ClearPass enforcing role to Instant


I'm having trouble passing a Role to an Instant using ClearPass.


It's not clear if I'm going about this the right way. This is my first attempt at doing this.


I have an Employee SSID set up on Instant to use ClearPass Onboard to provision and authenticate users.

The default role on the Employee SSID has an external captive portal, which points to the Onboard QuickConnect app.

That part works great. I can log in, go to the portal, download QuickConnect, and install certificates. Works just like the normal controller-based routine.


The problem I'm having is getting the ClearPass to change the default role of the Employee SSID to something else (allow all).

Without changing the default role, my client can only get to the captive portal.


I've got user roles set up in both ClearPass and Instant with the same name.

My ClearPass service for Onboard Provisioning is applying the right role. Looking at the Access Tracker, roles and enforcement profiles are being correctly assigned. I'm not sure if they are being accepted by the Instant AP.


I basically have two settings on my Onboard Provisioning.

First is the Role tab. I set up a role in ClearPass and it gets assigned.

Second is the Enforcement tab.  I have an enforcement profile set to the following:

Radius:Aruba    Aruba-User-Role    CRA_Instant    (type, name, value) ("CRA_Instant" is the name of my Role I'm trying to apply)


Now the canned choices from the drop-down menu are nothing like the value I have above.  Most look like %{Authorization:Active Directory:Name}  or something similar.  I'm not sure if I can just type in the name of a role I configured or if I have to use the language that is part of the drop down.  

Nothing in the drop-down list by default looks to be anything I could use in terms of Roles.


Maybe using enforcement as described above is not the way to go about this?


Any help, especially if I'm going off on a tangent, is appreciated.









You can simply type the name (case-sensitive) of the Aruba user role there.  You don't need to worry about the drop down list.


Can you cut and paste the IAP config?

Full config file attached.



CRA_IAP_Employee  is the SSID I'm having issues with.

Default access role would be "CRA_IAP_Employee"

Access role I'm trying to apply is "CRA_Instant"


The SSID config tab for Access Rules, as viewed in the GUI, defaults to Network-based. Reading from prior posts, this is expected and as designed.

What I'm not sure of, is if I send a RADIUS request to change the role from default, will the config change to role based?


Here are the config portions that may be of interest (not in order shown in config file):



wlan ssid-profile CRA_IAP_Employee
 index 1
 type employee
 essid CRA_IAP_Employee
 opmode wpa2-aes
 max-authentication-failures 0
 vlan 15
 auth-server clearpasscra
 rf-band all
 captive-portal disable
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter none
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

wlan access-rule CRA_Instant
 index 2
 rule any any match any any any permit

wlan access-rule CRA_IAP_Employee
 index 3
 captive-portal external profile Employee
 rule any any match any any any permit
 rule match tcp 443 443 permit
 rule match tcp 80 80 permit
 rule match tcp 443 443 permit
 rule match tcp 443 443 permit
 rule match tcp 443 443 permit
 rule any any match any any any deny

wlan auth-server clearpasscra
 port 1812
 acctport 1813
 key 3ab42c4060d6db48e5882ecb4b2a0e696756c5120a1185ff
 cppm-rfc3576-port 5999

wlan external-captive-portal Employee
 port 443
 url "/guest/landing.php/device_provisioning2.php"
 auth-text ""
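
Added example, not part of the thread and not Aruba or ClearPass tooling: since the role name typed into the enforcement profile is case-sensitive, this Python sketch compares an Aruba-User-Role value against the `wlan access-rule` names in an Instant config dump and flags values that differ only by case or stray whitespace. The function names and the trimmed sample config are constructed for illustration; only the role and SSID names come from the config above.

```python
import re

# Constructed sample: a trimmed config using the access-rule names posted above.
SAMPLE_CONFIG = """\
wlan ssid-profile CRA_IAP_Employee
 type employee
 essid CRA_IAP_Employee
 auth-server clearpasscra
wlan access-rule CRA_Instant
 rule any any match any any any permit
wlan access-rule CRA_IAP_Employee
 captive-portal external profile Employee
 rule any any match any any any deny
"""

# A role on the AP is defined by a top-level "wlan access-rule <name>" line.
ACCESS_RULE = re.compile(r"^wlan access-rule (.+?)[ \t]*$", re.MULTILINE)


def access_rule_names(config_text):
    """Return the access-rule (role) names defined in a config dump, in order."""
    return [m.group(1) for m in ACCESS_RULE.finditer(config_text)]


def check_role(config_text, radius_role):
    """Classify the value sent in Aruba-User-Role against the roles on the AP.

    Returns ("match", name) for an exact, case-sensitive match,
    ("near-miss", [names]) when only case or surrounding whitespace differs,
    and ("missing", []) when no role of that name is defined.
    """
    names = access_rule_names(config_text)
    if radius_role in names:
        return ("match", radius_role)
    wanted = radius_role.strip().casefold()
    near = [n for n in names if n.casefold() == wanted]
    if near:
        return ("near-miss", near)
    return ("missing", [])


if __name__ == "__main__":
    # The second and third values are constructed examples of typing errors.
    for value in ("CRA_Instant", "cra_instant", "CRA_Instant ", "Employee_Full"):
        print(repr(value), "->", check_role(SAMPLE_CONFIG, value))
```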





