It's currently not supported to send multiple user-roles/dACLs (ClearPass can send them, but the switch/AP/controller will reject them), nor can ClearPass merge/combine multiple ACLs into a single role or ACL set. As you mentioned, there is quite some complexity in there with conflicts or ordering challenges.
Please reach out to your local Aruba SE to discuss if you have ideas on how that should work, so it can be filed as a feature request.
For now, as mentioned, create roles for HR, HRVIP, and VIP. I agree that doesn't scale too well.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
Original Message:
Sent: Apr 27, 2021 06:11 AM
From: Tim Lloyd
Subject: Combining Multiple ACLs based upon Group Membership
Hello all, I was wondering if it was possible at Clearpass authorisation stage, to be able to "evaluate all", and send multiple snippets of ACL to the authenticating device.
E.g.:
User member of HR = HR ACL
User also member of VIP = append VIP ACL
Conscious that the HR ACL would typically have an implied deny any at the end, but can we append like this at all?
Or even sending multiple roles to the NAD, would that work? NADs will be IAP and Aruba switches. Just to add that this HR is just one example, the intention is to have hundreds of potential combinations - clearly easier to achieve using per user VPNs etc but just wanted to explore this first.
Thanks in advance.