:00:53:xx:xx:xx multicast

Bandwidth Allocation:
An administrator can set a hard limit on over-the-air (OTA) bandwidth for a specific Service Set
Identifier (SSID). Currently, the bandwidth allocation process is activated only when the
bandwidth is completely saturated. The new enhancement allows you to let an SSID consume
more bandwidth when some unused bandwidth is available from other SSIDs. You can limit the
bandwidth allocation to low-priority SSIDs and allot the bandwidth to other high-priority SSIDs.

Module 17: Mobility

VLAN Mobility is inter-controller mobility over L2 connectivity.
L3 Mobility is inter-controller mobility over L3 connectivity; the VLANs may differ.
Inter-Controller L3 Mobility: configure mobility domains; each domain holds the IP of the Home Agent (controller).
