Editing User Access Policy
The administrator can configure user policies by linking user groups, client tags, and client roles.
With the dual-layer user policy, the administrator can configure user policies based on both group membership and client tags. Previously, cloud authentication policies were based only on group membership. Administrators can now build advanced user policies by incorporating the tags from Client Insights into user access policy decisions.
To configure a user access policy, complete the following steps:
1. In the User Access Policy card on the Policies page, click the Edit icon.
   The User Authentication page appears.
2. Complete the following steps to configure an identity provider:
   - To configure Microsoft Entra ID as your identity provider:
     Select Microsoft Entra ID from the Identity Provider drop-down list.
     If you had configured Google Workspace as your identity provider, a Confirm Change pop-up window is displayed when you select Microsoft Entra ID. Click Confirm to proceed.
     Enter the following parameters:
     Tenant ID—The tenant ID that is used by the Cloud Authentication and Policy application when it communicates with Microsoft Entra ID.
     Client ID—The client ID that is used to identify the Cloud Authentication and Policy application with Microsoft Entra ID.
     Client Secret—The client secret that is used to identify the Cloud Authentication and Policy application when requesting an access token from the Microsoft identity platform token endpoint. The access token is used with the Microsoft Graph API to get information about users.
   - To configure Google Workspace as your identity provider:
     Select Google Workspace from the Identity Provider drop-down list.
     If you had configured Microsoft Entra ID as your identity provider, a Confirm Change pop-up window is displayed when you select Google Workspace. Click Confirm to proceed.
     Configure the following parameters:
     Customer ID—The customer ID that is used to identify the Cloud Authentication and Policy application with Google Workspace.
     Domain—The domain name that identifies your organization's domain on Google Workspace.
     Administrator Email—The administrator email ID that is associated with the Google Workspace account.
     Client ID (Open ID)—The client ID that is used to identify the Cloud Authentication and Policy application on Google Workspace.
     Client Secret—The client secret that is used to identify the Cloud Authentication and Policy application while authenticating with the authorization server. The client secret is shared only between the Cloud Authentication and Policy application and the authorization server.
     Credentials File—The credentials file contains the private key for the service account. Drag and drop the credentials file, or click browse, navigate to the credentials file on your file system, and then click Open.
     You must save the credentials file in JSON format while configuring the Google Workspace identity provider. For more information, see Google Workspace.
   - To configure Okta Workforce Identity Cloud as your identity provider:
     Select Okta Workforce Identity Cloud from the Identity Provider drop-down list.
     Configure the following parameters:
     Okta Domain—The Okta domain that is used by the Cloud Authentication and Policy application when it communicates with Okta Workforce Identity Cloud.
     Client ID—The client ID that is used to identify the Cloud Authentication and Policy application to the Cloud Auth OIDC application.
     Client Secret—The client secret that is used to identify the Cloud Authentication and Policy application while authenticating with the authorization server. The client secret is shared only between the Cloud Authentication and Policy application and the authorization server.
     Service Client ID—The API service client ID that is used to identify the Cloud Authentication and Policy application to the Cloud Auth API Services application.
     Service Client Secret—The API service client secret that is used to identify the Cloud Authentication and Policy application while authenticating with the authorization server.
3. To set up the identity store in the Microsoft Entra ID or Google Workspace console, you must provide the redirect URI. This is the endpoint URL of the cloud guest server. To get the URI, click the Copy Redirect URI button. The URI is copied immediately and the button label changes to URI Copied. You can then proceed with setting up the identity store.
4. For the Okta Workforce Identity Cloud identity provider, the redirect URI must be configured during installation of the Cloud Auth OIDC application.
5. Click Connect.
   If the connection is successful, the Connect button changes to Connected Successfully ✓. The User Group, Client Tag, Client Role, and Network Profile sections are displayed. The administrator can map a User Group to a Client Tag and a Client Role.
   By default, the user group is set to unspecified, the client tag to Any, and the client role to Deny. Administrators can change the Deny role to any other role that grants the user access to the network.
   Any device that attempts to connect to the network with the user group as unspecified and the client role as Deny is denied access to the network.
6. To add a new row in the User Groups to Client Role Mapping table, do the following:
   a. Click the + icon.
      A new row is added to the User Groups to Client Role Mapping table.
   b. Select a user group from the User Group drop-down list.
      The values in this drop-down list are mapped to the user groups that are created or configured on the identity provider's server.
   c. Select a client tag from the Client Tag drop-down list. The system tags as well as the user-defined tags from Client Insights are listed in this drop-down.
      If the client tag in a user group to client role mapping is set to Any, tags are ignored for that rule: during policy evaluation, only the user group of the connecting user is checked. When client tags are added to rules and matched, the rules are evaluated in the order in which they appear in the table, from top to bottom.
   d. Select the corresponding client role from the Client Role drop-down list.
   e. Repeat steps a to d to add rows and map user groups to client tags and client roles.
   - The same user group can be mapped to different client tags and different client roles.
   - The Client Role drop-down list displays only those roles that are configured at the group level using Configuring Cloud Authentication and Policy Server in a WLAN Network. That is, it does not display roles that are configured at the device level.
   - A client role must be created for all wired and wireless configurations, including those on APs, Gateways, and Switches. This ensures that Cloud Authentication and Policy is applied globally across wired and wireless networks.
   - If you delete a client role that is associated with a user access policy, the user access policy will not work as expected.
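As an added example (not HPE Aruba Networking code), the following Python model shows how the User Groups to Client Role Mapping table described above is evaluated: rows checked top to bottom, a tag of Any matching on group alone, and the default unspecified/Any/Deny row. It also flags rows that can never match because an earlier row for the same group already covers them. The group, tag and role names are constructed, and first-match semantics is an assumption drawn from the order-of-evaluation note.

```python
# Added example, not HPE Aruba Networking code: a model of how the User Groups to
# Client Role Mapping table described above is evaluated. Names are constructed.
from dataclasses import dataclass
from typing import Iterable, List

ANY_TAG = "Any"            # tag value that makes a rule ignore client tags
UNSPECIFIED = "unspecified"
DENY = "Deny"

@dataclass(frozen=True)
class Rule:
    user_group: str
    client_tag: str        # a system tag, a Client Insights tag, or ANY_TAG
    client_role: str

def evaluate(rules: Iterable[Rule], user_group: str, client_tags: Iterable[str]) -> str:
    """Role for a user in user_group whose device carries client_tags.
    Rules are checked top to bottom; the first match wins (assumption drawn from
    the order-of-evaluation note). A rule with tag Any matches on group alone,
    otherwise its tag must be present on the client. No match falls through to
    Deny, mirroring the default unspecified / Any / Deny row."""
    tags = set(client_tags)
    for rule in rules:
        if rule.user_group != user_group:
            continue
        if rule.client_tag == ANY_TAG or rule.client_tag in tags:
            return rule.client_role
    return DENY

def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Sanity check before saving: rows that can never match because an earlier
    row for the same group has tag Any or the same tag."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.user_group == rule.user_group and \
                    earlier.client_tag in (ANY_TAG, rule.client_tag):
                shadowed.append(rule)
                break
    return shadowed

# Constructed sample table, in the order the rows would appear in the UI.
POLICY = [
    Rule("Engineering", "Corporate-Managed", "employee-full"),
    Rule("Engineering", ANY_TAG, "employee-restricted"),   # any other Engineering device
    Rule("Contractors", "BYOD", "guest-internet-only"),
    Rule(UNSPECIFIED, ANY_TAG, DENY),                      # default row
]
```

Swapping the two Engineering rows makes the Corporate-Managed row unreachable, which shadowed_rules reports; the row order in the table is therefore part of the policy.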
7. In the Network Profile section, do the following:
   a. In the Organization name field, enter the organization name.
      This is the user-friendly name that is displayed as the Wi-Fi connection name on client devices, depending on device support.
      This field is pre-populated with the organization name that is registered with HPE Aruba Networking Central. Based on the organization name you provide, the HPE Aruba Networking Onboard mobile app preview shows how the organization name will appear in the HPE Aruba Networking Onboard mobile app.
   b. Select the WLAN SSID from the WLAN for Non-passpoint clients drop-down list. The selected SSID is used for non-Passpoint devices that connect using the Client App. This is the SSID created in the AP's WLAN configuration. For more information, see Configuring Cloud Authentication and Policy Server in a WLAN Network.
      The WLAN for Non-passpoint clients drop-down list displays only enterprise SSIDs, because only enterprise SSIDs with Cloud Auth as the AAA server apply to the Client App (HPE Aruba Networking Onboard App). The list consists only of those WLAN SSIDs that are configured at the group level using Configuring Cloud Authentication and Policy Server in a WLAN Network. That is, it does not display WLAN SSIDs that are configured at the device level.
      If you delete the selected WLAN SSID from the WLAN configuration, the user access policy will not work as expected.
8. Click SAVE to save the user policy.
9. Click the accordion to view the summary of the newly created user access policy along with the newly generated onboarding URL.
   For onboarding and provisioning client devices, you must copy the onboarding URL and share it with the end users.
For wired client device access, after upgrading to HPE Aruba Networking Central 2.5.6, save the User Access Policy. Once the policy is saved, you must install the network profile on the wired client device using HPE Aruba Networking Onboard App version 1.3 or later.
The Manage MPSK link is visible only after a user policy has been created. For more information, see Managing MPSK Network.