Users/Devices and Policy Enforcement Recommendations

The following table specifies the enforcement recommendations for different types of users and devices. While tunneling the traffic is recommended in some cases, other cases can be met by simply using local forwarding on the switch.

| Type | Enforcement | Description |
|------|-------------|-------------|
| Access Point | Local | Local infrastructure device. |
| Voice/Video Device | Local | Desk and conference phones, security cameras, and room media systems. |
| Employee on Managed Device | Local | Users connecting from a healthy and managed device can stay local to the Aruba switch. |
| Employee on Unmanaged Device | Tunnel | Users connecting from an unmanaged or potentially untrusted device can be tunneled. |
| New/Unknown Device | Tunnel | Tunnel new or unknown devices, potentially untrusted devices used for profiling, potential onboarding, guest registration, and quarantine. |
| Guest User | Tunnel | Guest users to DMZ guest network. |
| Contractor | Tunnel | Contractors may need more access than a traditional guest user. |
| Change in User/Device Posture | Tunnel | User or device goes from a healthy to unhealthy state (OnGuard checks, IntroSpect notification, Ingress Event Engine Notification). |