Question- Do we need to disconnect an Aruba VIA/VPN user after the health/posture check to switch the user to the access role?
Environment- Aruba VIA user authentication against ClearPass 6.2.x and later versions.
Answer- There is no need to disconnect the VPN user to switch the user role. After a successful health check, ClearPass can move the user from the quarantine role to the access role by using the "RADIUS Change of Authorization (CoA)" template in the enforcement.
Create an enforcement profile as shown below and apply it in the service after the successful health check to change the user role on the controller.
Navigation: Configuration >> Enforcement >> Profiles >> Add >> Set the Template to "RADIUS Change of Authorization (CoA)" >> Attributes >> Set the RADIUS CoA Template to "Aruba - Change -User-Role"
Enter the role name as the Filter-Id value in the above profile, and use the profile in the web authentication/health check service to switch the user role after successful health/posture validation.
Note: ClearPass must be configured as an RFC 3576 server on the controller and mapped under L3 Authentication >> VIA Authentication Profile >> RFC 3576 server. RADIUS CoA must also be enabled on ClearPass for the controller under Configuration >> Network >> Devices.
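When the role does not change, a packet capture of the CoA-Request (RFC 3576, code 43) shows whether the shared secret matches and which Filter-Id was sent. The following is an added troubleshooting example, not Aruba or ClearPass code; it assumes the role name travels in the standard Filter-Id attribute (type 11), and the secret, user name and role name in it are constructed.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43               # CoA-Request packet code (RFC 3576)
USER_NAME, FILTER_ID = 1, 11   # standard RADIUS attribute types

def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def _authenticator(header, attrs, secret):
    # RFC 3576: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_coa_request(ident, secret, username, role):
    """Construct sample CoA-Request bytes so the parser has input offline."""
    attrs = _attr(USER_NAME, username.encode()) + _attr(FILTER_ID, role.encode())
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return header + _authenticator(header, attrs, secret) + attrs

def parse_coa_request(packet, secret):
    """Check the Request Authenticator, then return {attr_type: [values]}."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST:
        raise ValueError(f"not a CoA-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match captured bytes")
    header, received, attrs = packet[:4], packet[4:20], packet[20:length]
    if not hmac.compare_digest(_authenticator(header, attrs, secret), received):
        raise ValueError("authenticator mismatch: shared secrets differ")
    found, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        found.setdefault(attrs[pos], []).append(attrs[pos + 2:pos + attrs[pos + 1]])
        pos += attrs[pos + 1]
    return found

if __name__ == "__main__":
    # Constructed sample: secret, user name and role name are made up.
    pkt = build_coa_request(7, b"constructed-secret", "via-user", "via-access")
    print(parse_coa_request(pkt, b"constructed-secret")[FILTER_ID])
```

An authenticator mismatch on a real capture means the shared secret configured for the controller under Configuration >> Network >> Devices differs from the one on the controller's RFC 3576 server entry.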