
Downloading an undefined role from ClearPass to Controller


To provide per-user access, user roles can be created when a user has been successfully authenticated. While configuring a remote access policy, the administrator can define the role that should be assigned to the user after successful authentication. If that role is not defined on the controller, it cannot be mapped to the user, so we need a way to download the relevant role from the server.



In RADIUS authentication, when the server (ClearPass) successfully authenticates a user, it assigns the user a user role (role name). If that role is not defined on the controller, the role attributes can also be downloaded automatically from ClearPass.

This feature supports roles obtained by the following authentication methods:

  1. 802.1X (wireless and wired users)
  2. MAC authentication
  3. Captive Portal

ClearPass does not perform any error checking to confirm the accuracy of the role definition (the policy mapped to the user role). The controller will validate the policy before downloading.


How to enable:

1. Navigate to Configuration > Security > Authentication > AAA Profiles.

2. Select an AAA profile.

3. Check the Download Role from CPPM check box to enable role download.


Providing CPPM credentials:

From ClearPass 6.4, it is mandatory to specify ClearPass credentials for downloading the role.


Configuring ClearPass:


A role can be defined and mapped through an Enforcement Profile:


  1. Select "Aruba Downloadable Role Enforcement" from the Template dropdown list.
  2. Add the Aruba controller IP to the Device list (first create a group, e.g. "My_Devices", and add the IP address to that group).

Defining and mapping the policy to the role:


  1. Define a policy (ACL) by selecting the type of ACL (Stateless ACL/Session ACL/Ethertype).
  2. Add the policy to the role (e.g. Test_policy).
  3. Add the VLAN and CP profile as per the requirement.
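
ClearPass does not check the role definition, and the steps above require each policy to be defined and then added to the role, so a pre-check before saving the profile is useful. The following is an added example, not code from the original article or from Aruba: a hypothetical `lint_role_definition` helper that assumes the definition is available as ArubaOS-style CLI text (`ip access-list <type> <name>` and `user-role <name>` blocks) and runs on a constructed sample.

```python
import re

# Constructed sample. The ArubaOS-style CLI layout is an assumption,
# not something shown in the article.
SAMPLE_ROLE = """\
ip access-list session Test_policy
 user any any permit
!
ip access-list session Unused_policy
 any any any deny
!
user-role Test_role
 access-list session Test_policy
 access-list session Guest_policy
"""

ACL_DEF = re.compile(r"^ip access-list (\S+) (\S+)\s*$")
ROLE_DEF = re.compile(r"^user-role (\S+)\s*$")
ACL_REF = re.compile(r"^\s+access-list (\S+) (\S+)\s*$")


def lint_role_definition(text):
    """Return findings for one role definition (hypothetical helper)."""
    lines = text.splitlines()
    # Pass 1: every policy (ACL) defined in the text, keyed by (type, name).
    defined = {m.groups() for m in map(ACL_DEF.match, lines) if m}
    used, findings, role = set(), [], None
    # Pass 2: walk the user-role blocks and check each policy they map.
    for num, line in enumerate(lines, 1):
        if not line[:1].isspace():  # a top-level line starts a new block
            m = ROLE_DEF.match(line)
            role = m.group(1) if m else None
            continue
        m = ACL_REF.match(line) if role else None
        if m:
            used.add(m.groups())
            if m.groups() not in defined:
                findings.append(f"line {num}: role {role} maps {m.group(1)} ACL "
                                f"{m.group(2)}, which this definition does not define")
    for acl_type, name in sorted(defined - used):
        findings.append(f"{acl_type} ACL {name} is defined but not mapped to any role")
    if not any(ROLE_DEF.match(line) for line in lines):
        findings.append("no user-role block found")
    return findings


if __name__ == "__main__":
    for finding in lint_role_definition(SAMPLE_ROLE):
        print(finding)
```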

Summary of Enforcement Profile:

Define an Enforcement Policy:

A policy with rules is required to pick up this Enforcement Profile:

  1. Create a new enforcement policy and define a condition for picking the profile.

Defining a Service:

Finally, we have to define a Service to handle this authentication:

  1. Define a service by selecting an appropriate template (e.g. Aruba 802.1x Wireless, Aruba 802.1x Wired, Aruba Guest, etc.).
  2. Select the desired Auth types (EAP-PEAP, MSCHAP V2, etc.).
  3. Select the Enforcement profile.


Testing:

On successful authentication, ClearPass will push the role along with the policy to the controller as shown below.


Role is being downloaded to the controller:


Role is downloaded and a policy is created:



Last update: 01-03-2018 04:03 AM (revision 3 of 3)

Great article!

Can the bandwidth contract be defined in the DUR as well?




