Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Configuring the Global Client Roles
Global client role configuration affects all access switches and wireless gateways in the network, as part of global policy enforcement.
To configure client roles for role-to-role policy enforcement, complete the following procedure:
- In the Aruba Central app, complete the following steps:
  - Set the filter to Global.
  - Under Manage, click Security > Client Roles. The Client Roles page is displayed.
  - Toggle the Role-to-Role Policy Enforcement switch to the on position to apply the roles and permissions that are defined.
Figure 1 Client Roles Page
- In the Roles table, click the + icon. The Create new role page is displayed.
- In the Create new role page, configure the following parameters:
  - Name—Enter the name of the role that you want to create. For example, Admin.
  - Description—Enter the description of the role. For example, all employees in the organization.
  - Policy Identifier—Policy Identifier is a unique, auto-generated identifier for the role. You can modify the identifier, if required. For example, 100.
- Enable the Allow default role to source role permissions for wired clients checkbox if you want to allow unauthenticated client traffic and external traffic (traffic with Policy Identifier 0) for the wired clients.
- In the Permissions table, click the edit icon to create bi-directional policies between roles.
The Allow Source to Destination column enables permissions from the source role to the selected destination role. The Allow Destination to Source column enables permissions from the selected destination role to the source role. For example, if you open the Assign Permissions window for the Admin role, select the check box for the BYOD role in the Allow Source to Destination column to allow network traffic from the Admin role to the BYOD role, and select the check box for the IOT role in the Allow Destination to Source column to allow network traffic from the IOT role to the Admin role.
Selecting either of the check boxes for self selects both check boxes by default. Selecting self enables bi-directional network traffic between devices of the same role.
Figure 2 Assign Permissions Page
- In the Allow Source to Destination and the Allow Destination to Source columns, select the appropriate check box.
- Click Assign.
- In the Propagate roles between Aruba Gateways? options, select Yes if you have a Branch Gateway or Mobility Gateway for role propagation; otherwise, select No.
When the Branch mode is enabled, the gateways can propagate role information and enforce role-based policies for client traffic across multiple sites across the SD-WAN. When the Mobility mode is enabled, gateways can propagate role information and enforce role-based policies for client traffic across multiple gateways, irrespective of the network infrastructure between them.
- In the Create new role page, click Save.
The role is created, and the assigned permissions are saved.
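To make the permission semantics of the procedure above concrete, the following is an added example model of the role-to-role matrix. It is not Aruba Central code: the class and method names, the enforcement decision logic, and the BYOD (101) and IOT (102) policy identifiers are assumptions made for this illustration; only Admin = 100 and the default role = 0 come from the page. It shows that each column of the Assign Permissions window creates one direction only, that the self check boxes are symmetric, and that Policy Identifier 0 traffic is admitted only where the default-role checkbox was enabled.

```python
# Added illustration: a minimal model of the role-to-role permission matrix.
# Not Aruba Central code; names and the decision logic are assumptions.
from dataclasses import dataclass

DEFAULT_POLICY_ID = 0  # unauthenticated client traffic and external traffic


@dataclass(frozen=True)
class Role:
    name: str
    policy_id: int          # unique identifier, e.g. 100 for Admin
    description: str = ""


class RolePolicyMatrix:
    """Directed role-to-role permissions, one entry per allowed direction."""

    def __init__(self, enforcement_enabled: bool = True) -> None:
        self.enforcement_enabled = enforcement_enabled
        self.roles: dict[int, Role] = {}
        self._allowed: set[tuple[int, int]] = set()   # (source_id, destination_id)
        self._default_role_ok: set[int] = set()       # roles accepting policy-id-0 traffic on wired ports

    def add_role(self, role: Role) -> None:
        if role.policy_id in self.roles:
            raise ValueError(f"policy identifier {role.policy_id} already in use")
        if role.policy_id == DEFAULT_POLICY_ID:
            raise ValueError("policy identifier 0 is reserved for the default role")
        self.roles[role.policy_id] = role

    def assign(self, source: int, destination: int,
               source_to_destination: bool = False,
               destination_to_source: bool = False) -> None:
        """Mirror the two columns of the Assign Permissions window."""
        for pid in (source, destination):
            if pid not in self.roles:
                raise KeyError(f"unknown role {pid}")
        if source == destination:
            # Self: ticking either check box ticks both, so one flag is enough.
            if source_to_destination or destination_to_source:
                self._allowed.add((source, source))
            return
        if source_to_destination:
            self._allowed.add((source, destination))
        if destination_to_source:
            self._allowed.add((destination, source))

    def allow_default_role(self, role_id: int) -> None:
        """The 'Allow default role to source role permissions for wired clients' checkbox."""
        if role_id not in self.roles:
            raise KeyError(f"unknown role {role_id}")
        self._default_role_ok.add(role_id)

    def is_allowed(self, source: int, destination: int, wired: bool = False) -> bool:
        """Decide whether traffic from the source role to the destination role passes."""
        if not self.enforcement_enabled:
            return True                      # enforcement switch off: no role filtering
        if source == DEFAULT_POLICY_ID:
            # Assumption: the checkbox admits policy-id-0 traffic only toward
            # roles where it was enabled, and only for wired clients.
            return wired and destination in self._default_role_ok
        return (source, destination) in self._allowed

    def matrix(self) -> dict[str, dict[str, bool]]:
        """Name-keyed view of every source/destination pair, for review."""
        names = {pid: r.name for pid, r in self.roles.items()}
        return {names[s]: {names[d]: self.is_allowed(s, d) for d in self.roles}
                for s in self.roles}


def build_example() -> RolePolicyMatrix:
    """Reproduce the Admin/BYOD/IOT example from the page (101/102 are constructed)."""
    m = RolePolicyMatrix()
    m.add_role(Role("Admin", 100, "all employees in the organization"))
    m.add_role(Role("BYOD", 101))
    m.add_role(Role("IOT", 102))
    # Assign Permissions window opened for Admin (the source role):
    m.assign(100, 101, source_to_destination=True)   # Admin -> BYOD only
    m.assign(100, 102, destination_to_source=True)   # IOT -> Admin only
    m.assign(100, 100, source_to_destination=True)   # Admin <-> Admin (self)
    m.allow_default_role(100)
    return m


if __name__ == "__main__":
    for src, row in build_example().matrix().items():
        cells = "  ".join(f"{dst}={'Y' if ok else 'N'}" for dst, ok in row.items())
        print(f"{src:>6}: {cells}")
```

Running the block prints the matrix; note that Admin to BYOD is allowed while BYOD to Admin is not, because only the Allow Source to Destination box was ticked for that pair, and that the reverse holds for IOT.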
Configuring custom policy rules on switches is possible using the Multi-Editor with sequence numbers above 9999.
The following animation shows you how to configure client roles for role-to-role policy enforcement.