Aruba Downloadable Role Enforcement Profiles

Policy Manager includes support for centralized policy definition and distribution. When ClearPass Policy Manager successfully authenticates a user, the user is assigned a role by ClearPass Policy Manager. However, if the role is not defined on the Aruba controller or switch, the role attributes can also be downloaded automatically. The following validations are performed for an Aruba Downloadable User Role (DUR):

Standard Mode elements are validated based on schema contents (syntax validation) prior to saving the DUR.

After a schema update, existing DURs remain unchanged until the admin user edits the DUR profile.

When an admin user edits an existing DUR profile, the syntax/configuration is re-validated, and an alert is shown to the admin to verify the changes.

Basic Profile Settings

Use the Profiles tab on the Downloadable User Role Enforcement Profile dialog to configure the template, type of the profile, and the device group list, and specify the Role Configuration Mode as either Standard or Advanced.

Standard mode: User-provided options to configure individual components of a role (for example, Policer Profile, Stateless ACL configuration, etc.). The user role is generated based on components added to the configuration.

Advanced mode: You can enter the entire role configuration as a text under a single attribute.

Events are logged in the Audit Viewer for create, update, and delete operations in the Captive Portal, Policy, and Class configurations. Events are also logged for generated user roles and import/export operations in enforcement profiles.

To configure the Aruba Downloadable Role Enforcement Profile:

1. Navigate to Configuration > Enforcement > Profiles. The Enforcement Profiles page opens.

2. Click the Add link. The Add Enforcement Profile page opens.

3. From the Template drop-down, select Aruba Downloadable Role Enforcement.

Figure 1  Aruba Downloadable Role Enforcement > Profile Page (Standard Mode)

4. Specify the Aruba Downloadable Role Enforcement > Profile parameters as described in the following table:

Table 1: Aruba Downloadable Role Enforcement > Profile Parameters

Parameter

Action/Description

Template

Select the Aruba Downloadable Role Enforcement template.

Name

Enter the name of the enforcement profile.

Description

Enter a description of the enforcement profile.

Type

This field is automatically populated with: Aruba_DUR.

Action

Click Accept, Reject, or Drop to define the action taken on the request. The default action is Accept.

Device Group List

Select a device group from the drop-down list. The list displays all device groups configured on the Configuration > Network > Device Groups page. After adding one or more device groups, you can select a group and perform one of the following actions:

To delete the selected Device Group List entry, click Remove.

To see the device group parameters, click View Details.

To change the parameters of the selected device group, click Modify.

NOTE: To add a new device group, click the Add New Device Group link and see Adding and Modifying Device Groups.

Role Configuration Mode

Select one of the following modes:

Standard (the default)

Advanced

Product

Specify one of the following products:

ArubaOS-Switch

Mobility Access Switch (MAS)

Mobility Controller

AOS-CX

Role Configuration: Standard Mode

When the Role Configuration Mode setting on the Profile tab is set to Standard (the default), the Role Configuration tab appears. In Standard mode, the Role Configuration tab includes only the options that are appropriate for the selected product.

The fields on the Role Configuration tab vary according to which product you specify. The example below displays the Role Configuration page when you specify the ArubaOS-Switch product. This page provides support for class configuration for the ArubaOS-Switch, and the Role Configuration tab includes a Manage Classes link that does not appear when you configure enforcement profile roles for Mobility Access Switch or Mobility Controller Aruba products.

Figure 2  Role Configuration Page: ArubaOS-Switch

The following tables describe the Role Configuration parameters for the Aruba Downloadable Role Enforcement Profile for Mobility Access Switch, Mobility Controller, ArubaOS-Switch and AOS-CX:

Table 2: Mobility Access Switch Role Configuration Parameters

Parameter

Action/Description

Captive Portal Profile

Select the captive portal profile from the drop-down list if already configured.

To add a new captive portal profile, click the Add Captive Portal Profile link. For more information, see Captive Portal Profiles.

Policer Profile

This parameter defines a Policer profile to manage the transmission rate of a class of traffic based on user-defined criteria. Select the Policer profile from the drop-down list if already configured. Click Add Policer Profile link to add a new Policer profile. For more information, see Policer Profiles.

QoS Profile

This parameter defines a QoS profile to assign Traffic-Class/Drop-Precedence, Differentiated Services Code Point (DSCP), and 802.1p values to an interface or Policer profile of a Mobility Access Switch. Select the QoS profile from the drop-down list if already configured. Click the Add QoS Profile link to add a new QoS profile. For more information, see QoS Profiles.

VoIP Profile

This parameter defines a VoIP profile that can be applied to any interface, interface group, or port-channel of a Mobility Access Switch. Select the VoIP profile from the drop-down list if already configured. Click the Add VoIP Profile link to add a new VoIP profile. For more information, see VoIP Profiles.

Reauthentication Interval Time (0-4096)

Enter the number of minutes between reauthentications, from 0 to 4096.

VLAN To Be Assigned (1-4094)

Enter a number between 1 and 4094 that identifies the VLAN to be assigned.

NetService Configuration

Select the Manage NetServices link to add, edit, and delete the NetService definitions. For more information, see NetService Profiles.

NetDestination Configuration

Select the Manage NetDestinations link to add, edit, and delete the NetDestinations definitions. For more information, see NetDestination Configuration.

Time Range Configuration

Select the Manage Time Ranges link to add, edit, and delete time range definitions. For more information, see Time Range Profiles.

NAT Pool Configuration

Select the Manage NAT Pool link to add, edit, and delete NAT Pool definitions. For more information, see NAT Pools.

ACL Type

Select from the following ACL types:

Ethertype: Ethertype ACLs filter based on the Ethertype field in the frame header.

MAC: MAC ACLs filter traffic on a specific source MAC address or range of MAC addresses.

Session: Session ACLs define traffic and firewall policies.

Stateless: Stateless ACLs define stateless packet filtering and quality of service (QoS). A stateless ACL statically evaluates packet contents.

ACL Name

Click the name of the ACL type.

To move the ACL Name to the ACL field, click Add.

To modify the order of the names in the ACL list, click Move Up or Move Down.

To delete an ACL from the list, click Remove.

User Role Configuration

Check the Summary tab for the generated role configuration.


Table 3: Mobility Controller Role Configuration Parameters

Parameter

Action/Description

Captive Portal Profile

Select the captive portal profile from the drop-down list if already configured.

Click the Add Captive Portal Profile link to add a new captive portal profile. For more information, see Captive Portal Profiles.

Reauthentication Interval Time (0-4096)

Enter the number of minutes between reauthentications, from 0 to 4096.

VLAN

Select either ID or Name to identify the VLAN to be assigned by VLAN ID (any number from 1 to 4094) or by VLAN Name.

NetService Configuration

Select the Manage NetServices link to add, edit, and delete the NetService definitions. For more information, see NetService Profiles.

NetDestination Configuration

Select the Manage NetDestinations link to add, edit, and delete the NetDestinations definitions. For more information, see NetDestination Profiles.

Time Range Configuration

Select the Manage Time Ranges link to add, edit, and delete time range definitions. For more information, see Time Range Profiles.

NAT Pool Configuration

Select the Manage NAT Pool link to add, edit, and delete NAT Pool definitions. For more information, see NAT Pools.

ACL Type

Select from the following ACL types:

Ethertype: Ethertype ACLs filter based on the Ethertype field in the frame header.

MAC: MAC ACLs filter traffic on a specific source MAC address or range of MAC addresses.

Session: Session ACLs define traffic and firewall policies.

Stateless: Stateless ACLs define stateless packet filtering and quality of service (QoS). A stateless ACL statically evaluates packet contents.

ACL Name

Click the name of the ACL type.

To move the ACL Name to the ACL field, click Add.

To modify the order of the names in the ACL list, click Move Up or Move Down.

To delete an ACL from the list, click Remove.

User Role Configuration

Check the Summary tab for the generated role configuration.

Table 4: ArubaOS-Switch Role Configuration Parameters

Parameter

Action/Description

Captive Portal Profile

Select the captive portal profile from the drop-down list if it is already configured.

To add a new captive portal profile, click the Add Captive Portal Profile link. For more information, see Captive Portal Profiles.

Policy

Select the Enforcement Policy from the drop-down list if already configured.

To add a new enforcement policy, click the Add Policy link. For more information, see Policies.

Secondary Role Type

Specify one of the following secondary role types:

None

Static: When selected, the Controller Static Role field appears.

Dynamic: When selected, the Controller Downloadable Role field appears.

VLAN

Specify one of the following VLAN identifiers:

None

ID: When selected, the VLAN ID Tagged <number> field appears. Enter the VLAN ID number.

Name: When selected, the VLAN Name field appears. Enter the VLAN name.

VLAN Tagged

Specify one of the following VLAN Tagged identifiers:

None

ID: When selected, the VLAN ID Tagged <number> field appears. Enter the VLAN ID Tagged number.

Name: When selected, the VLAN Name Tagged field appears. Enter the VLAN tagged name.

Re-Authentication Period

Specify the ArubaOS-Switch reauthentication period in seconds.

Logoff Period

Enter the Logoff Period in one of the following formats:

O (mac-pin): This is the Mac system lock PIN code.

A value in seconds, from 60 to n.

Cached Re-Authentication Period

Enter the Cached Re-Authentication Period in seconds from 60 to n.

Cached reauthentication allows 802.1X, web-based, or MAC reauthentications to succeed when the RADIUS server is unavailable. Users already authenticated retain their currently assigned RADIUS attributes. Uninterrupted service is provided for authenticated users with RADIUS-assigned VLANs if the RADIUS server becomes temporarily unavailable during periodic reauthentications.

Device Configuration

Click the Enable check box to enable device configuration. This option allows you to allocate a PoE priority of low, high, or critical for the class, and enable the admin edge port or port mode options.

Class Configuration

Select the Manage Classes link to add, edit, or delete Class definitions. For more information, see Classes.

NetService Configuration

Select the Manage NetServices link to add, edit, and delete the NetService definitions. For more information, see NetService Profiles.

NetDestination Configuration

Select the Manage NetDestinations link to add, edit, and delete the NetDestinations definitions. For more information, see NetDestination Profiles.

User Role Configuration

Select the Summary tab to view the generated user role configuration.

Table 5: AOS-CX Role Configuration Parameters

Parameter

Action/Description

Captive Portal Profile

Select the captive portal profile from the drop-down list if it is already configured.

To add a new captive portal profile, click the Add Captive Portal Profile link. For more information, see Captive Portal Profiles.

Class Configuration

Select the Manage Classes link to add, edit, or delete class definitions. For more information, see Classes.

Policy

Select the Enforcement Policy from the drop-down list if already configured.

To add a new enforcement policy, click the Add Policy link. For more information, see Policies.

Secondary Role Type

Policy Manager supports setting a controller Downloadable User Role (DUR) as a Secondary Role. Options are none if you do not want a secondary role, static for a static role, or dynamic for a dynamic role.

The secondary role option allows network admins to configure roles that are not allowed on a Layer 3 switch by creating a User Based Tunnel (UBT) to the controller associated with the AOS-CX switch, and allowing the controller to download the secondary role from ClearPass.

If you select the static option, roles and policies must be manually configured on the controller. ClearPass just passes the role name to the AOS-CX switch, which in turn sends it to the controller.

If you select the dynamic option, roles can be configured in Policy Manager, and no additional role configuration is necessary on the controller side. Support for dynamic secondary roles in AOS-CX was introduced in Policy Manager 6.10.2 for switches running AOS-CX 10.08 and later releases.

Gateway Zone

If you selected the Static or Dynamic secondary role type, specify the per-role gateway zone needed for user-based tunneling (UBT).

Gateway Static Role

If you selected the Static secondary role type, specify the gateway static role.

Gateway Downloadable Role

If you selected the Dynamic secondary role type, specify the gateway dynamic role.

NOTE: Support for dynamic secondary roles in AOS-CX was introduced in Policy Manager 6.10.2 for switches running AOS-CX 10.08 and later releases.

PoE Priority

Select the priority level High, Low or Critical.

Trust Mode

Configures the QoS trust mode for the role:

None: Do not trust any priority fields.

COS: Trust DSCP and preserve the 802.1p priority.

DSCP: Trust 802.1p priority and retain DSCP or IP-ToS.

Session Timeout

Number of seconds the enforcement profile should assign the role before the device session ends.

Authentication Mode

Select an Authentication mode:

Client mode: Access control on a per-user basis

Device mode: Access only on ports where an 802.1X-capable device has entered authorized user credentials.

MTU <68-9198>

Sets the MTU (maximum transmission unit) for an interface. This defines the maximum size of a layer 2 (Ethernet) frame. Packets larger than the MTU are dropped and cause an ICMP fragmentation-needed message to be sent back to the originator.

Allowed VLANsVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. on Trunk <1-4094>

Assigns a VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. ID to an trunk interface. This VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. ID defines which VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. traffic is allowed across the trunk interface.

Allowed VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. Names on Trunk (one per line) Assigns a VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. to a trunk interface based on the VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. name.

Native Trunk VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN.

Assigns a native VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. ID to a trunk interface.

Native Trunk VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. name Assigns a native VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. to a trunk interfacebased on the VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. name

Access VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN.

Creates an access interface and assigns an VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. ID to it.

Cached Re-authentication period <30-4294967295>

Cached reauthentication allows 802.1X, web-based, or MAC reauthentications to succeed when the RADIUS server is unavailable. The supported value for this parameter is 30-4294967295 seconds.

NOTE: This feature is not supported in AOS-CX switches running AOS-CX 10.5 or earlier releases.

Re-authentication period <1-4294967295>

Time, in seconds, after which the device is required to reauthenticate. This parameter supports a range of 1-4294967295 seconds.

Client Inactivity Timeout <300-4294967295> Or None

Configures the time the switch waits for client activity before removing an inactive client from the port. Supported times are 300-4294967295 seconds. Enter the text string none to disable the client activity timeout.

Description

Enter a description of this AOS-CX role.

User Role Configuration

Select the Summary tab to view the generated user role configuration.

The Role Configuration tab also allows you to associate other profile types with your selected user role, or to create these profiles if they are not yet defined. Refer to the following sections for information on creating those profiles.

Role Configuration: Advanced Mode

When you set Role Configuration Mode to Advanced, the Enforcement Profile page displays the Attributes tab (see Figure 15 below).


In Advanced mode, a validation check is not available for downloadable role names that are greater than 64 characters. This is due to a limitation on the switch. Thus, if a downloadable role name configured on the Policy Manager server exceeds 64 characters, the enforcement profile may fail on the switch.

In Advanced mode, the Aruba Downloadable Role Enforcement profile provides two dictionaries and two attributes.

Mobility Controllers, Mobility Access Switches, and AOS-CX devices use the Aruba dictionary and the Aruba-CPPM-Role and Aruba-UBT-Gateway-CPPM-Role attributes.

ArubaOS-Switch devices use the Hewlett-Packard-Enterprise dictionary and the HPE-CPPM-Role and HPE-CPPM-Secondary-Role attributes. The HPE-CPPM-Secondary-Role attribute adds support for a downloadable secondary role that can be used with Per User Tunneled Node (PUTN). When the attribute is added to the enforcement profile, Policy Manager can send the controller role for the ArubaOS switch.


You can use only one of the Advanced mode dictionaries at any given time; the Aruba and Hewlett-Packard-Enterprise dictionaries cannot be combined in the same profile.
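Because Advanced mode skips the 64-character role-name check and Standard mode only validates field syntax when the profile is saved, a pre-flight check on the profile definition before it is entered in Policy Manager is worth having. The following is an added example, not ClearPass code: it reads a role definition as a plain Python dictionary and applies the limits listed above (MTU <68-9198>, VLAN <1-4094>, the re-authentication and timeout ranges, the text string none for the inactivity timeout, the 64-character name limit, and the rule that the two Advanced mode dictionaries cannot be mixed). The dictionary layout, field names and the validate_dur() function are assumptions chosen for this illustration.

```python
"""Pre-flight validation for an Aruba Downloadable User Role (DUR) definition.

Constructed example: the range limits come from the Standard Mode fields
documented above (MTU <68-9198>, VLAN <1-4094>, re-authentication and
timeout ranges) and the 64-character role-name limit that Advanced mode
does not validate. The profile dictionary layout, field names and the
validate_dur() function are assumptions for illustration; they are not
ClearPass APIs.
"""
from typing import Any, Dict, List, Tuple

MAX_ROLE_NAME = 64          # switch-side limit, not validated in Advanced mode
UINT32_MAX = 4294967295     # upper bound shared by the re-auth and timeout fields

# (minimum, maximum) for each numeric Standard Mode field, as documented
RANGES: Dict[str, Tuple[int, int]] = {
    "mtu": (68, 9198),
    "native_trunk_vlan": (1, 4094),
    "access_vlan": (1, 4094),
    "reauth_period": (1, UINT32_MAX),
    "cached_reauth_period": (30, UINT32_MAX),
    "client_inactivity_timeout": (300, UINT32_MAX),
}

# Advanced mode attributes grouped by the RADIUS dictionary they belong to
ARUBA_ATTRS = {"Aruba-CPPM-Role", "Aruba-UBT-Gateway-CPPM-Role"}
HPE_ATTRS = {"HPE-CPPM-Role", "HPE-CPPM-Secondary-Role"}


def _in_range(value: Any, lo: int, hi: int) -> bool:
    # bool is a subclass of int; reject it so True does not pass as 1
    return isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi


def validate_dur(profile: Dict[str, Any]) -> List[str]:
    """Return the problems found in the profile; an empty list means it passes."""
    errors: List[str] = []

    name = profile.get("name", "")
    if not name:
        errors.append("name: a role name is required")
    elif len(name) > MAX_ROLE_NAME:
        errors.append(f"name: {len(name)} characters exceeds the {MAX_ROLE_NAME}-character switch limit")

    mode = profile.get("mode")
    if mode == "advanced":
        _validate_advanced(profile.get("attributes", {}), errors)
    elif mode == "standard":
        _validate_standard(profile, errors)
    else:
        errors.append(f"mode: {mode!r} must be 'standard' or 'advanced'")
    return errors


def _validate_advanced(attributes: Dict[str, str], errors: List[str]) -> None:
    """Advanced mode carries the whole role as text under one dictionary's attribute."""
    names = set(attributes)
    for attr in sorted(names - ARUBA_ATTRS - HPE_ATTRS):
        errors.append(f"attributes: {attr} is not a Downloadable Role attribute")
    if names & ARUBA_ATTRS and names & HPE_ATTRS:
        errors.append("attributes: the Aruba and Hewlett-Packard-Enterprise dictionaries cannot be used together")
    if not names:
        errors.append("attributes: at least one role attribute with a value is required")
    for attr, value in attributes.items():
        if not str(value).strip():
            errors.append(f"attributes: {attr} has an empty value")


def _validate_standard(profile: Dict[str, Any], errors: List[str]) -> None:
    """Standard mode: check each supplied field against its documented range."""
    for field, (lo, hi) in RANGES.items():
        if field not in profile:
            continue
        value = profile[field]
        if field == "client_inactivity_timeout" and str(value).lower() == "none":
            continue  # the text string 'none' disables the inactivity timeout
        if not _in_range(value, lo, hi):
            errors.append(f"{field}: {value!r} is outside <{lo}-{hi}>")

    for vid in profile.get("allowed_vlans_on_trunk", []):
        if not _in_range(vid, 1, 4094):
            errors.append(f"allowed_vlans_on_trunk: {vid!r} is outside <1-4094>")

    if profile.get("auth_mode", "client") not in ("client", "device"):
        errors.append(f"auth_mode: {profile['auth_mode']!r} must be 'client' or 'device'")


if __name__ == "__main__":
    # Constructed sample: a Standard mode role that should pass every check
    sample = {"name": "employee-role", "mode": "standard", "mtu": 1500,
              "access_vlan": 10, "reauth_period": 3600,
              "client_inactivity_timeout": "none", "auth_mode": "client"}
    print(validate_dur(sample) or "profile passes pre-flight checks")
```

Run the checks before creating the profile in Policy Manager; an empty result means every documented range is satisfied, while a non-empty result names the field and the documented range it violates, which is the same information the Standard Mode syntax validation would report on save and which Advanced mode would only surface as a failure on the switch.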

To configure the Aruba Downloadable Role Enforcement > Advanced attributes:

1. Navigate to Configuration > Enforcement > Profiles > Add.

2. Select Aruba Downloadable Role Enforcement from the Template drop-down list.

3. Configure the settings on the Profile tab as described in Role Configuration: Standard Mode, but select the Advanced option for the Role Configuration Mode setting.

Figure 15  Downloadable Role Enforcement > Profile Tab (Advanced Mode)

4. Next, select the Attributes tab. The appropriate RADIUS dictionary for the selected device type is enabled by default.

Figure 16  Configuring HPE-CPPM-Role Attribute

5. In the Value field, enter the appropriate commands.

a. For RADIUS dictionary type Radius: Hewlett-Packard Enterprise, select HPE-CPPM-Role (27) or HPE-CPPM-Secondary-Role (28), then enter a value in the Value field.

b. For RADIUS dictionary type Radius: Aruba, select Aruba-CPPM-Role (23) or Aruba-UBT-Gateway-CPPM-Role (59), then enter a value in the Value field.

6. Click Save.

Summary Information

For a profile in Standard Role configuration mode, the Summary tab summarizes the parameters configured in the Profile and Role Configuration tabs. For a profile in Advanced role configuration mode, the Summary tab summarizes the parameters configured in the Profile and Attribute tabs.
