You can only tunnel to a single controller or single cluster from a switch in AOS-Switch. A switch cannot tunnel to multiple, separate controllers or clusters.
Yes, absolutely, that's the idea behind user-based tunneling. Each role has its own unique policy applied to it. You can even block traffic role-to-role at the controller.
So each wired tunnel has a primary role (switch) and a secondary role (controller). The controller role is where you would put your policy in to restrict or grant access to other roles. Each role will have to have policy designed to do so.
For AD, you'd have to tie the user role in the ClearPass Enforcement Policy to the AD user that you would want the specific role applied to.