Using User Roles with User-Based Tunneling

User-Based Tunnels can also be used with Local User Roles and any third-party RADIUS server. This requires that the user roles be preconfigured on the switch. For truly colorless and dynamic policy management, Aruba recommends the use of ClearPass to dynamically send policies to both the switch and controller using Downloadable User Roles along with User-Based Tunneling.

The Aruba switch downloads user policies from ClearPass using downloadable user roles. This makes the ClearPass a centralized point to administer user policy to the access switch and minimize user configuration on the Aruba switch. For downloadable user roles to work appropriately, the signing Certificate Authority (CA) of the ClearPass HTTPS certificate must be added to the Aruba switch and marked as trusted. With ArubaOS-Switch 16.08, there is an automated way to download the CA certificate of ClearPass. Please refer to the Access Security Guide on using this feature.

ClearPass Sample Configuration

aaa authorization user-role name "<role-name>" 
vlan-id <vlan id> tunneled-node-server-redirect VSA

When the primary user role is downloaded onto the switch and the secondary user role is downloaded onto the controller:

When the primary user role is downloaded onto the switch and the secondary user role is manually configured on the controller (not sent through VSA):