Aruba ESP Policy Architecture
The Aruba Edge Services Platform (ESP) architecture provides flexible and highly reliable designs that ensure efficient access to applications and data for all authorized users while simplifying operations and accelerating service delivery. Innovations in high availability combined with enhanced simplicity and programmability provide a best-in-class industry network solution for modern organizations.
Aruba ESP is an evolution of Aruba’s end-to-end architecture, providing a Unified Infrastructure with centralized management that leverages Artificial Intelligence Operations (AIOps) for an improved operational experience with a Zero Trust Security policy. Aruba ESP is the industry’s first platform that is built specifically for the new requirements of the Intelligent Edge.
Aruba ESP offers a breadth of services, including onboarding, provisioning, orchestration, security, analytics, location tracking, and management. AI Insights reveal issues before they impact users. Intuitive workflow-centric navigation enables the organization to accomplish tasks quickly and easily using views that present multiple dimensions of correlated data. Policies are created centrally, and features such as Dynamic Segmentation enable the network administrator to implement them over an existing infrastructure. The Aruba ESP architecture is built in distinct layers, as shown in the figure below.
Aruba ESP Campus Policy Layer
The policy layer for the Aruba ESP campus is implemented using overlay technologies and traffic filtering mechanisms to isolate user and application traffic. Data traffic can be tunneled back to a gateway cluster for centralized enforcement or handled within a switch fabric that provides policy enforcement at every node in the network.
ClearPass Policy Manager is typically used to provide the network authentication interface (RADIUS) to a user database (such as LDAP or Active Directory) and to define user roles with associated policies that are enforced within the network. Device Insights determines the endpoint's security posture from information gathered from the network.
Aruba ESP's policy management derives its flexibility from separating policy from the network's IP design. Traffic tunneled to a gateway cluster is tagged at ingress with a user role that determines how the gateway treats the traffic during forwarding. Traffic in a distributed fabric is tagged using the VXLAN Group-Based Policy (GBP) feature, which assigns a role ID to every frame in the fabric, so that policy is enforced consistently across LAN, WLAN, and WAN regardless of the VLAN or subnet a client is placed in.
Overlay Network
Aruba ESP centralized overlays are implemented using the Generic Routing Encapsulation (GRE) protocol. This enables an access layer switch to tunnel client traffic back to a gateway cluster for policy enforcement.
Aruba ESP distributed overlays are implemented using VXLAN tunnels that provide both layer 2 and layer 3 virtualized network services to endpoints attached to edge switches. A VXLAN Network Identifier (VNI) is used to identify layer 2 and layer 3 segments in a VXLAN overlay topology. Symmetric Integrated Routing and Bridging (IRB) supports ubiquitous layer 2 forwarding and layer 3 routing throughout the overlay.
A VXLAN Tunnel End Point (VTEP) is the function within edge and border switches that handles the origination and termination of point-to-point tunnels forming an overlay network. A single logical VTEP is implemented when redundant switches are deployed in a rack. Aggregation and core switches provide IP transport for the overlay tunnels but do not participate in the encapsulation/decapsulation of VXLAN traffic.
Attached hosts are learned at the edge switch using Ethernet link layer protocols. Remote learning across the VXLAN fabric is accomplished using Multiprotocol Border Gateway Protocol (MP-BGP) as the control plane protocol and the Ethernet virtual private network (EVPN) address family for advertising host IP and MAC prefixes. This approach minimizes flooding while enabling efficient, dynamic discovery of remote hosts within the fabric.
ClearPass
ClearPass Policy Manager is a full-featured RADIUS, TACACS+, guest lifecycle management, and captive portal platform.
ClearPass can access user and device authentication information stored within a local database, a user database (such as Active Directory or LDAP) connected to the local network, or a cloud-hosted user database. ClearPass can query most sources for user information using a variety of authentication methods.
ClearPass Policy Manager provides secure role- and device-based network access control for Internet of Things (IoT), bring your own device (BYOD), and corporate devices as well as for employees, contractors, and visitors across wired, wireless, and VPN infrastructure. With a built-in context-based policy engine, RADIUS, TACACS+, non-RADIUS enforcement using OnConnect, device profiling, posture assessment, onboarding, and visitor access options, ClearPass is unrivaled as a foundation for network security for organizations of any size.
ClearPass also supports secure self-service capabilities, making it easier to access the network. Users can securely configure their own devices for enterprise use or Internet access based on administrative policy controls. Aruba wireless customers get unique integration capabilities, such as AirGroup, as well as ClearPass Auto Sign-On (ASO). ASO passes users’ network authentication automatically to their enterprise mobile apps, so they can get right to work.
ClearPass Policy Manager Key Features
- Role-based, unified network access enforcement across multi-vendor networks
- Intuitive policy configuration templates and visibility troubleshooting tools
- Support for multiple authentication/authorization sources (AD, LDAP, SQL)
- Self-service device onboarding with built-in certificate authority (CA) for BYOD
- Visitor access with extensive customization, branding, and sponsor-based approvals
- Integration with key UEM solutions for in-depth device assessments
- Comprehensive integration with the Aruba 360 Security Exchange Program
ClearPass is the only policy platform that centrally enforces all aspects of enterprise-grade access security for any industry. Granular policy enforcement is based on a user’s role, device type and role, authentication method, UEM attributes, device health, traffic patterns, location, and time of day. The scalable deployment supports tens of thousands of devices and authentications, surpassing the capabilities of legacy AAA solutions. Options are available for small, medium, or large organizations, and for centralized or distributed environments.
Central NetConductor
Central NetConductor gives network and security teams a shared toolbox to ensure optimal connectivity and the appropriate level of protection. It extends the capabilities of Aruba’s market-leading Dynamic Segmentation across multiple network overlays, making it easier to adopt comprehensive Zero Trust and SASE security.
Aruba Central NetConductor components include the following:
Policy Manager
Policy Manager defines user and device groups as well as the associated access enforcement rules for the physical network. Policy is a set of rules that define the access permitted or denied for role-associated traffic flow within the ESP network.
Group Policy Identifier (GPID)
GPID carries client policy information in traffic for inline policy enforcement, which reduces configuration and security overhead and increases mobility and scalability.
Fabric Wizard
Fabric Wizard simplifies the creation of overlays using an intuitive graphical user interface, greatly simplifying how virtual components are defined and how configuration instructions are generated and pushed to switches and gateways.
Network Insights
Network Insights combines network expertise, artificial intelligence, and machine learning to detect, triage, root cause, and resolve Wi-Fi, wired, and WAN issues. The tool uses class-based site comparisons and best practices to identify opportunities for user experience optimization.
Client Insights
Client Insights uses network and client telemetry with machine learning to accurately fingerprint and classify all wired and Wi-Fi connected user and IoT endpoints for policy assignment and enforcement. It also monitors the behavior of traffic flows for added security.
Flexible Network Access Control
Flexible network access control ensures that entities are correctly identified and assigned a role that defines their access privileges using Cloud Auth cloud-native NAC, ClearPass, or third-party solutions.
Fabric-Capable Aruba Switches and Gateways
Aruba switches and gateways support configuration and enforcement based on the routing instructions and access privileges defined in relation to the GPID.
Cloud Auth
Cloud Auth on Aruba Central provides a seamless, cloud-based onboarding and NAC solution. Small and medium-sized organizations with limited IT personnel benefit from simplified workflows and secure role-based policies administered through Aruba Central to ensure users and devices have appropriate network access.
Roles
The term “Role” has had different meanings at Aruba, depending on the context. To a network engineer, a role often refers to a user role. To a ClearPass administrator, it can mean the same as it does to a network engineer, or it can refer to TIPS roles within ClearPass’s Role Mapping Policies.
In Aruba Central Global Policy Manager, it refers to a Global Client Role. To help eliminate confusion, brief descriptions are provided below.
User Role (Gateway, Switch, AP)
Introduced in ArubaOS 6, the User Role is a set of attributes associated with a device or user when connectivity to the network is established. A user role comprises firewall policies, bandwidth contracts, QoS markings, and other configurable parameters to control secure access at the AP, gateway, or switch.
TIPS Role (ClearPass)
Within Aruba ClearPass, role mapping tags devices and users within a service with as much information as possible for use in a policy decision. Within a Role Mapping Policy, a user and/or device can be mapped to a TIPS role, which is significant only within the ClearPass cluster and is never sent to the network device. The TIPS role can be used by the Enforcement Policy (along with attributes such as time of day, profiled information, or Microsoft Active Directory security group membership) to decide the level of access a network client is granted. The Enforcement Policy then returns the user role attribute to the AP, gateway, or switch, which applies it to the authenticating client.
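To make the two stages concrete, the following is an added illustration written for this page; it is not ClearPass code and does not come from the original text. It models a Role Mapping Policy (every matching rule contributes a TIPS role) feeding an Enforcement Policy (first applicable rule wins, default is Access-Reject). The request fields, group names, device categories, rule conditions, and role names are all constructed for the example; the one vendor-specific fact relied on is that the enforcement result reaches the network device as the Aruba-User-Role attribute in the Access-Accept.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional, Tuple

# Constructed request context. Field names are illustrative stand-ins for the kinds of
# inputs the text lists (AD group membership, profiled device category, posture, time of
# day); they are not ClearPass dictionary attribute names.
@dataclass
class Request:
    username: str
    auth_method: str                        # "EAP-TLS", "PEAP-MSCHAPv2" or "MAC"
    ad_groups: FrozenSet[str] = frozenset()
    device_category: str = "Unknown"        # from profiling
    posture_healthy: Optional[bool] = None  # None: no posture data available
    now: time = time(9, 0)

# Stage 1: Role Mapping Policy. Every matching rule contributes a TIPS role. The set is
# internal to the ClearPass cluster and is never sent to the network device.
ROLE_MAPPING = [
    ("Employee",   lambda r: "Domain Users" in r.ad_groups),
    ("Finance",    lambda r: "FIN-Staff" in r.ad_groups),
    ("Contractor", lambda r: "Contractors" in r.ad_groups),
    ("Printer",    lambda r: r.device_category == "Printer"),
    ("Camera",     lambda r: r.device_category == "Camera"),
]

def map_roles(r: Request) -> FrozenSet[str]:
    return frozenset(name for name, cond in ROLE_MAPPING if cond(r))

# Stage 2: Enforcement Policy, first-applicable rule wins. Rule order matters: the
# quarantine rule sits above the broad employee rule so an unhealthy endpoint can never
# reach it. The winning value is the user role name returned in the Aruba-User-Role VSA.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

def in_business_hours(r: Request) -> bool:
    return BUSINESS_HOURS[0] <= r.now < BUSINESS_HOURS[1]

ENFORCEMENT = [
    (lambda roles, r: "Finance" in roles and r.auth_method == "EAP-TLS" and r.posture_healthy is True, "finance-role"),
    (lambda roles, r: "Employee" in roles and r.posture_healthy is False, "quarantine-role"),
    (lambda roles, r: "Employee" in roles and r.auth_method == "EAP-TLS", "employee-role"),
    (lambda roles, r: "Employee" in roles and r.auth_method == "PEAP-MSCHAPv2", "byod-role"),
    (lambda roles, r: "Contractor" in roles and r.auth_method == "EAP-TLS" and in_business_hours(r), "contractor-role"),
    (lambda roles, r: "Printer" in roles and r.auth_method == "MAC", "printer-role"),
    (lambda roles, r: "Camera" in roles and r.auth_method == "MAC", "iot-camera-role"),
]

def decide(r: Request) -> Tuple[str, Optional[str], FrozenSet[str]]:
    """Return (RADIUS result, Aruba-User-Role value, TIPS roles). No match means Access-Reject."""
    tips_roles = map_roles(r)
    for cond, user_role in ENFORCEMENT:
        if cond(tips_roles, r):
            return ("Access-Accept", user_role, tips_roles)
    return ("Access-Reject", None, tips_roles)

if __name__ == "__main__":
    for req in (
        Request("alice", "EAP-TLS", frozenset({"Domain Users", "FIN-Staff"}), "Computer", True, time(10, 0)),
        Request("carol", "EAP-TLS", frozenset({"Contractors"}), "Computer", None, time(20, 30)),
        Request("00:11:22:33:44:55", "MAC", frozenset(), "Printer"),
    ):
        print(req.username, decide(req)[:2])
```

Note that the profiled category alone never grants access: a device that profiles as a camera but authenticates with a user credential matches no rule and is rejected, which is the check a practitioner wants against MAC spoofing of IoT entries.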
Global Client Role (Aruba Central)
In Aruba Central Global Policy Manager, the role refers to the Global Client Role, configured for role-to-role policy enforcement. To make these client roles more powerful and consistent with the ESP architecture, they can be managed globally from Aruba Central. For example, if you have five roles in your network, a role-to-role policy is created by defining permissions from one role to another. And by configuring this only once in Central, it is applied to all relevant network devices: from a Microbranch or Bridge Mode AP, to a Mobility Gateway, to a switch. There is no need to build three different formats of security policy.
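The following added example (written for this page, not Aruba code) ties the role-to-role policy described here to the VXLAN-GBP tagging described in the Campus Policy Layer section: the ingress VTEP writes the sender's role ID into the Group Policy ID field of the VXLAN header, and the egress node decides by looking up only (source role, destination role), never the VNI or IP address. The header layout follows draft-smith-vxlan-group-policy; the role IDs, role names, and policy table are constructed for the example and are not Aruba's values.

```python
import struct
from dataclasses import dataclass

# VXLAN-GBP header (draft-smith-vxlan-group-policy), 8 bytes:
#   byte 0  flags:        G (0x80) GBP extension present, I (0x08) VNI valid
#   byte 1  policy flags: D (0x40) don't learn source,    A (0x08) policy already applied
#   bytes 2-3             Group Policy ID (16 bit): the role ID carried in every frame
#   bytes 4-6             VNI (24 bit), byte 7 reserved
FLAG_G, FLAG_I = 0x80, 0x08
PFLAG_D, PFLAG_A = 0x40, 0x08

@dataclass(frozen=True)
class VxlanGbp:
    vni: int
    gpid: int
    policy_applied: bool
    dont_learn: bool

def build_vxlan_gbp(vni: int, gpid: int, policy_applied: bool = False, dont_learn: bool = False) -> bytes:
    """Ingress VTEP: encapsulate with the sender's role ID in the Group Policy ID field."""
    if not 0 <= vni < 1 << 24 or not 0 <= gpid < 1 << 16:
        raise ValueError("VNI is 24 bit, GPID is 16 bit")
    pflags = (PFLAG_A if policy_applied else 0) | (PFLAG_D if dont_learn else 0)
    return struct.pack("!BBHI", FLAG_G | FLAG_I, pflags, gpid, vni << 8)

def parse_vxlan_gbp(header: bytes) -> VxlanGbp:
    """Egress VTEP: recover VNI and role ID. A plain VXLAN header (G clear) carries no role."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, pflags, gpid, vni_res = struct.unpack("!BBHI", header[:8])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: VNI not valid")
    if not flags & FLAG_G:
        # Bytes 1-3 are reserved in plain VXLAN: never trust them as a role tag.
        return VxlanGbp(vni=vni_res >> 8, gpid=0, policy_applied=False, dont_learn=False)
    return VxlanGbp(vni=vni_res >> 8, gpid=gpid,
                    policy_applied=bool(pflags & PFLAG_A), dont_learn=bool(pflags & PFLAG_D))

# Constructed role table (IDs are illustrative, not Aruba's).
ROLE_ID = {"employee": 100, "contractor": 200, "printer": 300, "iot-camera": 400, "nvr": 500}
ROLE_NAME = {rid: name for name, rid in ROLE_ID.items()}

# Role-to-role policy defined once: (source role, destination role) -> permitted.
# Any pair not listed is denied, so new roles start with no reachability.
ROLE_TO_ROLE = {
    ("employee", "employee"): True,
    ("employee", "printer"): True,
    ("contractor", "printer"): True,
    ("iot-camera", "nvr"): True,
}

def egress_decision(header: bytes, dst_role: str) -> str:
    """Policy lookup at the egress node, keyed on roles only; VNI and IP play no part."""
    h = parse_vxlan_gbp(header)
    if h.policy_applied:
        return "permit"   # ingress already enforced; honour this only from trusted VTEPs
    src_role = ROLE_NAME.get(h.gpid)
    if src_role is None:
        return "deny"     # untagged (gpid 0) or unknown role ID: no identity, default deny
    return "permit" if ROLE_TO_ROLE.get((src_role, dst_role), False) else "deny"

def forward(src_role: str, dst_role: str, vni: int) -> str:
    """One frame end to end: tag at ingress, decide at egress."""
    return egress_decision(build_vxlan_gbp(vni, ROLE_ID[src_role]), dst_role)

if __name__ == "__main__":
    for src, dst, vni in [("employee", "printer", 10100), ("iot-camera", "employee", 10100),
                          ("iot-camera", "nvr", 10200), ("contractor", "employee", 10100)]:
        print(f"{src:>10} -> {dst:<9} vni {vni}: {forward(src, dst, vni)}")
```

The same decision is reached for a given role pair whatever VNI the frame arrived on, which is the practical meaning of separating policy from the IP design: moving a client to another VLAN or subnet changes its VNI but not its role, so the permitted set does not change. The `policy_applied` shortcut mirrors the A bit's intent and is the one place a fabric must restrict trust to its own VTEPs, since an attacker who can inject VXLAN toward a VTEP would otherwise set that bit to skip enforcement.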