Operational notes
Consider the following operational notes for port access roles:
- When roles are enabled, they are applied to all devices connected to ports where authentication is configured.
- Special roles, such as critical, reject, pre-auth, and auth, are applied depending on the authentication state of the device.
- Roles can be applied in one of the following two ways:
  - Vendor-Specific Attribute (VSA)-Derived Role
    Type: RADIUS: Aruba
    Name: Aruba-User-Role
    ID: 25
    Value: <myUserRole>
    See Vendor-Specific Attributes supported in session authorization.
    The RADIUS server (ClearPass Policy Manager server) determines how the VSA-derived role is applied to the user. The role is sent to the switch through a RADIUS VSA. The VSA-derived role has the same precedence order as the authentication type (802.1x, MAC authentication).
  - User Derived Role (UDR)
    The UDR is applied when roles are enabled.
    The UDR has the same precedence order as the authentication type (802.1x, MAC authentication).
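To check which role a RADIUS server actually sent for the VSA-derived case, the attribute section of a captured Access-Accept can be decoded as shown in this added example (not part of the Aruba documentation). The ID 25 is the value listed above; the vendor ID 14823 (Aruba's IANA enterprise number), the function names, and the sample bytes are assumptions made for the illustration.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type that carries VSAs
ARUBA_VENDOR_ID = 14823     # assumption: Aruba's IANA enterprise number (not on this page)
ARUBA_USER_ROLE_ID = 25     # ID listed for Aruba-User-Role on this page


def encode_role_vsa(role, vendor_id=ARUBA_VENDOR_ID, vsa_id=ARUBA_USER_ROLE_ID):
    """Build one Vendor-Specific attribute carrying a role name (hypothetical helper)."""
    data = role.encode("utf-8")
    sub = bytes([vsa_id, len(data) + 2]) + data      # vendor type, vendor length, value
    if len(sub) + 6 > 255:
        raise ValueError("role name too long for a single attribute")
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub


def extract_roles(attrs, vendor_id=ARUBA_VENDOR_ID, vsa_id=ARUBA_USER_ROLE_ID):
    """Return every role found in the attribute section of a RADIUS packet."""
    roles, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue                                  # not a VSA
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue                                  # VSA from another vendor
        sub, i = value[4:], 0
        while i + 2 <= len(sub):                      # walk the vendor sub-attributes
            s_type, s_len = sub[i], sub[i + 1]
            if s_len < 2 or i + s_len > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if s_type == vsa_id:
                roles.append(sub[i + 2:i + s_len].decode("utf-8"))
            i += s_len
    return roles


# Constructed sample: User-Name, a VSA from another vendor, then the role VSA.
SAMPLE = (bytes([1, 7]) + b"alice"
          + encode_role_vsa("ignored", vendor_id=9)
          + encode_role_vsa("myUserRole"))

if __name__ == "__main__":
    print(extract_roles(SAMPLE))
```

The parser rejects attributes whose length fields run past the buffer instead of reading on, so a truncated or malformed capture raises an error rather than yielding a partial role name.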