In order to provide per-user access control, user roles can be created when a user has been successfully authenticated. During the configuration of a remote access policy, the administrator can define a role that should be assigned to the user after successful authentication. If the role is not defined on the controller, it cannot be mapped to the user, hence we need a solution where the relevant role can be downloaded from the server.
In RADIUS authentication, when the server (CPPM) successfully authenticates a user, the server assigns the user a role (by role name). If that role is not defined on the controller, the role attributes can also be downloaded automatically from CPPM.
This feature supports roles obtained by the following authentication methods:
- 802.1x (wireless and wired users)
- MAC authentication
- Captive Portal
CPPM does not perform any error checking to confirm the accuracy of the role definition (the policy mapped to the role). The controller validates the policy before downloading it.
How to enable :
1. Navigate to the Configuration > Security > Authentication > AAA Profiles.
2. Select an AAA profile.
3. Check the Download Role from CPPM check box to enable role download.
Providing CPPM credentials:
From CPPM 6.4 onwards it is mandatory to specify CPPM credentials in order to download the role.
Configuring CPPM :
A role can be defined and mapped through an Enforcement Profile as shown below.
- Select “Aruba Downloadable Role Enforcement” from the Template drop-down list.
- Add the Aruba controller IP to the Device list (first create a group, e.g. “My_Devices”, and add the IP address to that group).
Defining and mapping the Policy to the Role :
- Define a policy (ACL) by selecting the type of ACL (Stateless ACL / Session ACL / Ethertype).
- Add the policy to the role (e.g. Test_policy).
- Add the VLAN and CP (Captive Portal) profile as required.
Summary of Enforcement Profile :
Define an Enforcement Policy :
A policy with rules is required to pick up this Enforcement Profile:
- Create a new enforcement policy and define a condition for selecting the profile.
Defining a Service :
Finally, we have to define a Service to handle this authentication.
- Define a service by selecting an appropriate template (e.g. Aruba 802.1x Wireless / Aruba 802.1x Wired / Aruba Guest, etc.).
- Select the desired authentication types (EAP-PEAP, MSCHAP V2, etc.).
- Select the Enforcement Profile.
On successful authentication, CPPM pushes the role along with the policy to the controller, as shown below.
Role is being downloaded to the Controller :
Role is downloaded and a policy is created :
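Because CPPM does no error checking of the role definition and the controller rejects an inconsistent one at download time, a mistake in the enforcement profile only surfaces when the user authenticates. The following is an added example (not ClearPass or ArubaOS code) of the kind of consistency check worth running on a role definition beforehand; it assumes, hypothetically, that the role is expressed as ArubaOS-style CLI text (ACL blocks followed by a user-role block) and maps the three ACL kinds above to the keywords session, stateless and eth.

```python
import re

# Added illustration, not ClearPass/ArubaOS code. Assumes the pushed role is ArubaOS-style
# CLI text; the three ACL kinds above (Session / Stateless / Ethertype) map to these keywords.
SUPPORTED_ACL_TYPES = {"session", "stateless", "eth"}

# Constructed sample payload. "Test_policy" is the policy name used above; the
# reference to "Guest_policy" is deliberately undefined so the check reports it.
SAMPLE_ROLE = """\
ip access-list session Test_policy
  any any any permit
!
user-role Test_Role
  access-list session Test_policy
  access-list session Guest_policy
  vlan 100
!
"""

def parse_role(text):
    """Return (defined ACLs name->type, role name, [(type, name)] referenced, vlan)."""
    acls, refs, role, vlan = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list (\w+) (\S+)$", line):
            acls[m.group(2)] = m.group(1)          # ACL definition
        elif m := re.match(r"user-role (\S+)$", line):
            role = m.group(1)
        elif m := re.match(r"access-list (\w+) (\S+)$", line):
            refs.append((m.group(1), m.group(2)))  # ACL attached to the role
        elif m := re.match(r"vlan (\d+)$", line):
            vlan = int(m.group(1))
    return acls, role, refs, vlan

def validate_role(text):
    """Return a list of problems; an empty list means the role definition is consistent."""
    acls, role, refs, vlan = parse_role(text)
    problems = []
    if role is None:
        problems.append("missing user-role block")
    for name, acl_type in acls.items():
        if acl_type not in SUPPORTED_ACL_TYPES:
            problems.append(f"ACL {name}: unsupported type {acl_type}")
    for _, name in refs:
        if name not in acls:
            problems.append(f"role references undefined ACL {name}")
    if vlan is not None and not 1 <= vlan <= 4094:
        problems.append(f"VLAN {vlan} out of range")
    return problems
```

Running `validate_role(SAMPLE_ROLE)` reports the dangling Guest_policy reference; removing that line yields an empty list.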