Aruba Downloadable Role Enforcement Profiles
Policy Manager includes support for centralized policy definition and distribution. When ClearPass Policy Manager successfully authenticates a user, it assigns the user a role. If that role is not defined on the Aruba controller or switch, the role attributes can be downloaded automatically. The following validations are performed for an Aruba Downloadable User Role (DUR):
Standard Mode elements are validated based on schema contents (syntax validation) prior to saving the DUR.
After a schema update, existing DURs remain unchanged until the admin user edits the DUR profile.
When an admin user edits an existing DUR profile, the syntax/configuration is re-validated, and an alert is shown to the admin to verify the changes.
Note: A DUR is not supported in AOS 10.
Basic Profile Settings
Use the tab on the dialog to configure the template, the type of the profile, and the device group list, and to specify the Role Configuration Mode. Two modes are available:
Standard (the default): user-provided options configure the individual components of a role (for example, a Policer Profile or a Stateless ACL configuration). The user role is generated from the components added to the configuration.
The alternative mode: you enter the entire role configuration as text under a single attribute.
Events are logged for create, update, and delete operations in the Captive Portal, Policy, and Class configurations. Events are also logged for generated user roles and for import/export operations in enforcement profiles.
To configure the Aruba Downloadable Role Enforcement Profile:
1. Navigate to > > . The page opens.
2. Click the link. The page opens.
3. From the Template drop-down, select .
Figure 1 Aruba Downloadable Role Enforcement > Profile Page (Standard Mode)
4. Specify the > parameters as described in the following table:
| Parameter | Action/Description |
|---|---|
| Template | Select the template. |
| Name | Enter the name of the enforcement profile. |
| Description | Enter a description of the enforcement profile. |
| Type | This field is populated automatically. |
| Action | Select the action to be taken on the request; one action is selected by default. |
| Device Group List | Select a device group from the drop-down list. The list displays all configured device groups; these are listed on the Configuration > Network > Device Groups page. After adding one or more device groups, you can select a group and click Remove to delete it from the list, View Details to see its parameters, or Modify to change them. To add a new device group, click the link and see Adding and Modifying Device Groups. |
| Role Configuration Mode | Select the mode. Standard is the default. |
| Product | Specify one of the following products: ArubaOS-Switch, Mobility Access Switch (MAS), Mobility Controller, or AOS-CX. |
Role Configuration: Standard Mode
When the Role Configuration Mode setting is set to Standard (the default), the role configuration tab appears. In Standard mode, the tab includes only the options that are appropriate for the selected product, so the fields within the tab vary according to which product you specify. The following tables describe the parameters for the Aruba Downloadable Role Enforcement Profile for Mobility Access Switch, Mobility Controller, ArubaOS-Switch, and AOS-CX.
The tab also allows you to associate other profile types with the selected user role, or to create these profiles if they are not yet defined. Refer to the following sections for information on creating those profiles.
To define the Captive Portal Profile for a downloadable Role Enforcement profile for any supported device type:
1. From the tab, click the Add Captive Portal Profile link. The Add Captive Portal Profile dialog opens:
2. Enter a name for the profile and configure the required attributes. Note that the available parameters for a Captive Portal profile vary by device type. The following tables describe the Captive Portal attributes available for Mobility Controller and Mobility Access Switch, ArubaOS-Switch, and AOS-CX.
This profile limits the inbound transmission rate of a class of traffic on the basis of user-defined criteria. To define a Policer Profile for an Aruba Mobility Access Switch:
1. From the tab, click the Add Policer Profile link. The Add Policer Profile dialog opens:
Figure 2 Add Policer Configuration Profile
2. Enter a name of the profile and configure the required attributes.
| Parameter | Action/Description |
|---|---|
| CBS (bytes) | Specify the Committed Burst Size (CBS) for this enforcement policy. Traffic rates below CIR or bursts below CBS limits are considered "conforming" and are allowed to pass through. |
| CIR | Specify the Committed Information Rate (CIR) for this enforcement policy. Traffic rates below CIR or bursts below CBS limits are considered "conforming" and are allowed to pass through. |
| EBS (bytes) | Specify the burst size, in bytes, considered to be an Excessive Burst Size (EBS). |
| Exceed Action | Select an action for traffic exceeding CIR and CBS yet bursting below the EBS limit. By default, this traffic is permitted. |
| QoS Profile (exceed) | Select a QoS profile to be assigned to traffic that exceeds CIR and CBS, yet bursts below the EBS limit. |
| Violate Action | Select an action for traffic exceeding CIR and CBS and also bursting above the EBS limit. By default, this traffic is dropped. |
| QoS Profile (violate) | Select a QoS profile to be assigned to traffic that exceeds CIR and CBS and also bursts above the EBS limit. |
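As an added illustration (not code from ClearPass or HPE Aruba), the following Python models how the CIR, CBS, and EBS parameters above sort packets into conforming, exceeding, and violating traffic and then apply the Exceed and Violate actions. It assumes the policer behaves like an RFC 2697 single-rate three-color marker in color-blind mode; the switch's actual datapath implementation is not described on this page, and the sample profile and packet trace are constructed.

```python
"""Model of the Policer Profile parameters (CIR, CBS, EBS, Exceed Action,
Violate Action) as a single-rate three-color marker.

Assumption: the policer behaves like RFC 2697 srTCM in color-blind mode;
the real ArubaOS datapath implementation is not documented on this page.
"""
from dataclasses import dataclass


@dataclass
class PolicerProfile:
    cir_bps: int                      # Committed Information Rate, bits/s
    cbs_bytes: int                    # Committed Burst Size, bytes
    ebs_bytes: int                    # Excessive Burst Size, bytes
    exceed_action: str = "permit"     # dialog default for the exceed case
    violate_action: str = "drop"      # dialog default for the violate case


class SingleRateThreeColorMarker:
    """Two token buckets refilled at CIR: the committed bucket (depth CBS)
    fills first; overflow tokens spill into the excess bucket (depth EBS)."""

    def __init__(self, profile: PolicerProfile, start_time: float = 0.0):
        self.profile = profile
        self.tc = float(profile.cbs_bytes)   # committed tokens, starts full
        self.te = float(profile.ebs_bytes)   # excess tokens, starts full
        self.last = start_time

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        earned = elapsed * self.profile.cir_bps / 8.0   # bytes earned at CIR
        to_committed = min(earned, self.profile.cbs_bytes - self.tc)
        self.tc += to_committed
        self.te = min(float(self.profile.ebs_bytes),
                      self.te + earned - to_committed)

    def classify(self, now: float, size_bytes: int) -> str:
        """Return 'conform', 'exceed' or 'violate' for one packet."""
        self._refill(now)
        if size_bytes <= self.tc:          # within CIR / CBS
            self.tc -= size_bytes
            return "conform"
        if size_bytes <= self.te:          # over CBS but within EBS
            self.te -= size_bytes
            return "exceed"
        return "violate"                   # over EBS: consumes no tokens

    def action(self, now: float, size_bytes: int) -> tuple:
        color = self.classify(now, size_bytes)
        if color == "conform":
            return color, "permit"         # conforming traffic always passes
        if color == "exceed":
            return color, self.profile.exceed_action
        return color, self.profile.violate_action


def police_trace(profile: PolicerProfile, packets) -> list:
    """Run (time_seconds, size_bytes) tuples through one marker instance."""
    marker = SingleRateThreeColorMarker(profile)
    return [marker.action(t, size) for t, size in packets]


# Constructed sample: 8 kbit/s (1000 bytes/s), CBS 1500 B, EBS 3000 B.
SAMPLE_PROFILE = PolicerProfile(cir_bps=8000, cbs_bytes=1500, ebs_bytes=3000)
# Five 1000-byte packets arrive at once, then one more a second later.
SAMPLE_TRACE = [(0.0, 1000)] * 5 + [(1.0, 1000)]

if __name__ == "__main__":
    for (t, size), (color, act) in zip(SAMPLE_TRACE,
                                       police_trace(SAMPLE_PROFILE, SAMPLE_TRACE)):
        print(f"t={t:.1f}s {size}B -> {color:8s} {act}")
```

The burst of five packets yields one conforming, three exceeding (permitted by default) and one violating (dropped by default) packet; after one second at CIR the committed bucket has refilled and the sixth packet conforms again.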
To define a QoS Profile for an Aruba Mobility Access Switch:
1. Click the Add QoS Profile link. The Add QoS Profile dialog opens:
Figure 3 Add QoS Profile Configuration Profile
2. Enter a name of the profile and configure the required attributes.
| Parameter | Action/Description |
|---|---|
| Traffic Class (0-7) | Enter a value from 0 to 7 to specify which of the eight traffic classes (TCs) maps to the corresponding queue. |
| Drop Precedence | Select Low or High to set the drop precedence for controlling tail-drop. Traffic at a lower precedence encounters a higher drop rate and is more likely to be throttled. |
| DSCP | DSCP (Differentiated Services Code Point) value mapped to traffic matching this enforcement profile. |
| 802.1p (0-7) | Value of the 802.1p priority for traffic matching this enforcement profile. |
To define a VoIP Profile for an Aruba Mobility Access Switch:
1. From the tab, click the Add VoIP Profile link. The Add VoIP Profile dialog opens:
Figure 4 Add VoIP Configuration Profile
2. Enter a name for the profile and configure the required attributes.
The NetService settings in a Downloadable Enforcement Profile vary, depending upon whether you are defining NetService settings for an ArubaOS-Switch, or for a Mobility Controller or Mobility Access Switch. To define a NetService Configuration profile for an Aruba Mobility Access Switch or ArubaOS-Switch:
1. From the tab, click the Manage NetServices link. The NetService dialog opens:
Figure 5 NetService Configuration Profile
2. Enter a name for the profile and configure the required attributes.
| Parameter | Action/Description |
|---|---|
| Protocol | Select a protocol (IP, TCP, or UDP). |
| IP Protocol Number | If you selected IP in the Protocol field, enter an IP protocol number (0-255). |
| Port Selection | If you selected UDP or TCP in the Protocol field, click this drop-down menu and select List or Range to identify how you will select the ports for that protocol. |
| Port List | If you selected List in the Port Selection field, enter a comma-separated list of ports. If you are defining NetService settings for an ArubaOS-Switch, the Port List field is in sync with the maximum number of ports supported by the switch and accepts only six entries; an error message is displayed if more than six ports are entered. |
| Port (1-65535), Max Port (1-65535) | If you selected Range in the Port Selection field, enter the starting port of the range in the Port field and the ending port of the range in the Max Port field. |
| Application Level Gateway | Click this drop-down menu and select one of the following options: SCCP, SIPS, or Vocera. |
To define a NetDestination Configuration profile for an Aruba Mobility Access Switch or ArubaOS-Switch:
1. Click the Manage NetDestinations link. The NetDestinations dialog opens:
Figure 6 Net Destinations Configuration Profile
2. Enter a name for the profile and configure the required attributes, then save.

| Parameter | Action/Description |
|---|---|
| Invert | Specifies that the inverse of the configured network addresses is used. For example, if a network of 172.16.0.0 is configured, this parameter specifies that the alias matches everything except this IP address. |
| Rule type | Select how this netdestination rule is defined: by a host name or domain, by a single IPv4 or IPv6 address, by an IPv4 or IPv6 address and a netmask, or by a range with starting and ending IPv4/IPv6 addresses. |
| Host Name or Domain | If you selected the host name or domain rule type, enter a host or domain name. This field supports a single wildcard character (*) at the beginning of a host or domain name for an Aruba Mobility Access Switch or controller. |
| IP address | If you selected the single-address, address-and-netmask, or range rule type, enter the IP address of the host or network, or the starting IP address of the IP range. |
| Netmask | If you selected the address-and-netmask rule type, enter the netmask of the subnetwork. |
| End IP address | If you selected the range rule type, enter the end of the IP range. |
To define a Time Range Configuration profile for an Aruba Mobility Controller or Mobility Access Switch:
1. From the tab, click the Manage Time Ranges link. The Time Range Configuration dialog opens:
Figure 7 Time Range Configuration Profile
2. Enter a name for the profile and configure the required attributes.
| Parameter | Action/Description |
|---|---|
| Type | Select the type of time range profile: an absolute range with a single fixed start and end date and time, or a periodic (recurring) range. |

The following parameters apply to an absolute time range:

| Parameter | Action/Description |
|---|---|
| Start Date (mm/dd/yyyy) | Enter the start date in mm/dd/yyyy format, or use the calendar function to browse to and select a date. |
| Start Time (HH:mm) | Enter the start time in HH:mm format, or use the time drop-down menu to select a time. |
| End Date (mm/dd/yyyy) | Enter the end date in mm/dd/yyyy format, or use the calendar function to browse to and select a date. |
| End Time (HH:mm) | Enter the end time in HH:mm format, or use the time drop-down menu to select a time. |

The following parameters apply to a periodic time range:

| Parameter | Action/Description |
|---|---|
| Start Day | Click the drop-down menu and select one of the following options: daily, weekend, weekday, Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, or Saturday. |
| Start Time (HH:mm) | Enter the start time in HH:mm format, or use the time drop-down menu to select a time. |
| End Time (HH:mm) | Enter the end time in HH:mm format, or use the time drop-down menu to select a time. |
You can create a NAT (Network Address Translation) pool associated with the source NAT option or the dual NAT option. Source NAT changes the source address of packets passing through the router and is typically used when an internal (private) host initiates a session to an external (public) host. When a pool is created with the dual NAT option, both the source IP and the destination IP of the packet are changed. To define a NAT Pool Configuration profile for an Aruba Mobility Controller or Mobility Access Switch:
1. From the tab, click the Manage NAT Pool Configuration link. The NAT Pool Configuration dialog opens:
Figure 8 NAT Pool Configuration Profile
2. Enter a name for the profile and configure the required attributes.
| Parameter | Action/Description |
|---|---|
| | IP address at the start of the NAT range. |
| | IP address at the end of the NAT range. |
| Destination IP address | If this parameter is configured, the destination IP changes to the IP from the NAT pool. |
This setting appears on the tab when you configure an enforcement profile for an ArubaOS-Switch or AOS-CX device. When you select the link on the tab, the following configuration dialog opens:
Figure 9 Policy Configuration Page
Enter the appropriate values for each of the fields in the dialog, then save. Table 16 describes the parameters for an ArubaOS-Switch, and Table 17 describes the parameters for AOS-CX.
Table 16 Policy Parameters for ArubaOS-Switch

| Parameter | Action/Description |
|---|---|
| Number | Enter a number. |
| Class | Select one of the following: IPv4 or IPv6. |
| Class Name | Specify the appropriate class name from the drop-down menu. |
| Action | Select the desired action from the drop-down list. |
| IP DSCP | Enter a number from 0 to 63 to indicate the IP DSCP (Differentiated Services Code Point). |
| IP Precedence <0-7> | Specify the IP precedence by entering a number from 0 to 7. |
| Priority | Enter a number from 0 to 7 to indicate the QoS priority. |
| Rate Limit (Kbps) | Specify the rate limit in kilobits per second. |
Table 17 Policy Parameters for AOS-CX

| Parameter | Action/Description |
|---|---|
| Number | Enter a number. |
| Class | Select one of the following: IPv4 or IPv6. |
| Class Name | Specify the appropriate class name from the drop-down menu. |
| Action | Select the desired action from the drop-down list. |
| IP Precedence <0-7> | Specify the IP precedence by entering a number from 0 to 7. |
| IP DSCP | Enter a number from 0 to 63 to indicate the IP DSCP (Differentiated Services Code Point). |
| Committed Information Rate <1-4294967295> | Specify the Committed Information Rate (CIR) for this policy. Traffic rates below CIR or bursts below CBS limits are considered "conforming" and are allowed to pass through. |
| Committed Burst Size <1-4294967295> | Specify the Committed Burst Size (CBS) in bytes for this enforcement policy. Traffic rates below CIR or bursts below CBS limits are considered "conforming" and are allowed to pass through. |
| Local Priority | Enter a number from 0 to 7 to indicate the QoS priority. |
| Priority Code Point | Priority Code Point (PCP) value for traffic matching this policy. |
The link appears on the tab when you configure an enforcement profile for an ArubaOS-Switch or AOS-CX device. You can create and configure traffic classes and map the enforcement policy to the traffic classes.
1. Select the link on the tab. The following configuration dialog opens:
Figure 10 Class Configuration Dialog
2. Specify the parameters as described in the following table.

| Parameter | Action/Description |
|---|---|
| Select Class Name | Select the class name from the drop-down list if it is already configured. |
| Name | Enter the class name. |
| Traffic | Specify the traffic type. |

3. Click the tab. The rule configuration dialog opens. The parameters displayed in this dialog vary, depending upon whether you are creating a rule for an ArubaOS-Switch or an AOS-CX device.
4. Specify the parameters to create a rule for traffic that matches the selected conditions. The following tables describe the class rule parameters available for ArubaOS-Switch and AOS-CX.
| Parameter | Action/Description |
|---|---|
| Number | (Optional) Specify a sequence number for the rule in the access control list. |
| Packet Match | Select whether the packet characteristics specified in this rule should be matched or not. |
| Protocol | Specify the appropriate traffic protocol from the drop-down. |
| Source | Select Any, the source option supported for ArubaOS. |
| Source Port | Select a source port option. |
| Source Port Value | Specify the source port value. |
| Destination | Select the destination. When you select the subnet option, you are prompted for the IP subnet address. |
| Destination Port | Select a destination port option. |
| Destination Port Value | Specify the destination port value. |
| DSCP | Specify the Differentiated Services Code Point (DSCP) value. |
| IP Precedence | Specify the IP precedence: Routine, Priority, Immediate, Flash, Flash Override, Critical, Internet, or Network. |
| IP Type of Service | Specify one of the following for the type of service: Normal, Max Reliability, Max Throughput, or Minimum Delay. |
| TCP flag | Select one of the following: FIN, which indicates the end of data transmission to finish a connection; RST, which sets the Reset flag; or SYN, which synchronizes sequence numbers to initiate a connection. |
Stateless Access Control Lists (ACLs) are used to define stateless packet filtering and quality of service (QoS). A stateless ACL statically evaluates packet contents; traffic in the reverse direction is allowed unconditionally. To add a Stateless Access Control List to a Mobility Access Controller:
1. From the tab, click the Add Stateless Access Control List link. The Stateless Access Control List Configuration dialog opens:
Figure 11 Stateless Access Control List Configuration Profile
2. On the tab, enter a name for the Stateless ACL.
3. Click the link. The dialog opens.
4. Specify the rule attributes as described in the table below, then save.
| Parameter | Action/Description |
|---|---|
| Source Traffic Match | Select one of the following options: match an IP network resource, match any source traffic, match a single host address, or match an IP network by address and netmask. |
| Source IP address | IP address of the source host or network. |
| Source Netmask | If you selected the option that matches an IP network, enter the netmask of the source network. |
| Destination Traffic Match | Select one of the following options: match an IP network resource, match any traffic, match a single host address, or match an IP network by address and netmask. |
| Destination IP address | IP address of the destination host or network. |
| Destination Netmask | If you selected the option that matches an IP network, enter the netmask of the destination network. |
| Service Type | Specify the service to match the rule: match any traffic, match a Policy Manager NetService profile, or match a service defined by a protocol or port. |
| Action | Choose one of the following actions to take on matching traffic: reject packets, forward packets, or redirect packets to a specified location. If you select the redirect option, you are prompted to specify one of the following redirect types: the name of an IPSec map used to redirect matching traffic, or a tunnel ID used to redirect packets over an L3 tunnel. |
| Denylist user if ACL gets applied | If the ACE (Access Control Entry) is matched, the traffic from that particular user is denied and the user is added to a blocked list for 3600 seconds. |
| Log if ACL is applied | If enabled, log information is displayed when the ACL is applied. |
| Position (1-2000) | Manages the position of the rule within the Access Control List (ACL). |
| Policer Profile | This parameter defines a policer profile to manage the transmission rate of a class of traffic based on user-defined criteria. For more information, see Policer Profiles. |
| QoS Profile | Click the QoS profile drop-down menu to select a set of Traffic-Class/Drop-Precedence, DSCP, and 802.1p values for a Mobility Access Switch. For more information, see QoS Profiles. |
| Time Range | Select a time range from the drop-down menu to create a rule matching time range definitions. For more information, see Time Range Profiles. |
To add a Session Access Control List to a downloadable role enforcement profile for a mobility controller or mobility access switch:
1. From the tab, click the Add Session Access Control List link. The Session Access Control List Configuration dialog opens.
2. Enter a name for the Session ACL.
3. On the tab, click the link. The dialog opens.
Figure 12 Session Access Control List Rule Configuration Profile
4. Enter the required attributes in the dialog, then save. Note that this dialog can display different fields depending on the selected options; for example, some action types display an additional field for specifying the action.
Parameter |
Action/Description |
Source Traffic Match: |
Source of the traffic, which can be one of the following: : Refers to using an alias for a host or network. You configure the alias by navigating to the Configuration > Roles & Policies > Policies tab. Select a policy created and click + to create a Rule. Select the Access Control option in the Rule Type. Select Alias from the Destination drop-down list and the alias name from the Destination alias drop-down list. Select a Source from the traffic Source drop-down list. : Acts as a wildcard and applies to any source address. : Refers to traffic from a specific host. When this option is chosen, you must configure the IP address of the host. subnet Subnet is the logical division of an IP network. of IP addresses. When this option is chosen, you must configure the IP address and network mask of the subnet Subnet is the logical division of an IP network.. : Refers to a traffic that has a source IP from a: Refers to traffic from the wireless client. |
Destination Traffic Match: |
Destination of the traffic, which can be configured in the same manner as . |
Service Type: |
Type of traffic, which can be one of the following: : This option specifies that this rule applies to any type of traffic. : Enter a protocol number (0-255) to apply this rule to a specific protocol. Netservice configuration. : Select aTCP Transmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. port(s) to match for the rule to be applied. : Using this option, you configure a range ofUDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port(s) to match for the rule to be applied. : Using this option, you configure a range of |
Action: |
The action that you want to perform on a packet that matches the specified criteria. This can be one of the following: : Drops packets matching this rule. : This option redirects traffic to the IP address and destination port defined in the and fields. NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. on packets matching the rule. If you select this option, you are prompted to select a NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. pool in the field. For more information, see NAT Pools : This option performs both source and destination: Permits traffic matching this rule. GRE Generic Routing Encapsulation. GRE is an IP encapsulation protocol that is used to transport packets over a network. tunnel specified in the field. : This option redirects traffic into aNAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. on packets matching the rule. When this option is selected, you need to select a NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. pool in the field. For more information, see NAT Pools : Performs: Permits traffic matching this rule. |
Denylist user if ACL gets applied |
Automatically adds to a blocked list any client that is the source or destination of traffic matching this rule. This option is recommended for rules that indicate a security breach, so that clients attempting the breach are denied further access. |
802.1p Priority (0-7) |
When this parameter is enabled, the 802.1p priority bits in the frame of a packet matching this rule are set to the selected value when the packet leaves the managed device. 0 is the lowest priority (background traffic) and 7 is the highest (network control). |
Log if ACL is applied |
Logs a match to this rule. This is recommended when a rule indicates a security breach, such as a data packet on a policy that is meant only to be used for voice calls. |
Mirror |
Mirrors session packets to datapath or remote destination. |
Position (1-2000): |
Use this field to select a position for this rule in the Session Access Control List. The rule in position 1 is executed first. |
Queue Priority |
Select the queue in which a packet matching this rule should be placed. Select for higher priority data, such as voice, and for lower priority traffic. |
Time Range |
Click the dropdown menu and select a time range. You can create an absolute time range with a single fixed start and end date and time, or create a periodic (recurring) time range that starts and ends at a specified time on a weekday, weekend, or selected day. For more information, see Time Range Profiles |
TOS (0-63) |
Select the value of the TOS bits in the IP header of a packet, |
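The parameters above describe a first-match session ACL: the rule at the lowest position that matches the packet decides the action, and the Log and Denylist flags fire only on that matching rule. The following is an added example, not ClearPass or ArubaOS code, that models this evaluation in Python for a constructed voice-only role of the kind the Log description mentions, and also flags rules that can never match because an earlier any-traffic rule with no port range precedes them. The implicit deny for unmatched traffic and the destination-port matching are assumptions of the model, not something this page states.

```python
"""First-match session ACL evaluation, modelled on the rule parameters above.

Added example; not code from ClearPass or ArubaOS. Assumptions are marked.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    position: int                      # Position (1-2000): lower positions are checked first
    proto: str                         # "any", "tcp", "udp", or an IP protocol number as a string
    ports: Optional[Tuple[int, int]]   # inclusive destination port range for tcp/udp, None = all ports
    action: str                        # "permit" or "deny"
    log: bool = False                  # "Log if ACL is applied"
    denylist: bool = False             # "Denylist user if ACL gets applied"


@dataclass(frozen=True)
class Verdict:
    action: str
    log: bool
    denylist: bool
    position: Optional[int]            # position of the rule that matched, None if nothing matched


def rule_matches(rule: AclRule, proto: str, dport: int) -> bool:
    """True when the rule's traffic type covers this protocol and destination port."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.ports is None:
        return True
    lo, hi = rule.ports
    return lo <= dport <= hi


def evaluate(rules: List[AclRule], proto: str, dport: int) -> Verdict:
    """Walk the rules in position order and return the first match (rule in position 1 runs first)."""
    for rule in sorted(rules, key=lambda r: r.position):
        if rule_matches(rule, proto, dport):
            return Verdict(rule.action, rule.log, rule.denylist, rule.position)
    # Assumption: traffic matching no explicit rule is dropped, with no log or denylist side effect.
    return Verdict("deny", False, False, None)


def shadowed_positions(rules: List[AclRule]) -> List[int]:
    """Positions of rules that can never match because an earlier 'any' rule with no port range
    already catches every packet. A deny-all accidentally placed at position 1 is the classic case."""
    shadowed: List[int] = []
    catch_all_seen = False
    for rule in sorted(rules, key=lambda r: r.position):
        if catch_all_seen:
            shadowed.append(rule.position)
        elif rule.proto == "any" and rule.ports is None:
            catch_all_seen = True
    return shadowed


# Constructed sample: a role meant only for voice calls. Anything that is not SIP or RTP
# is a policy violation, so the final deny both logs and denylists the client.
VOICE_RULES = [
    AclRule(1, "udp", (5060, 5060), "permit"),                 # SIP signalling
    AclRule(2, "udp", (16384, 32767), "permit"),               # RTP media
    AclRule(3, "any", None, "deny", log=True, denylist=True),  # everything else
]

if __name__ == "__main__":
    print(evaluate(VOICE_RULES, "udp", 5060))   # permit at position 1
    print(evaluate(VOICE_RULES, "tcp", 443))    # deny at position 3, log and denylist set
    print(shadowed_positions(VOICE_RULES))      # [] : nothing is unreachable
```

The shadowing check is the one worth running before saving a role: a catch-all rule at a low position silently turns every later permit into dead configuration, and the GUI does not warn about it.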
Ethertype ACLs filter on the Ethertype field in the frame header. These ACLs can be used to permit IP while blocking other non-IP protocols, such as IPX or AppleTalk. To add an Ethertype/MAC Access Control List to a downloadable role enforcement profile for a mobility controller or mobility access switch:
1. From the tab, click the Add Ethertype/MAC Access Control List link. The Access Control List Configuration dialog opens with the ACL Type already set.
Figure 13 Ethertype/MAC Access Control List Configuration Profile
2. Enter a name for the Ethertype/MAC Access Control List.
3. Enter the required attributes in the section of the page and click Save Rule (click Reset to clear the fields and start over).
4. When finished, click Save.
Parameter |
Action/Description |
Action |
The action that you want to perform on a packet that matches the specified criteria. This can be one of the following: : Drops packets matching this rule. : Permits traffic matching this rule. |
Ethertype number |
Either apply the access control list to any Ethertype value, or specify an Ethertype value (0-65535) and subnet bits (0-65535). |
Role Configuration: Advanced Mode
When you set the role configuration mode to Advanced, the Enforcement Profile page displays the tab on which you enter the role attributes (see Figure 14 below).
|
In Advanced mode, a validation check is not available for downloadable role names that are greater than 64 characters. This is due to a limitation on the switch. Thus, if a downloadable role name configured on the Policy Manager server exceeds 64 characters, the enforcement profile may fail on the switch. |
In Advanced mode, the profile provides two dictionaries, each with two attributes. Mobility Controllers, Mobility Access Switches and AOS-CX devices use the Radius: Aruba dictionary and its two role attributes, one of which is Aruba-UBT-Gateway-CPPM-Role. ArubaOS-Switch devices use the Radius: Hewlett-Packard Enterprise dictionary and its two role attributes, one of which is HPE-CPPM-Role. The Aruba-UBT-Gateway-CPPM-Role attribute adds support for a downloadable secondary role that can be used with Per User Tunneled Node (PUTN). When this attribute is added to the enforcement profile, Policy Manager can send the controller role for the ArubaOS switch.
|
You can use only one of the Advanced mode dictionaries in a given profile; the two dictionaries cannot be combined. |
To configure the Advanced mode attributes:
1. Navigate to > > > .
2. Select from the drop-down list.
3. Configure the settings on the tab as described in Role Configuration: Standard Mode, but set the role configuration mode to Advanced.
Figure 14 Downloadable Role Enforcement > Profile Tab (Advanced Mode)
4. Next, select the tab. The appropriate RADIUS dictionary for the selected device type is enabled by default.
Figure 15 Configuring HPE-CPPM-Role Attribute
5. In the field, enter the appropriate commands.
a. For the Radius: Hewlett-Packard Enterprise dictionary, select one of its two role attributes, then enter a value in the Value field.
b. For the Radius: Aruba dictionary, select one of its two role attributes (for example, Aruba-UBT-Gateway-CPPM-Role (59)), then enter a value in the Value field.
6. Click .
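In Advanced mode the role reaches the device as a RADIUS Vendor-Specific attribute, and the note above warns that Policy Manager does not enforce the 64-character role-name limit there. The following added example, not ClearPass code, encodes and decodes such an attribute in the standard RFC 2865 Vendor-Specific layout and applies the missing name check before encoding. The vendor type 59 for Aruba-UBT-Gateway-CPPM-Role comes from this page; the Aruba vendor ID 14823 is the IANA enterprise number and is not stated on this page; the character-set restriction on role names is an assumption, so adjust it to what your switch accepts.

```python
"""Encode and decode the Vendor-Specific attribute that carries a downloadable role.

Added example; not ClearPass or ArubaOS code. Layout follows RFC 2865 section 5.26:
  Type(26) | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | value
"""
import struct
from typing import Tuple

RADIUS_VENDOR_SPECIFIC = 26       # RADIUS attribute type for Vendor-Specific
ARUBA_VENDOR_ID = 14823           # IANA enterprise number for Aruba (assumed; not on this page)
ARUBA_UBT_GATEWAY_CPPM_ROLE = 59  # vendor type shown on this page
MAX_ROLE_NAME_LEN = 64            # switch-side limit noted above; not validated in Advanced mode
VSA_VALUE_MAX = 253 - 4 - 2       # 253-byte attribute value minus Vendor-Id and Vendor-Type/Length


def check_role_name(name: str) -> bytes:
    """Apply the check Advanced mode skips: reject names the switch cannot accept.
    The printable-ASCII, no-whitespace rule is an assumption for this example."""
    encoded = name.encode("ascii")  # non-ASCII names raise UnicodeEncodeError
    if not encoded:
        raise ValueError("role name must not be empty")
    if len(encoded) > MAX_ROLE_NAME_LEN:
        raise ValueError(f"role name is {len(encoded)} bytes; switch limit is {MAX_ROLE_NAME_LEN}")
    if any(c <= 0x20 or c == 0x7F for c in encoded):
        raise ValueError("role name contains whitespace or control characters")
    return encoded


def role_name_is_valid(name: str) -> bool:
    """Boolean wrapper around check_role_name for callers that only need a yes/no."""
    try:
        check_role_name(name)
        return True
    except (ValueError, UnicodeEncodeError):
        return False


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one Vendor-Specific attribute. Refuses values that do not fit rather than truncating."""
    if len(value) > VSA_VALUE_MAX:
        raise ValueError(f"VSA value is {len(value)} bytes; one attribute carries at most {VSA_VALUE_MAX}")
    vendor_data = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    header = struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 2 + 4 + len(vendor_data), vendor_id)
    return header + vendor_data


def decode_vsa(blob: bytes) -> Tuple[int, int, bytes]:
    """Parse one Vendor-Specific attribute, checking both length fields against the bytes present."""
    if len(blob) < 8 or blob[0] != RADIUS_VENDOR_SPECIFIC or blob[1] != len(blob):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", blob[2:6])[0]
    vendor_type, vendor_len = blob[6], blob[7]
    if vendor_len != len(blob) - 6:
        raise ValueError("Vendor-Length does not match attribute length")
    return vendor_id, vendor_type, blob[8:]


def role_attribute(role_name: str) -> bytes:
    """Validated role name wrapped in the Aruba-UBT-Gateway-CPPM-Role attribute."""
    return encode_vsa(ARUBA_VENDOR_ID, ARUBA_UBT_GATEWAY_CPPM_ROLE, check_role_name(role_name))


if __name__ == "__main__":
    blob = role_attribute("employee")
    print(blob.hex())                # 1a10 000039e7 3b0a 656d706c6f796565
    print(decode_vsa(blob))          # (14823, 59, b'employee')
    print(role_name_is_valid("x" * 65))  # False: exceeds the 64-character switch limit
```

Two things this makes concrete. First, the 64-character limit is checked before anything is encoded, which is exactly the step Advanced mode leaves to you. Second, one Vendor-Specific attribute carries at most 247 bytes of value, so the Advanced mode option of pasting an entire role configuration as text into one attribute is bounded by the RADIUS attribute size; the encoder raises rather than silently truncating, so an oversized value fails at build time instead of producing a broken role on the device.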
Summary Information
In either Standard or Advanced role configuration mode, the summary tab summarizes the parameters configured on the profile's other two tabs.