CPPM is the central device that manages all security policies in a controller deployment; the controllers merely enforce those policies.
CPPM RADIUS provides the role name at user authentication. If the role does not yet exist on the authenticator (switch or controller), the authenticator can request the role details from CPPM. Users are then assigned to the newly defined role.
Role download can be triggered in two ways:
Aruba-CPPM-Role VSA: when a user performs a full authentication and a role name is received in this VSA, a role request is sent to CPPM for that role.
Cached downloadable role: this applies only to HA-failover scenarios with dot1x-wpa2. During the first full authentication, as soon as the role name is received through the VSA, that role (rather than the next-derived role) is marked for caching. On HA failover and user creation, when the cached role is recovered and found to be a downloadable role that is not present on the controller, a role request is sent for this role name.
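Added example, not code from Aruba or ClearPass: a Python model of the two triggers above. It decodes the Aruba-CPPM-Role VSA from a RADIUS Access-Accept attribute buffer (RFC 2865 Vendor-Specific attribute 26 with Aruba's enterprise number 14823), then applies the full-authentication and HA-failover paths to decide whether a role request is needed. The vendor-type code used for Aruba-CPPM-Role, the Controller class and its method names are assumptions.

```python
import struct
ARUBA_VENDOR_ID = 14823  # IANA enterprise number for Aruba Networks
# Assumed vendor-type code for Aruba-CPPM-Role: the page gives no number, so this
# is a placeholder used consistently by the encoder and decoder below.
ARUBA_CPPM_ROLE_TYPE = 24

def parse_cppm_roles(attrs):  # walk RFC 2865 attribute TLVs, collect Aruba-CPPM-Role
    roles, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        value = attrs[i + 2:i + alen]
        if atype == 26 and len(value) >= 6:  # 26 = Vendor-Specific
            vendor_id, sub = struct.unpack("!I", value[:4])[0], value[4:]
            while len(sub) >= 2:  # one VSA may carry several sub-attributes
                vtype, vlen = sub[0], sub[1]
                if vlen < 2 or vlen > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                if vendor_id == ARUBA_VENDOR_ID and vtype == ARUBA_CPPM_ROLE_TYPE:
                    roles.append(sub[2:vlen].decode("utf-8"))
                sub = sub[vlen:]
        i += alen
    return roles

def build_vsa(vendor_id, vtype, data):  # encode one sub-attribute in a Vendor-Specific TLV
    body = struct.pack("!I", vendor_id) + bytes([vtype, len(data) + 2]) + data
    return bytes([26, len(body) + 2]) + body

class Controller:
    """Hypothetical model of the controller side of the two download triggers."""
    def __init__(self, local_roles):
        self.local_roles = set(local_roles)
        self.role_requests = []  # role names requested from CPPM, in order
        self.cached_roles = {}   # user -> role marked for caching (synced to HA peer)
    def _ensure_role(self, role):  # request a downloadable role only if it is missing
        if role is not None and role not in self.local_roles:
            self.role_requests.append(role)
            self.local_roles.add(role)  # assume the download succeeds
    def full_auth(self, user, access_accept_attrs):
        roles = parse_cppm_roles(access_accept_attrs)
        role = roles[0] if roles else None
        if role is not None:
            self.cached_roles[user] = role  # cache the VSA role, not the next-derived one
        self._ensure_role(role)
        return role
    def ha_failover_user_create(self, user):
        role = self.cached_roles.get(user)  # recovered from the cache after failover
        self._ensure_role(role)
        return role
```

A standby controller that has received the synced cache issues the role request itself on failover, as the page describes, while a second user authenticating with an already-downloaded role triggers no further request.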
Configuration Steps:
The CLI audit trail will not show the CPPM commands that are executed through the authentication path.
An Enable/Disable knob is available in the AAA profile (Download Roles from CPPM).
AAA Profile "test"
Parameter                                Value
---------                                -----
Initial role                             logon
MAC Authentication Profile               N/A
MAC Authentication Default Role          logon
MAC Authentication Server Group          internal
802.1X Authentication Profile            default
802.1X Authentication Default Role       dot1x
802.1X Authentication Server Group       cppm-radius-group
RADIUS Accounting Server Group           N/A
RADIUS Interim Accounting                Disabled
Download Roles from CPPM                 Enabled
XML API server                           N/A
User derivation rules                    N/A
Enforce DHCP                             Disabled
Authentication Failure Blacklist Time    3600 sec.