Aruba Downloadable Role Enforcement Profiles

Policy Manager includes support for centralized policy definition and distribution. When ClearPass Policy Manager successfully authenticates a user, it assigns the user a role. If that role is not defined on the Aruba controller or switch, the role attributes can also be downloaded to the device automatically. The following validations are performed for an Aruba Downloadable User Role (DUR):

Standard Mode elements are validated based on schema contents (syntax validation) prior to saving the DUR.

After a schema update, existing DURs remain unchanged until the admin user edits the DUR profile.

When an admin user edits an existing DUR profile, the syntax/configuration is re-validated, and an alert is shown to the admin to verify the changes.


A DUR is not supported in AOS 10.

Basic Profile Settings

Use the Profiles tab on the Downloadable User Role Enforcement Profile dialog to configure the template, type of the profile, and the device group list, and specify the Role Configuration Mode as either Standard or Advanced.

Standard mode: User-provided options to configure individual components of a role (for example, Policer Profile, Stateless ACL configuration, etc.). The user role is generated based on the components added to the configuration.

Advanced mode: You enter the entire role configuration as text under a single attribute.

Events are logged in the Audit Viewer for create, update, and delete operations in the Captive Portal, Policy, and Class configurations. Events are also logged for generated user roles and import/export operations in enforcement profiles.

To configure the Aruba Downloadable Role Enforcement Profile:

1. Navigate to Configuration > Enforcement > Profiles. The Enforcement Profiles page opens.

2. Click the Add link. The Add Enforcement Profile page opens.

3. From the Template drop-down, select Aruba Downloadable Role Enforcement.

Figure 1  Aruba Downloadable Role Enforcement > Profile Page (Standard Mode)

4. Specify the Aruba Downloadable Role Enforcement > Profile parameters as described in the following table:

Table 1: Aruba Downloadable Role Enforcement > Profile Parameters

Parameter

Action/Description

Template

Select the Aruba Downloadable Role Enforcement template.

Name

Enter the name of the enforcement profile.

Description

Enter a description of the enforcement profile.

Type

This field is automatically populated with: Aruba_DUR.

Action

Click Accept, Reject, or Drop to define the action taken on the request. The default action is Accept.

Device Group List

Select a device group from the drop-down list. The list displays all device groups configured on the Configuration > Network > Device Groups page. After adding one or more device groups, you can select a group and perform one of the following actions:

To delete the selected Device Group List entry, click Remove.

To see the device group parameters, click View Details.

To change the parameters of the selected device group, click Modify.

NOTE: To add a new device group, click the Add New Device Group link and see Adding and Modifying Device Groups.

Role Configuration Mode

Select one of the following modes:

Standard (the default)

Advanced

Product

Specify one of the following products:

ArubaOS-Switch

Mobility Access Switch (MAS)

Mobility Controller

AOS-CX

Role Configuration: Standard Mode

When the Role Configuration Mode setting on the Profile tab is set to Standard (the default), the Role Configuration tab appears. In Standard mode, the Role Configuration tab includes only the options that are appropriate for the selected product.

The fields within the Role Configuration tab vary according to which product you specify.

The following tables describe the Role Configuration parameters for the Aruba Downloadable Role Enforcement Profile for Mobility Access Switch, Mobility Controller, ArubaOS-Switch and AOS-CX:

Table 2: Mobility Access Switch Role Configuration Parameters

Parameter

Action/Description

Captive Portal Profile

Select the captive portal profile from the drop-down list if already configured.

To add a new captive portal profile, click the Add Captive Portal Profile link. For more information, see Captive Portal Profiles.

Policer Profile

This parameter defines a Policer profile to manage the transmission rate of a class of traffic based on user-defined criteria. Select the Policer profile from the drop-down list if already configured. Click Add Policer Profile link to add a new Policer profile. For more information, see Policer Profiles.

QoS Profile

This parameter defines a QoS profile that assigns Traffic-Class/Drop-Precedence, Differentiated Services Code Point (DSCP), and 802.1p values to an interface or Policer profile of a Mobility Access Switch. Select the QoS profile from the drop-down list if already configured. Click the Add QoS Profile link to add a new QoS profile. For more information, see QoS Profiles.

VoIP Profile

This parameter defines a VoIP profile that can be applied to any interface, interface group, or port-channel of a Mobility Access Switch. Select the VoIP profile from the drop-down list if already configured. Click the Add VoIP Profile link to add a new VoIP profile. For more information, see VoIP Profiles.

Reauthentication Interval Time (0-4096)

Enter the number of minutes between reauthentications. The valid range is 0 to 4096 minutes.

VLAN To Be Assigned (1-4094)

Enter a number between 1 and 4094 that identifies the VLAN to be assigned.

NetService Configuration

Select the Manage NetServices link to add, edit, and delete the NetService definitions. For more information, see NetService Profiles.

NetDestination Configuration

Select the Manage NetDestinations link to add, edit, and delete the NetDestination definitions. For more information, see NetDestination Configuration.

Time Range Configuration

Select the Manage Time Ranges link to add, edit, and delete time range definitions. For more information, see Time Range Profiles.

NAT Pool Configuration

Select the Manage NAT Pool link to add, edit, and delete NAT Pool definitions. For more information, see NAT Pools.

ACL Type

Select from the following ACL types:

Ethertype: Ethertype ACLs filter based on the Ethertype field in the frame header.

MAC: MAC ACLs filter traffic on a specific source MAC address or range of MAC addresses.

Session: Session ACLs define traffic and firewall policies.

Stateless: Stateless ACLs define stateless packet filtering and quality of service (QoS). A stateless ACL statically evaluates packet contents.

ACL Name

Click the name of the ACL type.

To move the ACL Name to the ACL field, click Add.

To change the order of names in the ACL list, click Move Up or Move Down.

To delete an ACL from the list, click Remove.

User Role Configuration

Check the Summary tab for the generated role configuration.


Table 3: Mobility Controller Role Configuration Parameters

Parameter

Action/Description

Captive Portal Profile

Select the captive portal profile from the drop-down list if already configured.

Click the Add Captive Portal Profile link to add a new captive portal profile. For more information, see Captive Portal Profiles.

Reauthentication Interval Time (0-4096)

Enter the number of minutes between reauthentications. The valid range is 0 to 4096 minutes.

VLAN

Select either the ID, Name, Parameterized ID, or Parameterized Name radio button to set how the assigned VLAN is provided. Define the VLAN as follows based on the selected option:

If using an ID, the VLAN ID <1-4094> parameter displays by default to set the VLAN ID from 1 to 4094.

If assigning a Name, enter the characters comprising the VLAN Name.

If using a Parameterized ID, select a Parameterized VLAN ID from the drop-down menu.

If using a Parameterized Name, select it from the Parameterized VLAN Name drop-down menu.

NetService Configuration

Select the Manage NetServices link to add, edit, and delete the NetService definitions. For more information, see NetService Profiles.

NetDestination Configuration

Select the Manage NetDestinations link to add, edit, and delete the NetDestination definitions. For more information, see NetDestination Profiles.

Time Range Configuration

Select the Manage Time Ranges link to add, edit, and delete time range definitions. For more information, see Time Range Profiles.

NAT Pool Configuration

Select the Manage NAT Pool link to add, edit, and delete NAT Pool definitions. For more information, see NAT Pools.

ACL Type

Select from the following ACL types:

Ethertype: Ethertype ACLs filter based on the Ethertype field in the frame header.

MAC: MAC ACLs filter traffic on a specific source MAC address or range of MAC addresses.

Session: Session ACLs define traffic and firewall policies.

Stateless: Stateless ACLs define stateless packet filtering and quality of service (QoS). A stateless ACL statically evaluates packet contents.

ACL Name

Click the name of the ACL type.

To move the ACL Name to the ACL field, click Add.

To change the order of the names in the ACL list, click Move Up or Move Down.

To delete an ACL from the list, click Remove.

User Role Configuration

Check the Summary tab for the generated role configuration.


Table 4: ArubaOS-Switch Role Configuration Parameters

Parameter

Action/Description

Captive Portal Profile

Select the captive portal profile from the drop-down list if already configured. Click the Add Captive Portal Profile link to add a new captive portal profile. For more information, see Captive Portal Profiles.

Policy

Select the Enforcement Policy from the drop-down list if already configured. To add a new enforcement policy, click the Add Policy link. For more information, see Policies.

Secondary Role Type

Specify one of the following secondary role types:

None

Static: When selected, the Controller Static Role field appears.

Dynamic: When selected, the Controller Downloadable Role field appears.

VLAN

Specify one of the following VLAN identifiers:

None

ID: When selected, the VLAN ID Tagged <number> field appears. Enter the VLAN ID Tagged number.

Name: When selected, the VLAN Name Tagged field appears. Enter the VLAN tagged name.

VLAN Tagged

Specify one of the following VLAN Tagged identifiers:

None

ID: When selected, the VLAN ID Tagged <number> field appears. Enter the VLAN ID Tagged number.

Name: When selected, the VLAN Name Tagged field appears. Enter the VLAN tagged name.

Re-Authentication Period

Specify the ArubaOS-Switch reauthentication period in seconds.

Logoff Period

Enter the Logoff Period in one of the following formats:

0 (mac-pin): This is the Mac system lock PIN code.

A value in seconds, from 60 to n.

Cached Re-Authentication Period

Enter the Cached Re-Authentication Period in seconds from 60 to n.

Cached reauthentication allows 802.1X, web-based, or MAC reauthentications to succeed when the RADIUS server is unavailable. Users already authenticated retain their currently assigned RADIUS attributes. Uninterrupted service is provided for authenticated users with RADIUS-assigned VLANs if the RADIUS server becomes temporarily unavailable during periodic reauthentications.

Device Configuration

Select the Enable checkbox to enable device configuration. This option allows you to allocate a PoE priority of low, high, or critical for the class, and to enable the Admin Edge Port or Port Mode options. When enabled, the following additional parameters are configurable:

Use the Dot1x Limit <1-32> attribute to set how the 802.1X client limit configured on the port can be overridden.

Use the Mac Auth Limit <1-256> attribute to set how the MAC authentication address limit configured on the port can be overridden.

Class Configuration

Select the Manage Classes link to add, edit, or delete Class definitions.

NetDestination

Select the Manage NetDestinations link to add, edit, and delete the NetDestination definitions. For more information, see NetDestination Profiles.

NetService

Select the Manage NetServices link to add, edit, and delete the NetService definitions. For more information, see NetService Profiles.

User Role Configuration

Select the Summary tab for the generated role configuration.


Table 5: AOS-CX Role Configuration Parameters

Parameter

Action/Description

Role Name

Name assigned to this role.

Captive Portal

Select the captive portal profile from the drop-down list if it is already configured.

To add a new captive portal profile, click the Add Captive Portal Profile link. For more information, see Captive Portal Profiles.

Class Configuration

Select the Manage Classes link to add, edit, or delete class definitions. For more information, see Classes.

Policy

Select the Enforcement Policy from the drop-down list if already configured.

To add a new enforcement policy, click the Add Policy link. For more information, see Policies.

Secondary Role Type

Policy Manager supports setting a controller Downloadable User Role (DUR) as a Secondary Role. Options are none if you do not want a secondary role, static for a static role, or dynamic for a dynamic role.

The secondary role option allows network admins to configure roles that are not allowed on a Layer 3 switch by creating a User Based Tunnel (UBT) to the controller associated with the AOS-CX switch, and allowing the controller to download the secondary role from ClearPass.

If you select the static option, roles and policies must be manually configured on the controller. ClearPass just passes the role name to the AOS-CX switch, which in turn sends it to the controller.

If you select the dynamic option, roles can be configured in Policy Manager, and no additional role configuration is necessary the controller side. Support for dynamic secondary roles in AOS-CX was introduced in Policy Manager 6.10.2 for switches running AOS-CX 10.08 and later releases.

Gateway Zone

If you selected the Static or Dynamic secondary role type, specify the per-role gateway zone needed for user-based tunneling (UBT).

Gateway Static Role

If you selected the Static secondary role type, specify the gateway static role.

Gateway Downloadable Role

If you selected the Dynamic secondary role type, specify the gateway dynamic role.

PoE Priority

Select the priority level: High, Low, or Critical.

Trust Mode

Configures the QoS trust mode for the role:

None: Do not trust any priority fields.

COS: Trust DSCP and preserve the 802.1p priority.

DSCP: Trust 802.1p priority and retain DSCP or IP-ToS.

Session Timeout

Number of seconds the enforcement profile should assign the role before the device session ends.

Authentication Mode

Select an Authentication mode:

Client-mode: Access control on a per-user basis.

Device-mode: Access only on ports where an 802.1X-capable device has entered authorized user credentials.

MTU <68-9198>

Sets the MTU (maximum transmission unit) for an interface. This defines the maximum size of a Layer 2 (Ethernet) frame. Packets larger than the MTU are dropped and cause an ICMP fragmentation-needed message to be sent back to the originator.

Allowed VLANs on Trunk <1-4094>

Assigns a VLAN ID to a trunk interface. This VLAN ID defines which VLAN traffic is allowed across the trunk interface.

Allowed VLAN Names on Trunk (one per line)

Assigns a VLAN to a trunk interface based on the VLAN name.

Native Trunk VLAN <1-4094>

Assigns a native VLAN ID to a trunk interface.

Native Trunk VLAN Name

Assigns a native VLAN to a trunk interface based on the VLAN name.

Access VLAN

Defines an access VLAN with the specified VLAN ID.

Access VLAN Name

Defines an access VLAN with the specified VLAN name.

Cached Re-authentication period <30-4294967295>

Cached reauthentication allows 802.1X, web-based, or MAC reauthentications to succeed when the RADIUS server is unavailable. The supported range for this parameter is 30-4294967295 seconds.

NOTE: This feature is not supported in AOS-CX switches running AOS-CX 10.5 or earlier releases.

Re-authentication Period Setting

Time, in seconds, after which the device is required to reauthenticate. In Policy Manager 6.10.0-6.10.3, this parameter supports a range of 1-4294967295 seconds. Starting with Policy Manager 6.10.4, this parameter supports the following two options:

Manual: If you select this option, use the Re-authentication Period <1-4294967295> setting to define a static re-authentication interval for AOS-CX switches.

Random: If you select this option, use the Minimum re-authentication period field to specify the minimum random re-authentication interval for AOS-CX switches. This can be used to prevent scenarios where a sudden burst of very heavy traffic from other systems might otherwise cause ClearPass to stop working. If the random option is configured, then when a user is authenticated, a random value is generated for the re-authentication period and downloaded to the client. Each time the user re-authenticates, a new random value is generated and downloaded.

Client Inactivity Timeout <300-4294967295> Or None

Configures the time the switch waits for client activity before removing an inactive client from the port. Supported times are 300-4294967295 seconds. Enter the text string none to disable the client activity timeout.

Description

Enter a description of this AOS-CX role.
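The following is an added example, not ClearPass or AOS-CX code, showing two things the table above describes: a pre-save check of Standard-mode role parameters against the numeric ranges the page lists (MTU 68-9198, VLAN IDs 1-4094, cached re-authentication 30-4294967295, client inactivity 300-4294967295 or the string none), and the effect of the Random re-authentication option on a burst of simultaneous logins. The dict layout, the snake_case field names, the uniform random draw, and the 24-hour window expressed as 86400 seconds are assumptions; the page only states the bounds and that a fresh random value is generated per authentication.

```python
"""Constructed validator and timer model for an AOS-CX downloadable user role.

Added example (not ClearPass code). Ranges come from this page's parameter
table; field names, dict layout and the uniform draw are assumptions.
"""
import random
from collections import Counter

SECONDS_PER_DAY = 86_400      # the "plus 24 hours" window stated on the page
U32_MAX = 4_294_967_295       # upper bound of every timer field on the page

# Inclusive ranges copied from the <low-high> hints in the parameter table.
RANGES = {
    "mtu": (68, 9198),
    "allowed_vlans_on_trunk": (1, 4094),          # list of VLAN IDs
    "native_trunk_vlan": (1, 4094),
    "access_vlan": (1, 4094),
    "session_timeout": (1, U32_MAX),
    "cached_reauth_period": (30, U32_MAX),
    "reauth_period": (1, U32_MAX),
    "min_reauth_period": (1, U32_MAX),
    "client_inactivity_timeout": (300, U32_MAX),  # or the string "none"
}
AUTH_MODES = ("client-mode", "device-mode")
REAUTH_SETTINGS = ("manual", "random")


def _check_int(name, value, errors):
    """Append an error unless value is an int inside RANGES[name]."""
    low, high = RANGES[name]
    if isinstance(value, bool) or not isinstance(value, int):
        errors.append(f"{name}: expected an integer, got {value!r}")
    elif not low <= value <= high:
        errors.append(f"{name}: {value} is outside <{low}-{high}>")


def validate_role(role):
    """Return the list of problems found in a role dict; [] means valid."""
    errors = []
    for name, value in role.items():
        if name == "client_inactivity_timeout" and value == "none":
            continue                              # 'none' disables the timeout
        if name == "allowed_vlans_on_trunk":
            for vid in value:
                _check_int(name, vid, errors)
        elif name in RANGES:
            _check_int(name, value, errors)
        elif name == "auth_mode":
            if value not in AUTH_MODES:
                errors.append(f"auth_mode: {value!r} is not one of {AUTH_MODES}")
        elif name == "reauth_period_setting":
            if value not in REAUTH_SETTINGS:
                errors.append(f"reauth_period_setting: {value!r} is not one of {REAUTH_SETTINGS}")
        else:
            errors.append(f"{name}: unknown parameter")
    # Cross-field rules from the page: Manual uses the Re-authentication Period
    # field, Random uses the Minimum re-authentication period field.
    setting = role.get("reauth_period_setting")
    if setting == "manual" and "reauth_period" not in role:
        errors.append("reauth_period_setting=manual requires reauth_period")
    if setting == "random" and "min_reauth_period" not in role:
        errors.append("reauth_period_setting=random requires min_reauth_period")
    return errors


def random_reauth_period(min_period, rng=random):
    """Per-authentication timer in [min_period, min_period + 24 h], capped at
    the field maximum. A uniform draw is an assumption; the page states only
    the bounds and that each authentication gets a new value."""
    if not RANGES["min_reauth_period"][0] <= min_period <= U32_MAX:
        raise ValueError("min_reauth_period out of range")
    return rng.randint(min_period, min(min_period + SECONDS_PER_DAY, U32_MAX))


def peak_reauths_per_second(timers):
    """Largest number of clients falling due in the same second, assuming
    all of them authenticated at the same instant (the burst scenario)."""
    return max(Counter(timers).values()) if timers else 0


def compare_burst(clients, fixed_period, min_period, seed=0):
    """Constructed scenario: `clients` devices log in at once. Returns the
    (peak with one fixed timer, peak with per-client random timers)."""
    rng = random.Random(seed)
    fixed = [fixed_period] * clients
    randomized = [random_reauth_period(min_period, rng) for _ in range(clients)]
    return peak_reauths_per_second(fixed), peak_reauths_per_second(randomized)


if __name__ == "__main__":
    demo = {"mtu": 1500, "access_vlan": 20, "auth_mode": "client-mode",
            "cached_reauth_period": 60, "client_inactivity_timeout": "none",
            "reauth_period_setting": "random", "min_reauth_period": 3600}
    print("errors:", validate_role(demo))
    print("peak reauths/second, fixed vs random:", compare_burst(500, 3600, 3600))
```

Running the block shows the constructed role validating cleanly and, for 500 clients that logged in together, a fixed timer bringing all 500 back in the same second while randomized timers spread them across the 24-hour window.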

User Role Configuration

Select the Summary tab to view the generated user role configuration.

Parameter

Action/Description

Role Name

Enter a name for this AOS-CX role.

Description

Enter a description of this AOS-CX role.

Captive Portal

Select the Captive Portal profile from the drop-down list if it is already configured.

To add a new Captive Portal profile, click the Add Captive Portal Profile link. For more information, see Captive Portal Profiles.

Authentication Mode

Select an authentication mode:

client-mode: Supports access control on a per-user basis.

device-mode: Supports access only on ports where an 802.1X-capable device has entered authorized user credentials.

multi-domain-mode: In this mode, only one voice device is allowed to be authenticated in addition to any data devices authenticated on a port. By default, only one voice device and one data device can be authenticated in multi-domain mode.

Device Traffic Class

Specify the traffic class for the device:

None: No traffic class is configured for the device.

Voice: Specifies that the client associated with the role is a voice device. This attribute is applicable only to the critical-voice-role role in AOS-CX. It is not applicable to other special AOS-CX roles such as preauth-role, reject-role, and fallback-role. In multi-domain mode, a client with a role that does not have the device-traffic-class set to voice is considered a data device.

Session Timeout Type

The session timeout type can be either of the following:

Static: Timeout value is a static number of seconds defined in the Session Timeout field.

Parameterized: Policy Manager passes a configuration variable as a timeout value.

Parameterized Session Timeout

Select a parameter from the list, and the value of the parameter will be passed as the session-timeout value. This field is only available when the Session Timeout Type field is set to Parameterized.

Session Timeout <1-4294967295>

Number of seconds the enforcement profile should assign the role before the device session ends. This field is only available when the Session Timeout Type field is set to Static.

Parameterized Session Timeout

Click the drop-down menu and select a configuration variable to be used as a session timeout value. This field is only available when the Session Timeout Type field is set to Parameterized.

Cached Re-Authentication period <30-4294967295>

Cached reauthentication allows 802.1X, web-based, or MAC reauthentication to succeed when the RADIUS server is unavailable. The supported range for this parameter is 30-4294967295 seconds.

NOTE: This feature is not supported in AOS-CX switches running AOS-CX 10.5 or earlier releases.

Re-Authentication Period Type

Select one of the following options:

Manual: All devices using this enforcement profile will use the reauthentication period specified in the Re-authentication period <1-4294967295> field.

Random: Allow ClearPass to create a downloadable role with a randomized reauthentication timer. When enabled, Policy Manager sends a Radius:IETF session-timeout message with the value of %{Authorization:[Time Source]:Random Time}. This feature prevents Policy Manager from becoming overloaded by a very large number of clients using the same 802.1X reauthentication timer. Use the Minimum Re-Authentication Period <1-4294967295> field to define the shortest allowed random reauthentication period.

Parameterized: Policy Manager passes a selected configuration variable as a reauthentication period value.

Re-Authentication Period <1-4294967295>

Number of seconds after which the device is required to reauthenticate. This parameter supports a range of 1-4294967295 seconds. This field is only available if the Re-Authentication Period Type option is set to Manual.

Minimum Re-Authentication period <1-4294967295>

Minimum amount of time before a device using a random reauthentication period is required to reauthenticate. The maximum random reauthentication period is the <Minimum Re-Authentication Period> time plus 24 hours. This field is only available if the Re-Authentication Period Type option is set to Random.

Parameterized Re-Authentication

Click the drop-down menu and select a variable to be used as a reauthentication period value.

This field is only available if the Re-Authentication Period Type option is set to Parameterized.

Client Inactivity Timeout Type

Select one of the following options:

Value: Enable a client inactivity timeout period with the value defined in the Client Inactivity Timeout <300-4294967295> field.

None: Disable the client inactivity timeout.

Parameterized: Policy Manager passes a selected configuration variable as a client inactivity timeout value.

Client Inactivity Timeout <300-4294967295>

Configures the time the switch waits for client activity before removing an inactive client from the port. Supported times are 300-4294967295 seconds. This field is only available if you select the Value option in the Client Inactivity Timeout Type field.

Parameterized Client Inactivity Timeout

Click the drop-down menu and select a variable to be used as a client inactivity timeout value. This field is only available if the Client Inactivity Timeout Type option is set to Parameterized.

Allowed VLANs on Trunk <1-4094>

Specify a VLAN ID to indicate which VLAN traffic is allowed across the trunk interface.

Allowed VLAN Names on Trunk (one per line)

Assigns a VLAN to a trunk interface based on the VLAN name. This field supports multiple VLAN names.

Parameterized Allowed VLAN Type

To define an allowed VLAN type through a configuration variable, select one of the following options:

ID: The variable parameter is passed as a VLAN ID.

Name: The variable parameter is passed as a VLAN name.

Parameterized Allowed VLAN

Click the drop-down menu and select a variable to be used as an allowed VLAN. This value can be passed as either a VLAN ID or VLAN name, depending upon the selection option in the Parameterized Allowed VLAN Type field.

Native Trunk VLAN Type

Assigns a native VLAN to a trunk interface based on a VLAN ID, a VLAN name, or the value of a configuration variable.

Select one of the following options:

ID: Assigns a native VLAN to a trunk interface based on a VLAN ID.

Name: Assigns a native VLAN to a trunk interface based on a VLAN name.

Parameterized: Policy Manager passes a selected configuration variable as a native trunk VLAN.

Native Trunk VLAN ID <1-4094>

Enter a VLAN ID to assign a native VLAN to a trunk interface with the specified VLAN ID.

Native Trunk VLAN Name

Enter a VLAN name to assign a native VLAN to a trunk interface with the specified VLAN name.

Parameterized Native Trunk VLAN

Click the drop-down menu to assign a native VLAN to a trunk interface based on the value of the selected configuration variable.

Access VLAN Type

Select one of the following options:

ID: Defines an access VLAN based on a VLAN ID.

Name: Defines an access VLAN based on a VLAN name.

Parameterized: Policy Manager passes a selected configuration variable as an access VLAN.

Access VLAN ID <1-4094>

Defines an access VLAN with the specified VLAN ID.

Access VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. Name

Defines an access VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. with the specified VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. name.

Parameterized Native Trunk VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN.

Click the drop-down menu to define an access VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. based on the value of the selected configuration variable.

Gateway Zone

If you selected the Static or Dynamic secondary role type, specify the per-role gateway zone needed for user-based tunneling (UBT).

Secondary Role Type

Policy Manager supports setting a controller Downloadable User Role (DUR) as a Secondary Role. The options are none if you do not want a secondary role, static for a static role, or dynamic for a dynamic role.

The secondary role option allows network admins to apply roles that are not allowed on a Layer 3 switch: the AOS-CX switch creates a User Based Tunnel (UBT) to its associated controller, and the controller downloads the secondary role from ClearPass.

If you select the static option, roles and policies must be manually configured on the controller. ClearPass only passes the role name to the AOS-CX switch, which in turn sends it to the controller.

If you select the dynamic option, roles can be configured in Policy Manager, and no additional role configuration is necessary on the controller side. Support for dynamic secondary roles in AOS-CX was introduced in AOS-CX 10.08.

Gateway Static Role

If you selected the Static secondary role type, specify the gateway static role.

Gateway Downloadable Role

If you selected the Dynamic secondary role type, specify the gateway dynamic role.

NOTE: Support for dynamic secondary roles in AOS-CX was introduced in Policy Manager 6.10.2 for switches running AOS-CX 10.08 and later releases.

MTU <68-9198>

Sets the MTU (Maximum Transmission Unit) for an interface. This defines the maximum size of a Layer 2 (Ethernet) frame. Packets larger than the MTU are dropped and cause an ICMP fragmentation-needed message to be sent back to the originator.

Trust Mode

Configures the QoS trust mode for the role:

None: Do not trust any priority fields.

COS: Trust DSCP and preserve the 802.1p priority.

DSCP: Trust 802.1p priority and retain DSCP or IP-ToS.

PoE Priority

Select the priority level for PoE: High, Low, or Critical.

Private VLAN Port Type

Private VLANs partition an existing VLAN into multiple sets of ports for traffic isolation. The partitioned VLAN is referred to as the Primary VLAN. To define a VLAN port type for the role, select one of the following port types:

Promiscuous: A promiscuous port is a switch port that is connected to an uplink router, firewall, or other common gateway device, and can communicate with all ports within a private VLAN, including the ports in the isolated and community VLANs. By default, every primary VLAN port acts as a promiscuous port. If the specified VLAN is a primary VLAN that has been associated with secondary VLANs, the command also assigns the port to the associated secondary VLANs.

Secondary: Secondary VLAN trunk ports carry secondary VLAN traffic. A secondary VLAN trunk port can carry traffic for multiple secondary VLANs only if each secondary VLAN is a member of a different primary VLAN.

Class Configuration

Select the Manage Classes link to add, edit, or delete class definitions. For more information, see Classes.

Policy

Select the Enforcement Policy from the drop-down list if already configured.

To add a new Enforcement Policy, click the Add Policy link. For more information, see Policies.

User Role Configuration

Select the Summary tab to view the generated user role configuration.

The Role Configuration tab also allows you to associate other profile types with your selected user role, or to create these profiles if they are not yet defined. Refer to the following sections for information on creating those profiles.

Role Configuration: Advanced Mode

When you set Role Configuration Mode to Advanced, the Enforcement Profile page displays the Attributes tab (see Figure 14 below).


In Advanced mode, Policy Manager does not validate downloadable role names longer than 64 characters, because the length limit is enforced by the switch, not by the server. If a downloadable role name configured on the Policy Manager server exceeds 64 characters, the enforcement profile may therefore be accepted by Policy Manager but fail on the switch.

In Advanced mode, the Aruba Downloadable Role Enforcement profile provides two dictionaries and two attributes.

Mobility Controllers, Mobility Access Switches, and AOS-CX devices use the Aruba dictionary and the Aruba-CPPM-Role and Aruba-UBT-Gateway-CPPM-Role attributes.

ArubaOS-Switch devices use the Hewlett-Packard-Enterprise dictionary and the HPE-CPPM-Role and HPE-CPPM-Secondary-Role attributes. The HPE-CPPM-Secondary-Role attribute adds support for a downloadable secondary role that can be used with Per User Tunneled Node (PUTN). When the attribute is added to the enforcement profile, Policy Manager can send the controller role for the ArubaOS switch.


You can use only one of the Advanced mode dictionaries in a given profile; the Aruba and Hewlett-Packard-Enterprise attributes cannot be combined.
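The constraints above are easy to get wrong before the profile ever reaches a switch: the VLAN ID and MTU ranges from Standard mode, the gateway fields that a static or dynamic secondary role requires, the 64-character role-name limit that Policy Manager does not check in Advanced mode, and the rule that Advanced attributes must all come from one dictionary. The following pre-flight validator is an added example written for this page, not ClearPass code; the profile dictionary layout (keys such as `role_name`, `mode`, `access_vlan_id`, `attributes`) is an assumed representation of the form fields, and the sample profiles are constructed.

```python
"""Pre-flight checks for an Aruba Downloadable User Role before it is saved.

Added example, not part of ClearPass Policy Manager. The dictionary layout
below is an assumed representation of the enforcement profile form.
"""

ROLE_NAME_MAX = 64             # switch limit; not validated by Policy Manager in Advanced mode
VLAN_ID_RANGE = (1, 4094)      # Access VLAN ID <1-4094>
MTU_RANGE = (68, 9198)         # MTU <68-9198>
SECONDARY_ROLE_TYPES = {"none", "static", "dynamic"}
ARUBA_DICT_ATTRS = {"Aruba-CPPM-Role", "Aruba-UBT-Gateway-CPPM-Role"}
HPE_DICT_ATTRS = {"HPE-CPPM-Role", "HPE-CPPM-Secondary-Role"}


def _check_range(errors, profile, key, lo, hi):
    """Append an error if an optional integer field is present but out of range."""
    value = profile.get(key)
    if value is None:
        return
    if not isinstance(value, int) or not lo <= value <= hi:
        errors.append(f"{key} must be an integer in <{lo}-{hi}>, got {value!r}")


def _validate_standard(profile):
    """Standard mode: per-field ranges plus secondary-role dependencies."""
    errors = []
    _check_range(errors, profile, "native_trunk_vlan_id", *VLAN_ID_RANGE)
    _check_range(errors, profile, "access_vlan_id", *VLAN_ID_RANGE)
    _check_range(errors, profile, "mtu", *MTU_RANGE)
    sec = profile.get("secondary_role_type", "none")
    if sec not in SECONDARY_ROLE_TYPES:
        errors.append(f"secondary_role_type must be one of {sorted(SECONDARY_ROLE_TYPES)}")
    elif sec == "static":
        for key in ("gateway_zone", "gateway_static_role"):
            if not profile.get(key):
                errors.append(f"{key} is required when secondary_role_type is 'static'")
    elif sec == "dynamic":
        for key in ("gateway_zone", "gateway_downloadable_role"):
            if not profile.get(key):
                errors.append(f"{key} is required when secondary_role_type is 'dynamic'")
    return errors


def _validate_advanced(profile):
    """Advanced mode: attributes must come from exactly one RADIUS dictionary."""
    errors = []
    attrs = profile.get("attributes") or {}
    names = set(attrs)
    if not names:
        return ["advanced mode requires at least one role attribute"]
    unknown = names - ARUBA_DICT_ATTRS - HPE_DICT_ATTRS
    if unknown:
        errors.append(f"unknown attributes: {sorted(unknown)}")
    if names & ARUBA_DICT_ATTRS and names & HPE_DICT_ATTRS:
        errors.append("attributes mix the Aruba and Hewlett-Packard-Enterprise dictionaries")
    for name, value in attrs.items():
        if not str(value or "").strip():
            errors.append(f"{name} has an empty value")
    return errors


def validate_dur(profile):
    """Return a list of validation errors (empty list means the profile is clean)."""
    errors = []
    name = profile.get("role_name", "")
    if not name:
        errors.append("role_name is required")
    elif len(name) > ROLE_NAME_MAX:
        errors.append(f"role_name exceeds {ROLE_NAME_MAX} characters (has {len(name)})")
    mode = profile.get("mode")
    if mode == "standard":
        errors += _validate_standard(profile)
    elif mode == "advanced":
        errors += _validate_advanced(profile)
    else:
        errors.append("mode must be 'standard' or 'advanced'")
    return errors


# Constructed sample profiles (assumed layout, not exported from ClearPass).
GOOD_STANDARD = {"role_name": "corp-printer", "mode": "standard",
                 "access_vlan_id": 120, "mtu": 1500, "secondary_role_type": "none"}
GOOD_ADVANCED = {"role_name": "guest-ubt", "mode": "advanced",
                 "attributes": {"Aruba-CPPM-Role": "role name guest\n  vlan access 200"}}
LONG_NAME = {**GOOD_ADVANCED, "role_name": "r" * 65}
MIXED_DICTS = {**GOOD_ADVANCED, "attributes": {"Aruba-CPPM-Role": "x", "HPE-CPPM-Role": "y"}}

if __name__ == "__main__":
    for label, p in [("good standard", GOOD_STANDARD), ("good advanced", GOOD_ADVANCED),
                     ("long name", LONG_NAME), ("mixed dictionaries", MIXED_DICTS)]:
        print(label, "->", validate_dur(p) or "OK")
```

Run this against the profile values before you click Save; a non-empty list points at the field that would be rejected by the switch (or silently mis-applied) rather than by Policy Manager.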

To configure the Aruba Downloadable Role Enforcement > Advanced attributes:

1. Navigate to Configuration > Enforcement > Profiles > Add.

2. Select Aruba Downloadable Role Enforcement from the Template drop-down list.

3. Configure the settings on the Profile tab as described in Role Configuration: Standard Mode, but select the Advanced option for the Role Configuration Mode setting.

Figure 14  Downloadable Role Enforcement > Profile Tab (Advanced Mode)

4. Next, select the Attributes tab. The appropriate RADIUS dictionary for the selected device type is enabled by default.

Figure 15  Configuring HPE-CPPM-Role Attribute

5. In the Value field, enter the appropriate commands.

a. For the RADIUS dictionary type Radius: Hewlett-Packard Enterprise, select HPE-CPPM-Role (27) or HPE-CPPM-Secondary-Role (28), then enter a value in the Value field.

b. For the RADIUS dictionary type Radius: Aruba, select Aruba-CPPM-Role (23) or Aruba-UBT-Gateway-CPPM-Role (59), then enter a value in the Value field.

6. Click Save.

Summary Information

For a profile in Standard Role configuration mode, the Summary tab summarizes the parameters configured in the Profile and Role Configuration tabs. For a profile in Advanced role configuration mode, the Summary tab summarizes the parameters configured in the Profile and Attribute tabs.