Vendor-Specific Attributes supported in session authorization
Following are the Vendor-Specific Attributes (VSAs) supported in session authorization:
| Attribute Name | Length | Type | Aruba Vendor ID | Aruba Attribute Type |
|---------------------------|--------|---------|-----------------|----------------------|
| Aruba-CPPM-Role | <=63 | string | 14823 | 23 |
| Aruba-PoE-Priority | 4 | integer | 14823 | 49 |
| Aruba-Port-Auth-Mode | 4 | integer | 14823 | 50 |
| Aruba-NAS-Filter-Rule | <=247 | string | 14823 | 51 |
| Aruba-QoS-Trust-Mode | 4 | integer | 14823 | 52 |
| Aruba-Gateway-Zone | <=63 | string | 14823 | 54 |
| Aruba-UBT-Gateway-Role | <=63 | string | 14823 | 53 |
| Aruba-Captive-Portal-URL | <=247 | string | 14823 | 43 |
| Aruba-User-Role | <=63 | string | 14823 | 1 |
| Aruba-Port-Bounce | 4 | integer | 14823 | 40 |
Change of Authorization (CoA) of specific attributes in the user role is not supported. Only the entire role can be changed.
Similarly, if the session is using RADIUS attributes, CoA can change only the RADIUS session attributes.
Change of Authorization to a user role for a session that is using RADIUS attributes is not supported either. If this action is attempted, a NAK message is sent.
Description of VSAs
Aruba-CPPM-Role
This attribute is used to download roles from ClearPass Policy Manager.
Aruba-PoE-Priority
Specifies the PoE priority of onboarding devices post authentication. Following are the supported values:
0: Critical
1: Medium
2: Low
Aruba-Port-Auth-Mode
Specifies the authentication mode of the port post authentication. Following are the supported values:
1: Device mode—In this mode, an infrastructure device, for example, a switch or access point, is authenticated first, and all devices connecting to this authenticated device are allowed access. Here, the policy and VLAN attributes are applied at the port level. In device mode, it is expected that only one device is active and authenticated at any instant. The untagged VLAN will override the port VLAN ID, and the tagged VLANs will override the tagged VLANs that are configured on the port using the CLI.
2: Client mode—In this mode, all devices trying to onboard on that port are authenticated. Here, the policy and VLAN attributes are applied per client. The untagged VLAN is configured using MAC-based VLAN. Tagged VLANs are arbitrated among all clients and the result is applied to the port.
Aruba-NAS-Filter-Rule
This attribute is similar to the NAS-Filter-Rule RFC attribute but with additional functionality to support vendor-specific actions in the rule. The vendor-specific action supported is cp-redirect, which is used to redirect device HTTP traffic to captive portal authentication. This attribute can also be used to perform other actions such as count and rate-limiting. Multiple instances of this attribute are supported; however, the maximum number of filter rules (including this VSA and NAS-Filter-Rule) supported per client is 128. A single NAS-Filter-Rule attribute split across multiple VSAs is not supported, because servers such as FreeRADIUS and ClearPass Policy Manager do not terminate the filter rule with a '\0' value. Most policy servers use one filter rule per VSA.
Aruba-QoS-Trust-Mode
Specifies how the switch assigns local priority values to ingress packets. Following are the supported values:
0: Trust mode DSCP
1: Trust mode QoS
2: No trust mode configuration
Aruba-Gateway-Zone
Specifies the gateway zone name where the device traffic will be tunneled after authentication.
Aruba-UBT-Gateway-Role
Specifies the role to be applied for devices in the controller. This attribute must be used with the Aruba-Gateway-Zone attribute for onboarding devices using User-Based Tunneling (UBT).
Aruba-Captive-Portal-URL
Specifies the URL to be used for captive portal redirection. This attribute, together with the Aruba-NAS-Filter-Rule VSA, must be used to authenticate a client using captive portal authentication. For URLs longer than 247 characters, multiple VSAs can be used and the switch merges these VSAs to form a single URL. The maximum URL size supported is 1024 characters.
Aruba-User-Role
Specifies the role that must be applied for the devices post authentication. The role must be defined on the switch. All the session attributes can be defined in the role. Session authorization attributes (both standard and VSAs) sent with this attribute are ignored.
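As an added illustration (not Aruba's code or any switch implementation), the following Python encodes and parses Aruba VSAs in the RADIUS Vendor-Specific (type 26) wire format using the vendor ID and attribute types from the table above, splits an Aruba-Captive-Portal-URL longer than 247 characters across several VSAs and merges it back up to the 1024-character limit, and keeps every Aruba-NAS-Filter-Rule VSA as one separate rule. The attribute names and limits are the page's; the sample URL and filter rules in the comments are constructed.

```python
import struct

ARUBA_VENDOR_ID = 14823   # Aruba Vendor ID from the table above
VSA_TYPE = 26             # RADIUS Vendor-Specific attribute type (RFC 2865)
MAX_URL_LEN = 1024        # merged captive-portal URL limit stated on this page

ARUBA_ATTRS = {  # name -> (Aruba attribute type, value kind, per-VSA max length)
    "Aruba-User-Role": (1, "string", 63),
    "Aruba-Captive-Portal-URL": (43, "string", 247),
    "Aruba-NAS-Filter-Rule": (51, "string", 247),
    "Aruba-Port-Auth-Mode": (50, "integer", 4),
}
BY_TYPE = {v[0]: k for k, v in ARUBA_ATTRS.items()}

def encode_vsa(name, value):
    """Encode one Aruba VSA as RADIUS attribute 26; only the URL may span several VSAs."""
    vtype, kind, limit = ARUBA_ATTRS[name]
    if kind == "integer":
        chunks = [struct.pack("!I", value)]
    else:
        data = value.encode()
        cap = MAX_URL_LEN if name == "Aruba-Captive-Portal-URL" else limit
        if len(data) > cap:
            raise ValueError(f"{name} value exceeds {cap} characters")
        chunks = [data[i:i + limit] for i in range(0, len(data), limit)]
    out = b""
    for c in chunks:  # vendor-id(4) + vendor-type(1) + vendor-length(1) + value
        body = struct.pack("!IBB", ARUBA_VENDOR_ID, vtype, len(c) + 2) + c
        out += struct.pack("!BB", VSA_TYPE, len(body) + 2) + body
    return out

def decode_vsas(attrs):
    """Parse RADIUS attributes into [(name, value)], merging split URL pieces only."""
    result, i = [], 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        body, i = attrs[i + 2:i + alen], i + alen
        if atype != VSA_TYPE or len(body) < 6:
            continue  # not a VSA (e.g. User-Name), or too short to carry a vendor header
        vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
        if vendor != ARUBA_VENDOR_ID or vlen != len(body) - 4 or vtype not in BY_TYPE:
            continue  # another vendor, inconsistent vendor-length, or an attribute not listed here
        name, raw = BY_TYPE[vtype], body[6:]
        val = struct.unpack("!I", raw)[0] if ARUBA_ATTRS[name][1] == "integer" else raw.decode()
        if name == "Aruba-Captive-Portal-URL" and result and result[-1][0] == name:
            result[-1] = (name, result[-1][1] + val)  # switch merges URL VSAs into one URL
        else:
            result.append((name, val))  # filter rules stay one rule per VSA, never merged
    return result
```

Feeding the encoder a constructed 429-character URL such as "https://portal.example/guest?" followed by 400 "x" characters yields two VSAs (247 and 182 bytes of value) that decode back to the single original URL.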
Aruba-Port-Bounce
Used in the CoA message to signal the switch to shut down the port for the duration specified.