New Contributor

CPPM RADIUS Authenticatiion



We want to accomplish following by Clear Pass:-


users comming from employee SSID need to get different VLANS on the bases of conditions


Purpose is to give allow all contents (fb,youtube etc;) for VIP users while others will get blocked access. We have done it with different SSIDs but we want to do it in one SSID. We will use Cisco ACS and ClearPass to get it done.


Any suggestions, please...


Thanks & Regards



Guru Elite

Re: CPPM RADIUS Authenticatiion

You would build multiple enforcement profiles that return the Aruba User VLAN VSA. You could also return a user-role that has a VLAN assigned to it in the controller.



| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: CPPM RADIUS Authenticatiion

Thanks for the reply. But it is still not clear to me. A user joins SSID "abc"  using his active directory user ID, I want Clear Pass to give him role/vlan based on his user ID (staff and exective having different vlans). CPPM can not differentiate users because users are in AD. There should be some sort of mechanism so that RADIUS server can differnciate users and return some string or value which could be used by CPPM to be used in enforcement Policy.

Re: CPPM RADIUS Authenticatiion




You can do the following :


You need to make sure CCPM it's already part of the domain and it's able to read attributes from AD , if this is already setup just follow these steps


 Create a Role Mapping Screen Shot 2013-07-23 at 8.18.24 AM.png


Then add the rules that will match in AD 

Screen Shot 2013-07-23 at 8.19.52 AM.png


Create a role 

Screen Shot 2013-07-23 at 8.21.57 AM.png


Create an enforcement profile 

Screen Shot 2013-07-23 at 8.24.24 AM.png


Add the attributes that you want to match VLAN and USER-ROLE created in the controller

Screen Shot 2013-07-23 at 9.05.36 AM.png


Create a enforcement policy and add the enforcement profile already created

Screen Shot 2013-07-23 at 8.25.29 AM.png



Add the rules to the enforcement policy to match the Role you created under CCPM (AD Test Group)


Screen Shot 2013-07-23 at 8.32.43 AM.png


And Finally add this role to the Service 

Screen Shot 2013-07-23 at 8.36.58 AM.png

Thank you

Victor Fabian
Lead Mobility Architect @WEI
Search Airheads
Showing results for 
Search instead for 
Did you mean: