Configuring Enforcement Profiles

You can configure Policy Manager enforcement profiles globally, but a profile takes effect only when it is referenced by an enforcement policy that is associated with a service. Policy Manager includes the following enforcement profiles by default.

Table 1: Default Enforcement Profiles

| Enforcement Profile | Type | Description |
|---|---|---|
| [Aerohive - Terminate Session] | RADIUS_CoA | System-defined profile to disconnect a user (Aerohive). |
| [AirGroup Personal Device] | RADIUS | System-defined profile for an AirGroup personal device request. |
| [AirGroup Response] | RADIUS | System-defined profile for any AirGroup request. |
| [AirGroup Shared Device] | RADIUS | System-defined profile for an AirGroup shared device request. |
| [Allow Access Profile] | RADIUS | System-defined profile to allow network access. |
| [AOS-CX - Bounce Switch Port] | RADIUS_CoA | System-defined profile to bounce the switch port on AOS-CX switches. |
| [AOS-CX - Disconnect] | RADIUS_CoA | System-defined profile to disconnect a device on AOS-CX switches. |
| [Allow Application Access Profile] | Application | System-defined profile to allow access to an application. |
| ArubaOS Switching - Bounce Switch Port | RADIUS_CoA | System-defined profile to bounce the switch port on ArubaOS Switching products. |
| ArubaOS Switching - Terminate Session | RADIUS_CoA | System-defined profile to disconnect the user on ArubaOS Switching, HP ProCurve, and HP UWW (Unified Wired-WLAN) products. |
| ArubaOS Wireless - Bounce Switch Port | RADIUS_CoA | System-defined profile to bounce the switch port on ArubaOS Mobility controllers, Multi-Port APs, and Mobility Access Switches. |
| [ArubaOS Wireless - TACACS+ Read-Only Access] | TACACS+ | System-defined profile for TACACS+ read-only access on ArubaOS Mobility controllers, Aruba Instant APs, and Mobility Access Switches. |
| [ArubaOS Wireless - TACACS+ root Access] | TACACS+ | System-defined profile for TACACS+ root access on ArubaOS Mobility controllers, Aruba Instant APs, and Mobility Access Switches. |
| [Aruba Wireless - Terminate Session] | RADIUS_CoA | System-defined profile to disconnect the user on ArubaOS Mobility controllers, Aruba Instant APs, and Mobility Access Switches. |
| [Cisco - Bounce-Host-Port] | RADIUS_CoA | System-defined profile to bounce the host port (Cisco). |
| [Cisco - Disable Host-Port] | RADIUS_CoA | System-defined profile to disable the host port (Cisco). |
| [Cisco - Reauthenticate-Session] | RADIUS_CoA | System-defined profile to re-authenticate a session (Cisco). |
| [Cisco - Terminate-Session] | RADIUS_CoA | System-defined profile to disconnect a user (Cisco). |
| [Deny Access Profile] | RADIUS | System-defined profile to deny network access. |
| [Deny Application Access Profile] | Application | System-defined profile to deny access to an application. |
| [Drop Access Profile] | RADIUS | System-defined profile to drop the request. |
| [H3C - Bounce Switch Port] | RADIUS_CoA | System-defined profile to bounce the switch port on H3C products (including HPE FlexNetwork/Comware). |
| [H3C - Disable Switch Port] | RADIUS_CoA | System-defined profile to disable the switch port on H3C products (including HPE FlexNetwork/Comware). |
| [H3C - Terminate Session] | RADIUS_CoA | System-defined profile to disconnect the user on H3C products (including HPE FlexNetwork/Comware). |
| [Handle AirGroup Time Sharing] | HTTP | System-defined profile to send a time-based sharing policy to the AirGroup notification service. |
| [Juniper Terminate Session] | RADIUS_CoA | System-defined profile to disconnect a user (Juniper). |
| [Motorola - Terminate Session] | RADIUS_CoA | System-defined profile to disconnect a user (Motorola). |
| [Operator Login - Admin Users] | Application | Enforcement profile for Guest admin logins. |
| [Operator Login - Local Users] | Application | Enforcement profile for Guest operator logins. |
| Registered Device MPSK | RADIUS | Enforcement profile for Multiple Pre-Shared Key (MPSK) Device Registration. Returns a device's assigned MPSK that was generated automatically during Device Registration. |
| [Return Device Sponsor Name - RADIUS User-Name] | RADIUS | Returns the [Guest Device Repository]:SponsorName value as the RADIUS:IETF:User-Name value when Policy Manager is configured to use Multiple Pre-Shared Key (MPSK) authentication. |
| [TACACS+ API Admin] | TACACS+ | API admin access for Policy Manager Admin. |
| [TACACS+ Deny Profile] | TACACS+ | System-defined profile to deny network access. |
| [TACACS+ Help Desk] | TACACS+ | Help desk access for Policy Manager Admin. |
| [TACACS+ Network Admin] | TACACS+ | Network admin access for Policy Manager Admin. |
| [TACACS+ Read-only Admin] | TACACS+ | Read-only admin access for Policy Manager Admin. |
| [TACACS+ Receptionist] | TACACS+ | Receptionist access for Policy Manager Admin. |
| [TACACS+ Super Admin] | TACACS+ | Super admin access for Policy Manager Admin. |
| [Trapeze - Terminate Session] | RADIUS_CoA | System-defined profile to disconnect a user (Trapeze). |
| [Update Endpoint Known] | Post-Authentication | System-defined profile to change an endpoint's status to Known. |

The Framed-IPv6-Prefix attribute can now be set or sent from a ClearPass enforcement profile. The Framed-IPv6-Prefix attribute indicates the IPv6 prefix (and corresponding route) configured for a user, and is often used in an ISP environment, where an AAA server enforces a mobile gateway's allocation of IPv6 addresses within a prefix range. The Framed-IPv6-Prefix attribute displays the IPv6/Prefix-Length in readable format and is used in the service rule or enforcement profile.

Adding a New Enforcement Profile

Each enforcement policy contains rules that match conditions (role, posture, and time) to actions (enforcement profiles).

To create an enforcement profile:

1. Navigate to Configuration > Enforcement > Profiles. The Enforcement Profiles page opens:

Figure 1  Enforcement Profiles Page

2. Click the Add link. The Add Enforcement Profile dialog opens.

Figure 2  Add Enforcement Profile Dialog

Select any of the following enforcement profile templates to create a profile based on that template type.

Enforcement Profile Templates

| Template | Description |
|---|---|
| Aruba Downloadable Role Enforcement Profiles | When Policy Manager successfully authenticates a user, the user is assigned a role by Policy Manager. However, if the role is not defined on the Aruba controller or switch, you can use downloadable role enforcement profiles to allow the role attributes to be downloaded automatically. |
| Aruba RADIUS Enforcement Profile | Define an enforcement profile based on Aruba vendor-specific RADIUS attributes. |
| Cisco Downloadable ACL Enforcement Profile | Integrate a Cisco switch with Policy Manager by defining a Cisco Downloadable Access Control List (dACL) profile based on Cisco vendor-specific RADIUS attributes. |
| Cisco Web Authentication Enforcement Profile | Integrate a Cisco switch with Policy Manager by defining a Web authentication enforcement profile based on Cisco vendor-specific RADIUS attributes. |
| Filter ID Based Enforcement Profile | Define an enforcement profile based on RADIUS Internet Engineering Task Force (IETF) attributes. |
| RADIUS Based Enforcement Profile | Define an enforcement profile based on values from any of the following vendor-specific RADIUS attribute types: Radius:Aruba, Radius:IETF, Radius:Cisco, Radius:Hewlett-Packard-Enterprise, Radius:Lucent-Alcatel-Enterprise, Radius:Microsoft, Radius:Avenda. |
| RADIUS Dynamic Authorization Enforcement Profile | RADIUS dynamic authorization enforcement profile configuration pages contain a large variety of templates for different actions that are automatically populated with default RADIUS settings and values appropriate for that template type. Dynamic authorization is the ability to change a session while it is in progress, for example to disconnect it or to update some aspect of its authorization. |
| VLAN Enforcement Profile | Define an enforcement profile that assigns VLAN settings. |
| Agent Enforcement Profile | Agent Enforcement profiles allow Policy Manager to define actions to be executed by OnGuard agents. |
| Agent Script Enforcement Profile | Agent Script Enforcement profiles allow Policy Manager to execute custom scripts on endpoint devices as part of agent enforcement. |
| CLI-Based Enforcement Profile | CLI-Based Enforcement profiles allow Policy Manager to execute CLI commands on endpoint devices as part of agent enforcement. |
| Policy Manager Entity Update Enforcement Profile | Entity Update enforcement profiles can push endpoint information or status updates to devices after they have been authenticated. |
| Generic Application Enforcement Profile | Define an enforcement profile for an application. |
| HTTP Based Enforcement Profile | Define an HTTP-based enforcement profile. |
| SNMP-Based Enforcement Profile | Define SNMP-based enforcement profiles with attributes for a VLAN ID or session timeout period, or to reset the connection. |
| Session Notification Enforcement Profile | Use a Session Notification Enforcement profile to send notification of a change in IP address to any external context server (such as a firewall) by configuring that server as a generic HTTP server and adding the appropriate generic HTTP context server actions. |
| Session Restrictions Enforcement Profile | If the OnGuard Agent is disconnected, Policy Manager uses Keep-Alive messages to issue Disconnect Messages for a Session Restrictions Enforcement Profile used in agent-based enforcement. |
| TACACS+ Based Enforcement Profile | Define TACACS+-based enforcement profiles. |

Modifying an Existing Enforcement Profile

To modify an existing enforcement profile:

1. Navigate to the Configuration > Enforcement > Profiles page.

2. Select a profile name from the profiles list, then click Edit or Delete.

3. Make the necessary changes in the Profile and Attributes dialogs, then click Save.

Deleting an Existing Enforcement Profile

To delete an existing enforcement profile:

1. Navigate to the Configuration > Enforcement > Profiles page.

2. Select the checkbox next to a profile name in the profiles list, then click Delete.

3. Confirm the deletion when prompted.

AOS-CX Management Access via RADIUS

Going forward, Policy Manager includes AOS-CX management access using RADIUS on AOS-CX versions 10.11 and above. User access is granted by the vendor-specific attribute values sent in the Access-Accept from Policy Manager. Vendor-specific attributes are not sent for denied users.

Vendor-specific attributes that must be configured to grant user access include:

Aruba-User-Management-Interfaces - Supported AOS-CX interfaces include SSH, Console, Telnet, and HTTPS-Server.

Aruba-Priv-Admin-User - The privilege level granted to the user.

For additional information on AOS-CX, refer to AOS-CX Overview.
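As an added example (not code from this page or from Aruba/HPE), the following Python builds the two kinds of RADIUS response this page describes and parses them back: a Framed-IPv6-Prefix attribute in the RFC 3162 wire format, and an Access-Accept that carries the Aruba VSAs for AOS-CX management access next to an Access-Reject that carries none. The Vendor-Id 14823 is Aruba's IANA enterprise number; the vendor-type numbers for Aruba-Priv-Admin-User and Aruba-User-Management-Interfaces, the shared secret and the Request Authenticator are placeholders or constructed values, not taken from the page.

```python
import hashlib
import ipaddress
import struct

# IETF attribute types (RFC 2865 / RFC 3162) and Aruba's IANA enterprise number.
FRAMED_IPV6_PREFIX = 97
VENDOR_SPECIFIC = 26
ARUBA_VENDOR_ID = 14823
# The page does not give the vendor-type numbers of the two AOS-CX management VSAs; the two
# values below are placeholders (assumption). Take the real ones from the Aruba RADIUS dictionary.
ARUBA_PRIV_ADMIN_USER = 3           # placeholder vendor-type
ARUBA_USER_MGMT_INTERFACES = 250    # placeholder vendor-type
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3


def encode_framed_ipv6_prefix(cidr: str) -> bytes:
    """RFC 3162 value: Reserved(0) | Prefix-Length | only the significant prefix octets."""
    net = ipaddress.IPv6Network(cidr, strict=True)      # rejects a prefix with host bits set
    nbytes = (net.prefixlen + 7) // 8
    return bytes([0, net.prefixlen]) + net.network_address.packed[:nbytes]


def decode_framed_ipv6_prefix(value: bytes) -> str:
    """Back to the readable IPv6/Prefix-Length form, rejecting malformed values."""
    if len(value) < 2 or len(value) > 18 or value[0] != 0 or value[1] > 128:
        raise ValueError("malformed Framed-IPv6-Prefix")
    prefix = value[2:].ljust(16, b"\x00")
    return str(ipaddress.IPv6Network((prefix, value[1]), strict=True))


def attribute(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) | Length(1, header included) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def aruba_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id(4) | Vendor-Type(1) | Vendor-Length(1) | Value."""
    body = struct.pack("!I", ARUBA_VENDOR_ID) + bytes([vendor_type, len(value) + 2]) + value
    return attribute(VENDOR_SPECIFIC, body)


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Code(1) | Identifier(1) | Length(2) | Response Authenticator(16) | attributes, where
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def management_access_response(granted: bool, ident: int, request_auth: bytes, secret: bytes,
                               priv_level: int, interface: str, ipv6_prefix: str) -> bytes:
    """An Access-Accept carries the VSAs that grant AOS-CX management access (and here also a
    Framed-IPv6-Prefix); a denied user gets a bare Access-Reject with no VSAs at all."""
    if not granted:
        return build_response(ACCESS_REJECT, ident, request_auth, secret, b"")
    attrs = (aruba_vsa(ARUBA_PRIV_ADMIN_USER, str(priv_level).encode())
             + aruba_vsa(ARUBA_USER_MGMT_INTERFACES, interface.encode())
             + attribute(FRAMED_IPV6_PREFIX, encode_framed_ipv6_prefix(ipv6_prefix)))
    return build_response(ACCESS_ACCEPT, ident, request_auth, secret, attrs)


def parse_response(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Verify the Response Authenticator, then walk the attributes with strict length checks.
    Returns {"code": int, "attrs": [(type, vendor_id or None, vendor_type or None, value)]}."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("bad Response Authenticator (wrong shared secret or tampered packet)")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] != len(value) - 4:
                raise ValueError("malformed VSA at offset %d" % pos)
            attrs.append((atype, struct.unpack("!I", value[:4])[0], value[4], value[6:]))
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return {"code": code, "attrs": attrs}


def demo() -> dict:
    """Constructed sample exchange (not a capture): one granted and one denied admin login."""
    secret = b"example-shared-secret"                  # constructed shared secret
    request_auth = bytes(range(16))                    # constructed Request Authenticator
    accept = management_access_response(True, 7, request_auth, secret, 15, "SSH", "2001:db8:abcd::/48")
    reject = management_access_response(False, 8, request_auth, secret, 15, "SSH", "2001:db8:abcd::/48")
    granted, denied = parse_response(accept, request_auth, secret), parse_response(reject, request_auth, secret)
    prefix = next(a[3] for a in granted["attrs"] if a[0] == FRAMED_IPV6_PREFIX)
    return {"accept_code": granted["code"], "reject_code": denied["code"],
            "reject_attr_count": len(denied["attrs"]),
            "vsas": [(a[2], a[3]) for a in granted["attrs"] if a[1] == ARUBA_VENDOR_ID],
            "prefix": decode_framed_ipv6_prefix(prefix)}


if __name__ == "__main__":
    print(demo())
```

The parser refuses a packet whose Response Authenticator does not verify against the shared secret, which is the check a switch relies on before honouring any VSA it receives.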