An administrator creates a user role that department A in a company uses. Various other roles exist for other departments. All employees connect to the same
ESSID, which authenticates to an external AAA server.
How should the administrator configure the controller to assign the appropriate roles to the employees?
In this scenario, the administrator needs to assign specific roles to employees based on which department they belong to, even though they all connect to the same ESSID and authenticate via an external AAA server. The appropriate way to achieve this is by implementing server-derived roles. These roles can be assigned dynamically based on attributes returned by the authentication server or client attributes, allowing for the correct role to be assigned to each employee based on the department they are in.
Answer is D
should be D
why D? server-derivation rules are executed after client authentication, i think that C is correct response
if I'm not wrong they want to assign a different role for each department, lets asume that they have department B,C,D and E, if you can only use 1 AAA profile per ESSID and only 2 roles per AAA profile (Pre-authentication and Post-Authentication) How would you assign the roles for the other departments if every user is connecting to the same ESSID? For me The only way would be Server-Derivation rules. Please let me know if I am wrong , the porpuse of my comment is to learn. Best Regards.
Answer should be D
Answer should be D. Implement server-derived roles. The user role can be derived from attributes returned by the authentication server and certain client attributes (this is known as a server-derived role). If the client is authenticated via an authentication server, the user role for the client can be based on one or more attributes returned by the server during authentication, or on client attributes such as SSID (even if the attribute is not returned by the server). Server-derivation rules are executed after client authentication.
Answer should be D. Implement server-derived roles. The user role can be derived from attributes returned by the authentication server and certain client attributes (this is known as a server-derived role). If the client is authenticated via an authentication server, the user role for the client can be based on one or more attributes returned by the server during authentication, or on client attributes such as SSID (even if the attribute is not returned by the server). Server-derivation rules are executed after client authentication.
Answer is D, e.g use an external RADIUS server solution such as ClearPass
D seems to be the right answer