Configuring Downloadable Roles

Aruba Central (on-premises) allows you to download pre-existing user roles when you create network profiles.

Aruba Instant and ClearPass Policy ManagerClearPass Policy Manager is a baseline platform for policy management, AAA, profiling, network access control, and reporting. With ClearPass Policy Manager, the network administrators can configure and manage secure network access that accommodates requirements across multiple locations and multivendor networks, regardless of device ownership and connection method. include support for centralized policy definition and distribution.

When ClearPass Policy Manager successfully authenticates a user, the user is assigned a role by ClearPass Policy Manager. If the role is not defined on the IAP, the role attributes can also be downloaded automatically. In order to provide highly granular per-user level access, user roles can be created when a user has been successfully authenticated. During the configuration of a policy enforcement profile in ClearPass Policy Manager, the administrator can define a role that should be assigned to the user after successful authentication. In RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication, when ClearPass Policy Manager successfully authenticates a user, the user is assigned a role by ClearPass Policy Manager.

If the role is not defined on the IAP, the role attributes can also be downloaded automatically. This feature supports roles obtained by the following authentication methods:

• 802.1X802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. (WLANWireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. and wired users)
• MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. authentication
• Captive PortalA captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users.

This section describes the following topics:

• ClearPass Policy Manager Certificate Validation for Downloadable Role
• Enabling Downloadable Role Feature for Wireless Networks in Aruba Central
• Enabling Downloadable Role Feature for Wired Networks in Aruba Central

ClearPass Policy Manager Certificate Validation for Downloadable Role

When a ClearPass Policy Manager server is configured as the domain for RADIUS authentication for downloading user roles, in order to validate the ClearPass Policy Manager customized CACertificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate., IAPs are required to publish the root CA for the HTTPSHypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. server to the well-known URLUniform Resource Locator. URL is a global address used for locating web resources on the Internet. (http://<clearpass-fqdn>/.wellknown/ aruba/clearpass/https-root.pem). The IAP must ensure that an FQDNFully Qualified Domain Name. FQDN is a complete domain name that identifies a computer or host on the Internet. is defined in the above URL for the RADIUS server and then attempt to fetch the trust anchor by using the RADIUS FQDN. Upon configuring the domain of the ClearPass Policy Manager server for RADIUS authentication along with a username and password, the IAP tries to retrieve the CA from the above well-known URL and store it in flash memory. However, if there is more than one ClearPass Policy Manager server configured for authentication, the CA must be uploaded manually.

Enabling Downloadable Role Feature for Wireless Networks in Aruba Central

To enable the Downloadable Role feature, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of access points is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the access points are displayed.

4. Click the WLANs tab.

   The WLANs details page is displayed.

5. In the WLANs tab, click + Add SSID.

   To modify an existing SSIDService Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network., select a wireless SSID from the Wireless SSIDs table and then click the edit icon.

6. In the Security tab, select the RADIUS server in Primary Server field.

   At least one radius server must be configured to apply the Downloadable User Roles feature. For more information on configuring radius server, see Authentication Servers for IAPs

7. Click Next.
8. The Access tab is displayed.
9. Turn on the Downloadable Role toggle switch to allow downloading of pre-existing user roles. The CPPM Settings table with Name, CPPM Username, and Actions columns related to the radius servers are displayed.
   • The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba InstantOS 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8.
   • At least one radius server must be configured to apply the Downloadable Role feature. For more information on configuring radius server, see Authentication Servers for IAPs
10. Click the action corresponding to the radius server listed in the CPPM Settings table. The Edit Server page is displayed.

    The Edit Server page displays the name of the radius server name. The Name field is non-editable.

11. Enter the following details:

    1. CPPM Username—Enter the ClearPass Policy Manager admin username.

    2. Password—Enter the password.

    3. Retype—Retype the password.

12. Click OK.

Enabling Downloadable Role Feature for Wired Networks in Aruba Central

To enable the Downloadable Role feature, perform the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of access points is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the access points are displayed.

4. Click Show Advanced, and click the Interfaces tab.

   The Interfaces details page is displayed.

5. Click the Wired accordion.

6. Under Wired, click + Add Port Profile.

   To modify an existing profile, select the network that you want to edit in the Wired Port Profiles pane, and then click the edit icon.

7. In the Security tab, select the RADIUS server in Primary Server field.

   At least one radius server must be configured to apply the Downloadable Role feature. For more information on configuring radius server, see Authentication Servers for IAPs

8. Click Next.

9. The Access tab is displayed.

10. Enable the Downloadable Role option to allow downloading of pre-existing user roles. The CPPM Settings table with Name, CPPM Username, and Actions columns related to the radius servers are displayed.

    • The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba InstantOS 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8.
    • At least one radius server must be configured to apply the Downloadable Role feature. For more information on configuring radius server, see Authentication Servers for IAPs
11. Click the action corresponding to the radius server listed in the CPPM Settings table. The Edit Server page with the radius server name is displayed.

    The Edit Server page displays the radius server name. The Name field is non-editable.

12. Enter the following details:

    • CPPM Username—Enter the ClearPass Policy Manager admin username.
    • Password—Enter the password.
    • Retype—Retype the password.
13. Click OK.