Vendor-Specific Attributes supported in session authorization

The following Vendor-Specific Attributes (VSAs) are supported in session authorization:

| Attribute Name            | Length | Type    | Aruba Vendor ID | Aruba Attribute Type |
|---------------------------|--------|---------|-----------------|----------------------|
| Aruba-CPPM-Role           | <=63   | string  | 14823           | 23                   |
| Aruba-PoE-Priority        | 4      | integer | 14823           | 49                   |
| Aruba-Port-Auth-Mode      | 4      | integer | 14823           | 50                   |
| Aruba-NAS-Filter-Rule     | <=247  | string  | 14823           | 51                   |
| Aruba-QoS-Trust-Mode      | 4      | integer | 14823           | 52                   |
| Aruba-Gateway-Zone        | <=63   | string  | 14823           | 54                   |
| Aruba-UBT-Gateway-Role    | <=63   | string  | 14823           | 53                   |
| Aruba-Captive-Portal-URL  | <=247  | string  | 14823           | 43                   |
| Aruba-User-Role           | <=63   | string  | 14823           | 1                    |
| Aruba-Port-Bounce         | 4      | integer | 14823           | 40                   |

  • Change of Authorization of specific attributes in the user role is not supported. Only the entire role can be changed.

  • Similarly, if the session is using RADIUS attributes, CoA can change only the RADIUS session attributes.

  • Change of Authorization to a user role for a session using RADIUS attributes is not supported either. If this action is attempted, a NAK message is sent.

Description of VSAs


Aruba-CPPM-Role

This attribute is used to download roles from ClearPass Policy Manager.


Aruba-PoE-Priority

Specifies the PoE priority of onboarding devices post authentication. The following values are supported:

  • 0: Critical

  • 1: Medium

  • 2: Low

This attribute overrides the PoE priority configured on the port where the device onboards. This attribute is typically used for infrastructure devices. When multiple clients request different priorities, the critical priority takes precedence over the medium priority, and the medium priority takes precedence over the low priority setting.


Aruba-Port-Auth-Mode

Specifies the authentication mode of the port post authentication. The following values are supported:

  • 1: Device mode—In this mode, an infrastructure device, for example, switch or access point, is authenticated first, and all devices connecting to this authenticated device are allowed access. Here, the policy and VLAN attributes are applied at the port-level. In device mode, it is expected that only one device is active and authenticated at any instant. Untagged VLAN will override the port VLAN ID and the tagged VLANs will override the tagged VLANs that are configured on the port using the CLI.

  • 2: Client mode—In this mode, all devices trying to onboard on that port are authenticated. Here, the policy and VLAN attributes are applied per client. Untagged VLAN is configured using MAC-based VLAN. Tagged VLANs are arbitrated among all clients and the result is applied to the port.


Aruba-NAS-Filter-Rule

This attribute is similar to the NAS-Filter-Rule RFC attribute, with additional functionality to support vendor-specific actions in the rule. The supported vendor-specific action is cp-redirect, which redirects device HTTP traffic to captive portal authentication. This attribute can also be used to perform other actions such as count and rate-limiting. Multiple instances of this attribute are supported; however, the maximum number of filter rules (including this VSA and NAS-Filter-Rule) supported per client is 128. A single NAS-Filter-Rule attribute split across multiple VSAs is not supported, because servers such as FreeRADIUS and ClearPass Policy Manager do not terminate a filter rule with a '\0' value. Most policy servers use one filter rule per VSA.


Aruba-QoS-Trust-Mode

Specifies how the switch assigns local priority values to ingress packets. The following values are supported:

  • 0: Trust mode DSCP

  • 1: Trust mode QoS

  • 2: No trust mode configuration

This attribute overrides the trust mode configured on the port where the device onboards. This attribute is typically used for infrastructure devices. When multiple clients request different trust modes, the DSCP trust mode takes precedence over the QoS trust mode, and the QoS trust mode takes precedence over the no trust mode configuration setting.


Aruba-Gateway-Zone

Specifies the gateway zone name where the device traffic will be tunneled after authentication.


Aruba-UBT-Gateway-Role

Specifies the role to be applied for devices in the controller. This attribute must be used with the Aruba-Gateway-Zone attribute for onboarding devices using User-Based Tunneling (UBT).


Aruba-Captive-Portal-URL

Specifies the URL to be used for captive portal redirection. This attribute and the Aruba-NAS-Filter-Rule VSA must be used together to authenticate a client using captive portal authentication. For URLs longer than 247 characters, multiple VSAs can be used, and the switch merges these VSAs to form a single URL. The maximum URL size supported is 1024 characters.
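
The 247-byte ceiling on string VSAs follows from RADIUS framing: an attribute is at most 255 bytes and the type-26 wrapper (type, length, 4-byte vendor ID, sub-type, sub-length) uses 8 of them. The Python checker below is an added example, not Aruba code; it validates a reply's attributes against the table, merges Captive-Portal-URL fragments and counts filter rules. It assumes the RFC 2865 recommended VSA layout with one sub-attribute per VSA; `encode_vsa`, `parse_session_vsas` and the `portal.example.test` URL are names constructed for illustration.

```python
import struct
ARUBA_VENDOR_ID, VENDOR_SPECIFIC, NAS_FILTER_RULE = 14823, 26, 92  # 26 and 92 are RFC types
MAX_URL, MAX_RULES = 1024, 128                                     # limits stated above
# Aruba attribute type -> (name, max string length, or None for a 4-byte integer)
ARUBA_VSAS = {
    1: ("Aruba-User-Role", 63), 23: ("Aruba-CPPM-Role", 63),
    40: ("Aruba-Port-Bounce", None), 43: ("Aruba-Captive-Portal-URL", 247),
    49: ("Aruba-PoE-Priority", None), 50: ("Aruba-Port-Auth-Mode", None),
    51: ("Aruba-NAS-Filter-Rule", 247), 52: ("Aruba-QoS-Trust-Mode", None),
    53: ("Aruba-UBT-Gateway-Role", 63), 54: ("Aruba-Gateway-Zone", 63),
}

def encode_vsa(vtype, value):
    """Build one type-26 attribute carrying a single Aruba sub-attribute."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    sub = bytes([vtype, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", ARUBA_VENDOR_ID) + sub

def parse_session_vsas(attrs):
    """Check the attribute bytes of a RADIUS reply against the limits in the table."""
    out, rules, pos = {}, [], 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if pos + 1 < len(attrs) else 0
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        atype, body = attrs[pos], attrs[pos + 2 : pos + alen]
        pos += alen
        if atype == NAS_FILTER_RULE:
            rules.append(body.decode())          # standard rules share the 128 budget
        if atype != VENDOR_SPECIFIC or body[:4] != struct.pack("!I", ARUBA_VENDOR_ID):
            continue
        if len(body) < 6 or body[5] != len(body) - 4 or body[4] not in ARUBA_VSAS:
            raise ValueError("unexpected Aruba sub-attribute")  # this checker's policy
        (name, limit), data = ARUBA_VSAS[body[4]], body[6:]
        if limit is None:
            if len(data) != 4:
                raise ValueError(f"{name}: integer must be 4 bytes")
            out[name] = struct.unpack("!I", data)[0]
        elif len(data) > limit:
            raise ValueError(f"{name}: longer than {limit} bytes")
        elif body[4] == 51:
            rules.append(data.decode())          # one filter rule per VSA
        else:                                    # only type 43 fragments are concatenated
            out[name] = (out.get(name, "") if body[4] == 43 else "") + data.decode()
    if len(out.get("Aruba-Captive-Portal-URL", "")) > MAX_URL or len(rules) > MAX_RULES:
        raise ValueError("captive portal URL or filter-rule count over the limit")
    return {**out, "filter-rules": rules}

SAMPLE_URL = "https://portal.example.test/guest?" + "x" * 266   # constructed, 300 chars
SAMPLE = encode_vsa(43, SAMPLE_URL[:247]) + encode_vsa(43, SAMPLE_URL[247:]) + encode_vsa(49, 0)
```

Running `parse_session_vsas(SAMPLE)` returns the reassembled 300-character URL and a PoE priority of 0 (Critical).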


Aruba-User-Role

Specifies the role that must be applied for the devices post authentication. The role must be defined on the switch. All the session attributes can be defined in the role. Session authorization attributes (both standard and VSAs) sent with this attribute are ignored.


Aruba-Port-Bounce

Used in the CoA message to signal the switch to shut down the port for the duration specified.