A port access policy lets network administrators define a set of rules that restrict or alter the passage of traffic for clients onboarding to a switch that has port security (802.1X or MAC authentication) enabled.

Unlike classifier policies, which are associated with individual front plane ports, Link Aggregation Groups (LAGs), and VLAN or tunnel interfaces, port-access policies are associated with roles. After a user authenticates, the policy of the role assigned to that user is applied to the user's traffic.

The switch can obtain policies from any of the following sources:
  • Local: Policies configured locally on the switch.

  • Downloaded: Policies downloaded from a ClearPass Policy Manager server.

  • RADIUS: Policies configured using the NAS-Filter-Rule or Aruba-NAS-Filter-Rule RADIUS attributes.


Neither local nor downloaded policies have any standards associated with them. Policies that are obtained from the RADIUS server must support all criteria that can be defined using the NAS-Filter-Rule attribute.
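
The following is an added example, not taken from the original page or from the switch software. It reviews the NAS-Filter-Rule values a RADIUS server is configured to send before they reach a switch. It assumes the RFC 4849 encoding (rules separated by NUL, and possibly spanning consecutive attributes) and the core IPFilterRule syntax of RFC 3588; the names `split_rules`, `parse_rule`, `audit` and `SAMPLE` are hypothetical.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "action direction proto src src_ports dst dst_ports options")

# Core IPFilterRule form (RFC 3588, section 4.3):
#   action dir proto from src [ports] to dst [ports] [options]
_PORTS = r"\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*"
_ADDR = r"!?(?:any|assigned|[0-9A-Fa-f:.]+(?:/\d+)?)"
_RULE = re.compile(
    rf"(permit|deny)\s+(in|out)\s+(ip|\d+)\s+"
    rf"from\s+({_ADDR})(?:\s+({_PORTS}))?\s+"
    rf"to\s+({_ADDR})(?:\s+({_PORTS}))?(?:\s+(.+))?"
)

def split_rules(attr_values):
    """Join the String fields of consecutive attributes, then split on NUL."""
    blob = b"".join(attr_values)
    return [r.decode("utf-8", "replace").strip()
            for r in blob.split(b"\x00") if r.strip()]

def parse_rule(text):
    """Parse one rule into its fields, or raise ValueError if it is malformed."""
    m = _RULE.fullmatch(text)
    if m is None:
        raise ValueError(f"not valid IPFilterRule syntax: {text!r}")
    return Rule(*(g or "" for g in m.groups()))

def audit(attr_values):
    """Return (parsed rules, findings a reviewer should look at)."""
    rules, findings = [], []
    for text in split_rules(attr_values):
        try:
            rule = parse_rule(text)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        rules.append(rule)
        # proto, src, src_ports, dst, dst_ports, options all unrestricted
        if rule.action == "permit" and rule[2:] == ("ip", "any", "", "any", "", ""):
            findings.append(f"permits all traffic: {text!r}")
    return rules, findings

# Constructed sample: two attribute values; the second rule spans the boundary.
SAMPLE = [
    b"permit in 17 from any 68 to any 67\x00permit in 6 from any to 10.",
    b"0.0.5 443\x00permit in ip from any to any\x00allow in ip from any to any",
]
```

Running `audit(SAMPLE)` yields three parsed rules and two findings: the unrestricted permit and the rule with the unrecognised action `allow`.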