Cloud Authentication and Policy
Cloud Authentication and Policy allows you to configure user and client access policies that provide a secured, cloud-based network access control (NAC). In Aruba Central, you can configure these policies and provide an on-boarding URL for the network users to connect to the network. As the users attempt to connect to the network, you can monitor the authentication access requests and sessions on the monitoring dashboards. You can view more details of each access request and session to analyze them or identify any issues.
- User Access Policy: In the user access policy, a network administrator can connect the user groups, defined in the cloud identity stores, to the client roles defined in Aruba Central. User groups must be predefined in the cloud identity stores, from cloud providers like Google Workspace or Microsoft Azure Active Directory (Azure AD). Client roles can be defined in the Aruba IAP network profiles while creating the WLAN SSIDs.
- Client Access Policy: In the client access policy, a network administrator can add a list of client MAC addresses that will be allowed access to the network. The administrator can then map the client tags, which are defined for the different client categories, to the client roles. The client tags are defined in the Clients > Clients Profile page in Aruba Central.
Cloud Authentication and Policy Architecture
The following Cloud Authentication and Policy architecture provides an overview of how the cloud identity store, user and client policy, the WLAN network, and the clients connect to establish a secured cloud network.
Figure 1 Cloud Authentication and Policy Architecture
- Clients and Aruba Devices: Based on the client access policy in the Cloud Authentication and Policy configuration, the Aruba devices that are managed through Aruba Central help to connect the clients to the enterprise network. The client roles and WLAN SSIDs set up on the IAPs are used in the Cloud Authentication and Policy to control the network access. You must use the on-boarding URL provided by the network administrator to download the wireless network profiles and connect the clients to the network, through Aruba devices. You can also use the Aruba Onboard app to connect the clients to the network.
- Cloud Authentication and Policy: With Aruba Central, an administrator can configure a separate user policy and client policy as part of configuring user and client access policy. This flexibility of configuring independent user and client access policies allows the administrator to configure security levels at both the user and the client level. For more information about configuring user and client access policy, see Configuring Cloud Authentication and Policy.
- Cloud Identity Store: Aruba Cloud Identity configuration uses user group information from the identity store to allow end users to connect to Wi-Fi networks securely and automatically. With Aruba Central, you can configure and manage users and user groups in a centralized fashion. Cloud Authentication and Policy integrates with your existing cloud identity providers to authenticate users’ information and assign them the right level of network access. Cloud Authentication and Policy retrieves and validates all the necessary attributes from the identity providers before enforcing role-based access policies associated with the user groups. Currently, Cloud Authentication and Policy supports two external identity providers, that is, Google Workspace and Microsoft Azure AD.
For more information about configuring Google Workspace and Microsoft Azure AD, see the following topics:
Roles Applicable for Configuring Cloud Authentication and Policy
With Aruba Central, you can configure client roles with appropriate access rules while configuring a WLAN SSID. These client roles are assigned to user groups, which are mapped from the external identity server, while configuring user and client access policy for users.
For more information about configuring user roles and associated access rules, and configuring user and client access policies, see the following topics:
- Configuring Cloud Authentication and Policy Server in a WLAN Network
- Configuring User Roles for AP Clients
You can create user roles while configuring the WLAN SSID by selecting Role Based security level from the Security Level slider in the Access tab. For more information, see Configuring Cloud Authentication and Policy Server in a WLAN Network.
For more information about Cloud Authentication and Policy implementation, see the following topics:
- Supported Devices and Operating Systems
- Supported Deployment Types
- Prerequisites for Configuring Cloud Authentication and Policy
- Configuring Cloud Authentication and Policy Server in a WLAN Network
- Configuring Cloud Authentication and Policy
- Updating Cloud Authentication and Policy
- Provisioning Clients
- Monitoring Cloud Authentication and Policy