HP Aruba JL253A Management And Configuration Manual page 637

For arubaos-switch 16.08

Primary user role: Configured on switch
Secondary user role: Configured on controller
Both the primary and secondary roles can be either statically configured or downloaded from ClearPass.
NOTE: This feature is only available for:
ClearPass 6.7.0 onward
Aruba Controller Version 8.3.0 onward
To support Downloadable User Roles on the controller, a new VSA (HP-CPPM-Seconday-Role), which contains
the secondary user role name, is introduced in ClearPass 6.7.0.
To use the Reserved VLAN mode in 16.08, a minimum version of 8.4 is required on the Controller.

The Aruba switch downloads user policies from ClearPass using downloadable user roles. This makes
ClearPass a centralized point for administering user policy for the access switch and minimizes user
configuration on the Aruba switch. For downloadable user roles to work properly, the signing Certificate
Authority (CA) of the ClearPass HTTPS certificate must be added to the Aruba switch and marked as trusted.
With ArubaOS-Switch 16.08, there is an automated way to download the CA certificate of ClearPass. Refer to
the Access Security Guide for how to use this feature.

ClearPass Sample Configuration
aaa authorization user-role name "<role-name>"
vlan-id <vlan id> tunneled-node-server-redirect VSA
When the primary user role is downloaded onto the switch and the secondary user role is downloaded onto the
controller:
Chapter 18 Dynamic Segmentation
