Configuring Downloadable Roles

HPE Aruba Networking Central allows you to download pre-existing user roles when you create network profiles.

The Downloadable Role feature is available only for networks that include access points (APs) that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8.

Aruba Instant and ClearPass Policy Manager include support for centralized policy definition and distribution.

When ClearPass Policy Manager successfully authenticates a user, the user is assigned a role by ClearPass Policy Manager. If the role is not defined on the IAP, the role attributes can also be downloaded automatically. In order to provide highly granular per-user level access, user roles can be created when a user has been successfully authenticated. During the configuration of a policy enforcement profile in ClearPass Policy Manager, the administrator can define a role that should be assigned to the user after successful authentication. In RADIUS authentication, when ClearPass Policy Manager successfully authenticates a user, the user is assigned a role by ClearPass Policy Manager.

If the role is not defined on the IAP, the role attributes can also be downloaded automatically. This feature supports roles obtained by the following authentication methods:

This section describes the following topics:

ClearPass Policy Manager Certificate Validation for Downloadable Role

When a ClearPass Policy Manager server is configured as the domain for RADIUS authentication for downloading user roles, in order to validate the ClearPass Policy Manager customized CA, IAPs are required to publish the root CA for the HTTPS server to the well-known URL (http://<clearpass-fqdn>/.wellknown/aruba/clearpass/https-root.pem). The IAP must ensure that an FQDN is defined in the above URL for the RADIUS server and then attempt to fetch the trust anchor by using the RADIUS FQDN. Upon configuring the domain of the ClearPass Policy Manager server for RADIUS authentication along with a username and password, the IAP tries to retrieve the CA from the above well-known URL and store it in flash memory. However, if there is more than one ClearPass Policy Manager server configured for authentication, the CA must be uploaded manually.
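A check an administrator can run before relying on the automatic retrieval described above, added here as an example and not taken from HPE Aruba documentation or code: it builds the well-known URL from the RADIUS FQDN (rejecting IP addresses, since an FQDN is required) and compares the SHA-256 fingerprint of the published PEM file with a fingerprint obtained out of band. The function names and the pinned fingerprint are assumptions; the path is the one printed on this page.

```python
import hashlib
import hmac
import ipaddress
import ssl
import urllib.request

# Path as printed on this page for the ClearPass HTTPS root CA.
WELL_KNOWN_PATH = "/.wellknown/aruba/clearpass/https-root.pem"
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def well_known_url(radius_host: str) -> str:
    """Build the trust-anchor URL; the page requires an FQDN, not an IP."""
    host = radius_host.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, continue with the FQDN checks
    else:
        raise ValueError(f"{radius_host!r} is an IP address, an FQDN is required")
    if "." not in host or any(not label for label in host.split(".")):
        raise ValueError(f"{radius_host!r} is not a fully qualified domain name")
    return f"http://{host}{WELL_KNOWN_PATH}"


def pem_fingerprints(pem_text: str) -> list[str]:
    """SHA-256 fingerprint (hex) of every certificate block in a PEM file."""
    prints = []
    for chunk in pem_text.split(PEM_HEADER)[1:]:
        body = chunk.split(PEM_FOOTER)[0]
        der = ssl.PEM_cert_to_DER_cert(f"{PEM_HEADER}\n{body.strip()}\n{PEM_FOOTER}\n")
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def anchor_matches(pem_text: str, pinned_sha256: str) -> bool:
    """True only if the file holds exactly one cert and it equals the pin."""
    found = pem_fingerprints(pem_text)
    pinned = pinned_sha256.replace(":", "").lower()
    return len(found) == 1 and hmac.compare_digest(found[0], pinned)


def fetch_anchor(radius_host: str, timeout: float = 5.0) -> str:
    """Download what an IAP would retrieve, for comparison against the pin."""
    with urllib.request.urlopen(well_known_url(radius_host), timeout=timeout) as resp:
        return resp.read().decode("ascii")
```

Run `anchor_matches(fetch_anchor("<clearpass-fqdn>"), pinned)` from the AP management network; a mismatch, or a file holding more than one certificate, is a reason to upload the CA manually instead.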

Enabling Downloadable Role Feature for Wireless Networks in HPE Aruba Networking Central

To enable the Downloadable Role feature, complete the following steps:

  1. In the WebUI, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click the WLANs tab.

    The WLANs details page is displayed.

  5. In the WLANs tab, click + Add SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
  6. In the Security tab, select the RADIUS server in the Primary Server field.

    At least one RADIUS server must be configured to apply the Downloadable User Roles feature. For more information on configuring a RADIUS server, see Authentication Servers for IAPs.

  7. Click Next.
  8. The Access tab is displayed.
  9. Turn on the Downloadable Role toggle switch to allow downloading of pre-existing user roles. The CPPM Settings table, with the Name, CPPM Username, and Actions columns for the RADIUS servers, is displayed.
    • The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8.
    • At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for IAPs.
  10. Click the action corresponding to the RADIUS server listed in the CPPM Settings table. The Edit Server page is displayed.

    The Edit Server page displays the name of the RADIUS server. The Name field is non-editable.

  11. Enter the following details:
    1. CPPM Username—Enter the ClearPass Policy Manager admin username.
    2. Password—Enter the password.
    3. Retype—Retype the password.
  12. Click OK.

Enabling Downloadable Role Feature for Wired Networks in HPE Aruba Networking Central

To enable the Downloadable Role feature, perform the following steps:

  1. In the WebUI, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click Show Advanced.
  5. Click the Interfaces tab.

    The Interfaces page is displayed.

  6. Click the Wired accordion.
  7. Under Wired, click + Add Port Profile. To modify an existing profile, select the network that you want to edit in the Wired Port Profiles pane, and then click the edit icon.
  8. In the Security tab, select the RADIUS server in the Primary Server field.

    At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for IAPs.

  9. Click Next.
  10. The Access tab is displayed.
  11. Enable the Downloadable Role option to allow downloading of pre-existing user roles. The CPPM Settings table, with the Name, CPPM Username, and Actions columns for the RADIUS servers, is displayed.
    • The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8.
    • At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for IAPs.
  12. Click the action corresponding to the RADIUS server listed in the CPPM Settings table. The Edit Server page with the RADIUS server name is displayed.

    The Edit Server page displays the RADIUS server name. The Name field is non-editable.

  13. Enter the following details:
    1. CPPM Username—Enter the ClearPass Policy Manager admin username.
    2. Password—Enter the password.
    3. Retype—Retype the password.
  14. Click OK.