Cisco side:
- Configure an ACL that allows communication to your CPPM through HTTP/HTTPS, and also allows DNS and DHCP. This ACL is similar to the captiveportal and logon-control ACLs on the Aruba side that you use for the Guest-Logon role or the onboard provisioning role.
- Create a network with Layer 2 802.1X, and in Layer 3 use a conditional redirect and select the preauth ACL you previously created.
- Add CPPM as a RADIUS server and enable CoA and RADIUS accounting.
Aruba:
You can use the onboard templates that already exist on your CPPM; the only thing you need to change is the enforcement profiles:
- For the redirect you need an enforcement profile using the Cisco RADIUS attribute Cisco av-pair, and instead of sending a role you use the URL-redirect:<Onboard URL>
- You can either assign a VLAN or send a RADIUS accept so the device gets the default VLAN assigned to the network
- To send a different VLAN you use the RADIUS IETF attributes:
IETF 64 (Tunnel Type)—Set this to VLAN.
IETF 65 (Tunnel Medium Type)—Set this to 802
IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
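
When checking a packet capture to confirm the VLAN assignment actually reaches the controller, it helps to know how these three attributes look on the wire. The following is an added example, not part of the original post: it encodes and decodes the attributes using the RFC 2868 layout, with the numeric values VLAN = 13 and IEEE-802 = 6 taken from RFC 3580. The function names and VLAN 30 are constructed for illustration.

```python
import struct

# Attribute numbers named in the post; VLAN=13 and IEEE-802=6 are the RFC 3580 values.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three tunnel attributes as they appear in an Access-Accept."""
    def tagged_int(attr, value):
        # type, length (always 6), tag, 24-bit value
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")
    if tag:
        group = bytes([tag]) + group  # the tag octet is optional for attribute 81
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group)

def decode_attrs(data):
    """Walk a RADIUS attribute list and return {attribute number: value}."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length for attribute {attr}")
        body = data[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if length != 6:
                raise ValueError(f"attribute {attr} must be 6 octets")
            out[attr] = int.from_bytes(body[1:], "big")  # skip the tag octet
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            if body and body[0] <= 0x1F:  # a leading octet <= 0x1F is a tag
                body = body[1:]
            out[attr] = body.decode("ascii")
        i += length
    return out

def assigned_vlan(data):
    """Return the VLAN ID string only if all three attributes agree."""
    a = decode_attrs(data)
    if a.get(TUNNEL_TYPE) == VLAN and a.get(TUNNEL_MEDIUM_TYPE) == IEEE_802:
        return a.get(TUNNEL_PRIVATE_GROUP_ID)
    return None

if __name__ == "__main__":
    sample = encode_vlan_attrs(30)  # VLAN 30 is a constructed sample value
    print(sample.hex(), "->", assigned_vlan(sample))
```

If `assigned_vlan` returns `None` for the attribute bytes taken from a captured Access-Accept, one of the three attributes is missing or carries a different value, and the client will stay in the network's default VLAN.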