Editing User Access Policy

The administrator can configure user policies by linking user groups, client tags, and client roles.

With the dual layer user policy, the administrator can configure user policies based on both group membership and client tags. Earlier, cloud authentication policies were based only on group membership. Administrators can now build more granular user policies by incorporating the tags from Client Insights into user access policy decisions.

To configure a user access policy, complete the following steps:

  1. On the Policies page, in the User Access Policy card, click the Edit icon.

    The User Authentication page appears.

  2. Complete the following steps to configure an identity provider:

  3. Click Connect.

    If the connection is successful, the Connect button changes to Connected Successfully (with a check mark). The User Group, Client Tag, and Client Role sections, as well as the Network Profile section, are displayed. The administrator can map a User Group to a Client Tag and a Client Role.

    By default, the user group is set to unspecified, the client tag to Any, and the client role to Deny. Administrators can replace the Deny role with any other role that grants the user access to the network.

    Any device that attempts to connect to the network while the user group is unspecified and the client role is Deny is denied access to the network.

  4. To add a new row in the User Groups to Client Role Mapping table, do the following:

    1. Click the + icon.

      A new row is added in the User Groups to Client Role Mapping table.

    2. Select a user group from the User Group drop-down list.

      The values in this drop-down list are mapped to the user groups that are created or configured on the identity provider's server.

    3. Select a client tag from the Client Tag drop-down list. The system tags as well as user defined tags from Client Insights are listed in this drop-down.

      If the client tag in a user group to client tag and client role mapping is set to Any, tags are ignored for that rule. In this case, during policy evaluation, only the user group of the user connecting to the network is checked. When client tags are added to rules and matched, the rules are evaluated in the order in which they appear in the table, from top to bottom.

    4. Select a corresponding client role from the Client Role drop-down list.

    5. Repeat steps 1 to 4 to add rows and map the user group with the client tag and client role.

      • The same user group can be mapped to different client tags and different client roles.
      • The Client Role drop-down list displays only those roles that are configured at the group level using Configuring Cloud Authentication and Policy Server in a WLAN Network. That is, the Client Role drop-down list does not display roles that are configured at the device level.
      • Client Role must be created for all wired and wireless configurations including those on APs, Gateways, and Switches. This will ensure that Cloud Authentication and Policy is applied globally across wired and wireless networks.
      • If you delete a client role associated with a user access policy, the user access policy will not work as expected.

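The evaluation order described above, as an added illustration that is not part of the Aruba documentation: rules are checked top to bottom, a client tag of Any ignores the client's tags, and a client that matches no rule falls back to the default Deny role. The first-match behaviour and the group, tag, and role names are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

DEFAULT_ROLE = "Deny"  # default mapping on the page: unspecified / Any / Deny


@dataclass(frozen=True)
class Rule:
    user_group: str   # group name as configured on the identity provider
    client_tag: str   # Client Insights tag, or "Any" to ignore tags for this rule
    client_role: str  # role granted when the rule matches


@dataclass
class Client:
    user_group: str
    tags: frozenset = field(default_factory=frozenset)  # tags from Client Insights


def rule_matches(rule: Rule, client: Client) -> bool:
    """A rule matches when the group matches and either the rule ignores tags
    (client_tag == "Any") or the client carries the rule's tag."""
    if rule.user_group != client.user_group:
        return False
    return rule.client_tag == "Any" or rule.client_tag in client.tags


def evaluate_policy(rules: list[Rule], client: Client) -> str:
    """Return the client role of the first matching rule, top to bottom.
    Assumption (not stated on the page): no match falls back to DEFAULT_ROLE."""
    for rule in rules:
        if rule_matches(rule, client):
            return rule.client_role
    return DEFAULT_ROLE


# Constructed sample mapping table, listed in table order; order matters because
# the more specific "Corporate-Laptop" rule must sit above the catch-all "Any" rule.
SAMPLE_RULES = [
    Rule("Engineering", "Corporate-Laptop", "employee-full"),
    Rule("Engineering", "Any", "employee-limited"),
    Rule("Contractors", "IoT-Device", "Deny"),
    Rule("Contractors", "Any", "contractor"),
]

if __name__ == "__main__":
    laptop = Client("Engineering", frozenset({"Corporate-Laptop"}))
    print(evaluate_policy(SAMPLE_RULES, laptop))  # employee-full
```

Reversing the two Engineering rules would hand the corporate laptop the limited role instead, which is why the table order should be reviewed whenever a row is added.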
  5. In the Network Profile section, do the following:

    1. In the Organization name field, enter the organization name.

    2. Select the WLAN SSID (Service Set Identifier) from the WLAN for Non-passpoint clients drop-down list. The selected SSID is used by non-Passpoint devices that onboard through the Client App. This is the SSID created in the AP's WLAN configuration. For more information, see Configuring Cloud Authentication and Policy Server in a WLAN Network.

  6. Click SAVE to save the user policy.

  7. Click the User Access Policy accordion to view the summary of the newly created user access policy along with the newly generated onboarding URL.

    For onboarding and provisioning client devices, copy the onboarding URL and share it with the end users.

For wired client device access, after upgrading to Aruba Central 2.5.6, save the User Access Policy. Once the policy is saved, you must install the network profile on the wired client device using HPE Aruba Networking Onboard App version 1.3 or later.

Manage MPSK (Multi Pre-Shared Key): The Cloud Authentication and Policy server enables MPSK in a WLAN network in Aruba Central to provide a seamless wireless network connection to end users and client devices.

The Manage MPSK link will only be visible after creating a user policy. For more information, see Managing MPSK Network.