AAA, NAC, Guest Access & BYOD

Do we need to disconnect Aruba VPN user after health/posture check?

Question- Do we need to disconnect Aruba VIA/VPN user after the health/posture check to switch the user to access role?

Environment- Aruba VIA user authentication against ClearPass 6.2.x and above versions.

Answer- There is no need to disconnect VPN user to switch the user role. All we need to do is to switch the user from quarantine to access role after the successful health check using the template "RADIUS Change of Authorization (CoA)" in the enforcement.

Create an enforcement profile as shown below and apply this enforcement profile in the service after the successful health check to change the user role on controller.

Navigation: Configuration >> Enforcement >> Profiles >> Add >> Select the Template to "Radius Change of Authorization(CoA)" >> Attributes >> Set the Radius CoA Template to "Aruba - Change -User-Role"


 

 

rtaImage (4).png

 

Enter the role name as Filter-Id Value in the above profile and use it in the web authentication/health check service to switch the user role after the successful health/posture validation.

Note: ClearPass should be configured as RFC 3576 server on the controller and mapped under L3 Authentication >> VIA Authentication Profile >> RFC 3576 server. And also RADIUS CoA should be enabled on ClearPass for the controller under Configuration >> Network >> Devices.

 

Version History
Revision #:
1 of 1
Last update:
‎04-01-2015 10:25 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.