Link Search Menu Expand Document
calendar_month 07-Mar-24

Policy Definition

Definition of policy involves business-oriented discussion more than a technical one. It requires categorizing users and devices based on their connectivity needs and specifying the access permissions for each group. This is accomplished by defining Aruba Roles and then associating those roles to a policy in Global Policy Manager.

Table of contents


An Aruba role is simply a way to represent a grouping of users or devices, which is assigned when connecting to the network. Aruba ESP provides the ability to assign a role to any connected client in the network and enforce the policy based on the role.

IT administrators define a role for every type of user or device attempting to gain access. All traffic for an assigned role is subject to its associated policy throughout network.

During the authentication and authorization process, organizations can apply a long list of built-in and customizable attributes that Aruba devices support based on the role assigned. These attributes provide administrators with additional classifications to allow or deny network access.

Available attributes include:

  • Hostname
  • IP address
  • Location of a gateway
  • MDM membership status
  • Firewall traffic classification
  • Client OS version
  • Time of day
  • Profiled device type.

Precise assignment of a role is an important foundation for enforcing Zero Trust policy in an organization.

Roles defined for users and devices should be grouped with a common set of security requirements. Keep the number of roles as small as possible, while still obtaining the desired security policy. The fewer roles in use, the easier it is to understand and maintain policy.


A policy and its assigned roles must be defined carefully to serve as a comprehensive solution that provides appropriate, uninterrupted access to all trusted network devices, while securing the network from threats.

A policy is a set of rules governing client behavior on the network. A policy rule defines the traffic permitted or denied traffic between roles. Roles are often dynamically assigned during authentication, and all traffic from the associated user or device is marked with a role ID for that access instance.

After traffic is marked with a unique role ID, the policy can be enforced on any Aruba device, which ensures a consistent security posture across all areas of the network.

Global Policy Manager

The Aruba Central cloud platform hosts applications to manage policy across the ESP architecture. Central provides an interface identified as Global Policy Manager (GPM). Within GPM, an operator defines the roles and role-to-role policies. These elements are then pushed to relevant networking infrastructure for enforcement.

An example of GPM in use today is a NetConductor fabric. The switches and gateways in a NetConductor fabric use a policy ID (Aruba Role) marked in the VXLAN header of every packet in the overlay to enable policy enforcement anywhere in the network. Policies are configured through the Client Roles interface in the gateway Security configuration section on Central.


Additional Policy Managers

Global Policy Manager is the future for unified policy definition at Aruba. Policy definition within GPM will continue to be enhanced and support more Aruba products in the future. Today, policy also is managed in the following additional products:

Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.