Configuring Enforcement Profiles
You can configure Policy Manager enforcement profiles globally, but they must be referenced by an enforcement policy that is associated with a service. Policy Manager includes the following enforcement profiles by default.
The Framed-IPv6-Prefix attribute can now be set or sent from a ClearPass Enforcement-Profile. The Framed-IPv6-Prefix attribute indicates the IPv6 prefix (and corresponding route) configured for a user, and is often used in an Internet Service Provider (ISP) environment, where an Authentication, Authorization, and Accounting (AAA) server enforces a mobile gateway's allocation of IPv6 addresses within a prefix range. The Framed-IPv6-Prefix attribute displays the IPv6/Prefix-Length in readable format and is used in the Service Rule/Enforcement profile.
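The readable IPv6/Prefix-Length form described above corresponds to a fixed wire layout in RADIUS. The following added example (not part of the ClearPass documentation or product code) converts between the two using the RFC 3162 layout for attribute type 97 and rejects malformed values; the function names are illustrative assumptions.

```python
import ipaddress
import struct

FRAMED_IPV6_PREFIX = 97  # RADIUS attribute type defined in RFC 3162


def encode_framed_ipv6_prefix(text: str) -> bytes:
    """Readable 'prefix/length' -> RADIUS attribute bytes (type, length, value)."""
    # strict=True rejects values with host bits set, e.g. 2001:db8::1/64
    net = ipaddress.IPv6Network(text, strict=True)
    nbytes = (net.prefixlen + 7) // 8  # send only the significant octets
    prefix = net.network_address.packed[:nbytes]
    value = struct.pack("!BB", 0, net.prefixlen) + prefix  # reserved, prefix-length
    return struct.pack("!BB", FRAMED_IPV6_PREFIX, 2 + len(value)) + value


def decode_framed_ipv6_prefix(attr: bytes) -> str:
    """RADIUS attribute bytes -> readable 'prefix/length', with validation."""
    if len(attr) < 4:
        raise ValueError("attribute shorter than 4 octets")
    atype, alen, reserved, plen = struct.unpack("!BBBB", attr[:4])
    if atype != FRAMED_IPV6_PREFIX:
        raise ValueError(f"not Framed-IPv6-Prefix (type {atype})")
    if alen != len(attr) or not 4 <= alen <= 20:
        raise ValueError(f"bad attribute length {alen}")
    if reserved != 0:
        raise ValueError("reserved octet must be zero")
    if plen > 128:
        raise ValueError(f"prefix length {plen} exceeds 128")
    prefix = attr[4:]
    if len(prefix) * 8 < plen:
        raise ValueError("prefix field too short for the stated prefix length")
    # Pad to 16 octets; any bit set beyond the prefix length is malformed.
    addr = int.from_bytes(prefix.ljust(16, b"\x00"), "big")
    if addr & ((1 << (128 - plen)) - 1):
        raise ValueError("bits beyond the prefix length are not zero")
    return f"{ipaddress.IPv6Address(addr)}/{plen}"
```

The decoder accepts both the shortest encoding and the zero-padded 16-octet form, since RFC 3162 allows a Prefix field of up to 16 octets.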
Adding a New Enforcement Profile
Each enforcement policy contains enforcement profiles that match conditions (role, posture, and time) to actions (enforcement profiles).
To create an enforcement profile:
1. Navigate to Configuration > Enforcement > Profiles. The page opens:
Figure 1 Enforcement Profiles Page
2. Click the link. The dialog opens.
Figure 2 Add Enforcement Profile Dialog
Select any of the following enforcement profile templates to create a profile based on that template type.
Modifying an Existing Enforcement Profile
To modify an existing enforcement profile:
1. Navigate to the Configuration > Enforcement > Profiles page.
2. Select a profile name from the profiles list, then click or
3. Make the necessary changes in the and dialogs, then click .
Deleting an Existing Enforcement Profile
To delete an existing enforcement profile:
1. Navigate to the Configuration > Enforcement > Profiles page.
2. Click the checkbox by a profile name from the profiles list, then click or
3. Make the necessary changes in the and dialogs, then click .
AOS-CX Management Access via RADIUS
Going forward, Policy Manager includes AOS-CX management access using RADIUS (Remote Authentication Dial-In User Service) on AOS-CX versions 10.11 and above. User access is granted by the vendor-specific attribute values sent in the Access-Accept from Policy Manager. Vendor-specific attributes are not sent for denied users.
Vendor-specific attributes that must be configured to grant user access include:
Aruba-User-Management-Interfaces - Supported AOS-CX interfaces include SSH, Console, Telnet, and HTTPS-Server
Aruba-Priv-Admin-User - The privilege level granted to the user
For additional information on AOS-CX, refer to AOS-CX Overview.