VSA user-role priority change from Aruba OS 6.4.3.x and above
What is the change in Aruba VSA user-role priority in Aruba OS 6.4.3.x and above?
Starting from Aruba OS 6.4.3.x, the user-role flow has been streamlined.
In general, if a user is already in a higher-priority L2 user-role, the user will not be moved into a lower-priority L2 user-role.
The change is visible in the following scenario:
Enforce machine authentication is not enabled on the controller.
An Aruba VSA user-role is configured for machine authentication, but not for user authentication.
The Aruba VSA user-role has a higher priority than the default-dot1x user-role.
Here is how it works:
The user completes dot1x machine authentication; the RADIUS server returns the VSA user-role, and the user picks up the VSA user-role.
When the same user then completes dot1x user authentication, no VSA user-role is configured on the RADIUS server for that authentication, and the user entry is still present in the user-table with the VSA user-role.
The client will not pick up the default-dot1x role, because the user is already present in the user-table with the higher-priority VSA user-role.
Prior to Aruba OS 6.4.3.x, the user in the above scenario would pick up the default-dot1x role; after upgrading to Aruba OS 6.4.3.x, the user will retain the higher-priority VSA user-role.
If this scenario exists prior to 6.4.3.x and an upgrade to 6.4.3.x or above is planned, the solution is to also configure a VSA user-role for user authentication; the user will then fall into the new VSA user-role.
Otherwise, the user will retain the VSA user-role that was assigned after completing dot1x machine authentication.
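To make the precedence rule and the before/after behaviour concrete, the following is an added Python model written for this article; it is not ArubaOS code, and the MAC address, role names and numeric priorities are constructed assumptions that only preserve the ordering the article states (a VSA-delivered role outranks default-dot1x). It walks the machine-auth then user-auth sequence under the pre-6.4.3.x rule, the 6.4.3.x+ rule, and the recommended fix of returning a VSA role for user authentication as well.

```python
"""Model of L2 user-role derivation around the ArubaOS 6.4.3.x change.

Added illustration, not ArubaOS code. Assumes enforce machine authentication
is disabled, so machine and user authentication are independent dot1x events
against the same user-table entry.
"""
from dataclasses import dataclass
from typing import Dict, Optional

DEFAULT_DOT1X = "default-dot1x"


def priority(role: str) -> int:
    """Constructed priorities: any role delivered via the Aruba-User-Role VSA
    outranks the fallback default-dot1x role. Only the ordering matters."""
    return 10 if role == DEFAULT_DOT1X else 20


@dataclass
class UserEntry:
    mac: str
    role: str
    set_by: str  # auth phase that last set the role: "machine" or "user"


class Controller:
    """Simplified user-table with the two role-derivation rules."""

    def __init__(self, streamlined: bool) -> None:
        # streamlined=True models 6.4.3.x and above; False models earlier releases
        self.streamlined = streamlined
        self.user_table: Dict[str, UserEntry] = {}

    def dot1x_auth(self, mac: str, phase: str, vsa_role: Optional[str] = None) -> str:
        """Apply one dot1x authentication result and return the resulting role.

        phase is "machine" or "user"; vsa_role is the Aruba-User-Role value the
        RADIUS server returned, or None when the server sent no VSA, in which
        case the candidate role is default-dot1x.
        """
        candidate = vsa_role if vsa_role else DEFAULT_DOT1X
        existing = self.user_table.get(mac)

        if existing is None or not self.streamlined:
            # Pre-6.4.3.x: every authentication re-derives the role, so a user
            # auth without a VSA drops the client into default-dot1x.
            self.user_table[mac] = UserEntry(mac, candidate, phase)
            return candidate

        # 6.4.3.x+: a lower-priority L2 role never displaces a higher one that is
        # already in the user-table. Equal priority (a new VSA role) still applies,
        # which is why configuring a VSA role for user auth is the fix.
        if priority(candidate) >= priority(existing.role):
            self.user_table[mac] = UserEntry(mac, candidate, phase)
        return self.user_table[mac].role


def machine_then_user_auth(streamlined: bool, user_vsa_role: Optional[str]) -> str:
    """Run the article's sequence: machine auth with a VSA role, then user auth
    with either no VSA (the problem case) or a VSA role (the fix)."""
    ctl = Controller(streamlined)
    mac = "00:11:22:aa:bb:cc"  # constructed sample client
    ctl.dot1x_auth(mac, "machine", vsa_role="machine-vsa-role")
    return ctl.dot1x_auth(mac, "user", vsa_role=user_vsa_role)


if __name__ == "__main__":
    print("pre-6.4.3.x, no VSA on user auth :", machine_then_user_auth(False, None))
    print("6.4.3.x+,    no VSA on user auth :", machine_then_user_auth(True, None))
    print("6.4.3.x+,    VSA on user auth    :", machine_then_user_auth(True, "user-vsa-role"))
```

Running the script shows the three outcomes the article describes: the old release falls back to default-dot1x, the new release keeps the machine-auth VSA role, and returning a VSA role for user authentication moves the client into that role on either rule.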