
Configuring Network Port Profile Assignment

Aruba Central allows you to download pre-existing user roles when you create network profiles.

Aruba Instant and ClearPass Policy Manager include support for centralized policy definition and distribution. ClearPass Policy Manager is a baseline platform for policy management, AAA, profiling, network access control, and reporting. With ClearPass Policy Manager, network administrators can configure and manage secure network access that accommodates requirements across multiple locations and multivendor networks, regardless of device ownership and connection method.

To provide highly granular per-user access, user roles can be created when a user has been successfully authenticated. During the configuration of a policy enforcement profile in ClearPass Policy Manager, the administrator can define a role that should be assigned to the user after successful authentication. In RADIUS (Remote Authentication Dial-In User Service) authentication, when ClearPass Policy Manager successfully authenticates a user, the user is assigned a role by ClearPass Policy Manager.

If the role is not defined on the Instant AP, the role attributes can also be downloaded automatically. This feature supports roles obtained by the following authentication methods:

802.1X (WLAN and wired users)

MAC authentication

Captive Portal

This section describes the following topics:

ClearPass Policy Manager Certificate Validation for Downloadable Role

Enabling Downloadable Role Feature for Wireless Networks in Aruba Central

Enabling Downloadable Role Feature for Wired Networks in Aruba Central

ClearPass Policy Manager Certificate Validation for Downloadable Role

When a ClearPass Policy Manager server is configured as the domain for RADIUS authentication for downloading user roles, Instant APs are required to publish the root CA (Certificate Authority) for the HTTPS server to the well-known URL (http://<clearpass-fqdn>/.wellknown/aruba/clearpass/https-root.pem) in order to validate the ClearPass Policy Manager customized CA. The Instant AP must ensure that an FQDN (Fully Qualified Domain Name) is defined in the above URL for the RADIUS server and then attempt to fetch the trust anchor by using the RADIUS FQDN. Upon configuring the domain of the ClearPass Policy Manager server for RADIUS authentication along with a username and password, the Instant AP tries to retrieve the CA from the above well-known URL and store it in flash memory. However, if there is more than one ClearPass Policy Manager server configured for authentication, the CA must be uploaded manually.
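The following preflight check is an added example, not part of Aruba's documentation. It applies the rules from the paragraph above (FQDN required, manual CA upload when more than one server is configured) and, because the well-known URL shown is plain http://, compares the fetched PEM against a SHA-256 fingerprint obtained out of band. Function names, host names and the pinned fingerprint are assumptions; the sample PEM is constructed and is not a real certificate.

```python
import base64, hashlib, hmac, ipaddress, re

# URL path exactly as given on this page; <clearpass-fqdn> is filled in per server.
WELL_KNOWN = "http://{fqdn}/.wellknown/aruba/clearpass/https-root.pem"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
PEM_BLOCK = r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----"

def is_fqdn(host):
    """True for a dotted DNS name; False for IP literals and bare host names."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        labels = host.rstrip(".").split(".")
        return len(labels) >= 2 and all(re.fullmatch(LABEL, l) for l in labels)

def preflight(radius_hosts):
    """List the conditions under which the AP cannot fetch the trust anchor itself."""
    findings = []
    if not radius_hosts:
        findings.append("no RADIUS server configured")
    if len(radius_hosts) > 1:
        findings.append("more than one ClearPass server: upload the CA manually")
    findings += [f"{h}: not an FQDN" for h in radius_hosts if not is_fqdn(h)]
    return findings

def pem_fingerprints(pem_text):
    """SHA-256 fingerprint (hex) of every certificate block in a PEM file."""
    blocks = re.findall(PEM_BLOCK, pem_text, re.S)
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in blocks]

def anchor_matches(pem_text, pinned_sha256_hex):
    """True if a fetched certificate equals the fingerprint pinned out of band."""
    pinned = pinned_sha256_hex.lower().replace(":", "")
    return any(hmac.compare_digest(fp, pinned) for fp in pem_fingerprints(pem_text))

# Constructed sample: placeholder bytes in a PEM wrapper, not a real certificate.
SAMPLE_DER = b"constructed-der-placeholder"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    host = "cppm.example.com"  # hypothetical ClearPass FQDN
    print(WELL_KNOWN.format(fqdn=host), preflight([host]))
    print(anchor_matches(SAMPLE_PEM, hashlib.sha256(SAMPLE_DER).hexdigest()))
```

In practice the PEM text would be the file retrieved from the well-known URL, and the pinned value would come from the ClearPass administrator rather than from the same HTTP response.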

Enabling Downloadable Role Feature for Wireless Networks in Aruba Central

To enable the Downloadable Role feature, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP.

The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

A list of access points is displayed in the List view.

3. Click the Config icon.

The tabs to configure the access points are displayed.

4. Click the WLANs tab.

The WLANs details page is displayed.

5. In the WLANs tab, click + Add SSID. To modify an existing SSID (Service Set Identifier), select a wireless SSID from the Wireless SSIDs table and then click the edit icon.

6. In the Security tab, select the RADIUS server in the Primary Server field.

At least one RADIUS server must be configured to apply the Downloadable User Roles feature. For more information on configuring a RADIUS server, see External RADIUS Server.

7. Click Next.

8. The Access tab is displayed.

9. Turn on the Downloadable Role toggle switch to allow downloading of pre-existing user roles. The CPPM Settings table, with the Name, CPPM Username, and Actions columns for the RADIUS servers, is displayed.

The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8.

At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see External RADIUS Server.

10. Click the action corresponding to the RADIUS server listed in the CPPM Settings table. The Edit Server page is displayed.

The Edit Server page displays the name of the RADIUS server. The Name field is non-editable.

11. Enter the following details:

CPPM Username—Enter the ClearPass Policy Manager admin username.

Password—Enter the password.

Retype—Retype the password.

12. Click OK.

Enabling Downloadable Role Feature for Wired Networks in Aruba Central

To enable the Downloadable Role feature, perform the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP.

The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

A list of access points is displayed in the List view.

3. Click the Config icon.

The tabs to configure the access points are displayed.

4. Click Show Advanced, and click the Interfaces tab.

The Interfaces details page is displayed.

5. Click the Wired accordion.

6. Under Wired, click + Add Port Profile. To modify an existing profile, select the network that you want to edit in the Wired Port Profiles pane, and then click the edit icon.

7. In the Security tab, select the RADIUS server in the Primary Server field.

At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see External RADIUS Server.

8. Click Next.

9. The Access tab is displayed.

10. Enable the Downloadable Role option to allow downloading of pre-existing user roles. The CPPM Settings table, with the Name, CPPM Username, and Actions columns for the RADIUS servers, is displayed.

The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8.

At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see External RADIUS Server.

11. Click the action corresponding to the RADIUS server listed in the CPPM Settings table. The Edit Server page with the RADIUS server name is displayed.

The Edit Server page displays the RADIUS server name. The Name field is non-editable.

12. Enter the following details:

CPPM Username—Enter the ClearPass Policy Manager admin username.

Password—Enter the password.

Retype—Retype the password.

13. Click OK.
