HPE6-A78 Exam - Topic 1 Question 83 Discussion

In an AOS-8 Mobility Controller (MC) environment, a WLAN is configured with WPA3-Enterprise security, using HPE Aruba Networking ClearPass Policy Manager (CPPM) for authentication. The WLAN's default role is set to 'guest,' which would be applied if no specific role is assigned after authentication. The MC has several roles configured, including 'general-access' (note the underscore in the question : 'general

_access').

The client successfully authenticates, and CPPM sends an Access-Accept message with an Aruba-User-Role Vendor-Specific Attribute (VSA) set to 'general_access.' In AOS-8, the Aruba-User-Role VSA is used to assign a specific role to the client, overriding the default role configured on the WLAN. The role specified in the VSA must match a role that exists on the MC. Since 'general-access' (or 'general_access' as written in the question) is listed among the roles configured on the MC, the MC will apply this role to the client.

The underscore in 'general_access' in the VSA versus the hyphen in 'general-access' in the MC's role list is likely a typographical inconsistency in the question. In practice, AOS-8 role names are case-insensitive and typically use hyphens, not underscores, but for the purpose of this question, we assume 'general_access' matches 'general-access' as the intended role.

Option A, 'guest,' is incorrect because the guest role is the default 802.1X role for the WLAN, but it is overridden by the Aruba-User-Role VSA specifying 'general_access.'

Option B, 'logon,' is incorrect because the logon role is typically applied during the authentication process (e.g., to allow access to DNS or RADIUS servers), not after successful authentication when a specific role is assigned.

Option C, 'general-access,' is correct because the MC applies the role specified in the Aruba-User-Role VSA ('general_access'), which matches the 'general-access' role configured on the MC.

Option D, 'authenticated,' is incorrect because the 'authenticated' role is not specified in the VSA, and there is no indication that it is the default role for successful authentication in this scenario.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

'When a client authenticates successfully via 802.1X, the Mobility Controller checks for an Aruba-User-Role VSA in the RADIUS Access-Accept message. If the VSA is present and the specified role exists on the controller, the controller assigns that role to the client, overriding the default 802.1X role configured for the WLAN. For example, if the VSA specifies 'general-access' and this role is configured on the controller, the client will be assigned the 'general-access' role.' (Page 305, Role Assignment Section)

Additionally, the HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide notes:

'The Aruba-User-Role VSA allows ClearPass to assign a specific role to a client on an Aruba Mobility Controller. The role name sent in the VSA must match a role configured on the controller, and the controller will apply this role to the client session, ignoring the default role for the WLAN.' (Page 289, RADIUS Enforcement Section)

:

HPE Aruba Networking AOS-8 8.11 User Guide, Role Assignment Section, Page 305.

HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, RADIUS Enforcement Section, Page 289.

===========