VSA user-role priority change from Aruba OS 6.4.3.x and above


What is the change in Aruba VSA user-role priority in Aruba OS 6.4.3.x and above?


Starting from Aruba OS 6.4.3.x, the user-role flow has been streamlined.

In general, if a user is in a higher priority L2 user-role, then the user would not go into a lower priority L2 user-role.

The following scenario illustrates the change.
Enforce machine authentication is not enabled on the controller.
The Aruba VSA user-role is configured for machine authentication and not for user authentication.

The Aruba VSA user-role has a higher priority than the default-dot1x user-role.
Here is how it works:

The user completes dot1x machine authentication, the RADIUS server sends the VSA user-role, and the user picks up the VSA user-role.
The same user then completes dot1x user authentication. No VSA user-role is configured on the RADIUS server for user authentication, and the user entry is still present in the user-table with the VSA user-role.
The client will not pick up the default-dot1x role, because the user is already present in the user-table with the higher-priority VSA user-role.
Prior to Aruba OS 6.4.3.x, the user in the above scenario would pick up the default-dot1x role; after upgrading to Aruba OS 6.4.3.x, the user retains the higher-priority VSA user-role.
If this scenario exists prior to 6.4.3.x and an upgrade to 6.4.3.x or above is planned, the solution is to also create a VSA user-role for user authentication; the user will then fall into the new VSA user-role.
Otherwise, the user will retain the VSA user-role assigned after completing dot1x machine authentication.
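A small model of the role-selection rule described above, added here as an illustration; it is not Aruba code. The role names, the MAC address and the numeric priorities are assumed for the model; only the ordering (VSA user-role above default-dot1x) and the pre/post 6.4.3.x behaviours come from the article.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed numeric priorities; the article only states the ordering:
# a RADIUS VSA user-role outranks the default-dot1x role.
ROLE_PRIORITY = {"default-dot1x": 1, "vsa-machine-role": 2, "vsa-user-role": 2}


@dataclass
class UserEntry:
    """One row of the controller's user-table (constructed model)."""
    mac: str
    role: Optional[str] = None

    def priority(self) -> int:
        return ROLE_PRIORITY[self.role] if self.role else 0


@dataclass
class Controller:
    """Models L2 role derivation with enforce machine authentication off,
    as in the article's scenario."""
    streamlined: bool  # True models ArubaOS 6.4.3.x and above
    user_table: Dict[str, UserEntry] = field(default_factory=dict)

    def dot1x_auth(self, mac: str, vsa_role: Optional[str] = None) -> str:
        """Process one successful 802.1X authentication; vsa_role is the
        user-role VSA returned by RADIUS, or None if no role was sent."""
        entry = self.user_table.setdefault(mac, UserEntry(mac))
        derived = vsa_role or "default-dot1x"
        if (self.streamlined and entry.role
                and ROLE_PRIORITY[derived] < entry.priority()):
            # 6.4.3.x and above: an existing higher-priority L2 role is kept
            # and the lower-priority derived role is ignored.
            return entry.role
        # Pre-6.4.3.x: the latest derived role simply overwrites the entry.
        entry.role = derived
        return entry.role


def final_role(streamlined: bool, user_auth_vsa: Optional[str]) -> str:
    """Machine auth (RADIUS returns the VSA role) followed by user auth."""
    ctrl = Controller(streamlined)
    mac = "00:11:22:33:44:55"  # constructed client MAC
    ctrl.dot1x_auth(mac, vsa_role="vsa-machine-role")
    return ctrl.dot1x_auth(mac, vsa_role=user_auth_vsa)


if __name__ == "__main__":
    print("pre-6.4.3.x, no VSA for user auth:", final_role(False, None))
    print("6.4.3.x+, no VSA for user auth:   ", final_role(True, None))
    print("6.4.3.x+, VSA for user auth:      ", final_role(True, "vsa-user-role"))
```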

Version history
Revision #: 2 of 2
Last update: 03-15-2019 01:22 PM