Aruba ClearPass Role Mapping and Enforcement Policy with Active Directory (Wireless 802.1X)

Network Access Control (NAC) is a critical component of modern enterprise security. One of the most widely deployed NAC platforms today is Aruba Networks ClearPass, which enables centralized authentication, authorization, and policy enforcement across wired and wireless networks.

In this article, we walk through a practical lab demonstrating how to:

  • Create roles in ClearPass

  • Build Role Mapping Policies

  • Create Enforcement Policies

  • Authenticate wireless users using 802.1X

  • Integrate ClearPass with Microsoft Active Directory

  • Validate authentication from an Aruba Wireless LAN Controller (WLC)

This guide is ideal for network engineers, security engineers, and anyone preparing for Aruba certifications.

Understanding Roles in Aruba ClearPass

In ClearPass, a role is simply a tag that represents a user or device attribute. A role does not by itself grant or restrict network access; enforcement policies evaluate the assigned roles later to decide what access the user receives.

Example roles used in this lab:

  • IT

  • HR

  • Finance

Best practice is to design roles based on your organization’s directory structure. Reviewing your Active Directory Organizational Units (OUs) or user attributes (such as Department) helps you plan meaningful roles.

Creating Roles in ClearPass

Navigate to:

Identity → Roles

Create each role with a clear name and description, for example:

  • Role Name: IT

  • Description: Information Technology users

Repeat for HR and Finance.

Clear descriptions make troubleshooting and audits much easier later.

Configuring the Role Mapping Policy

A Role Mapping Policy determines which role is assigned to a user after authentication.

Key design choices:

  • Default Role: Other

    • Used if no conditions match

  • Role Evaluation Algorithm: Select All Matching

    • Because roles act as tags and multiple roles can be assigned

Example mappings:

  • If Department equals Finance → Assign Finance role

  • If Department equals HR → Assign HR role

  • If Department equals IT → Assign IT role

This allows ClearPass to dynamically tag users based on directory attributes.

Creating the Enforcement Policy

Enforcement Policies decide what happens after a role is assigned.

In this demonstration:

  • Default Profile: Deny Access

  • Role Evaluation Algorithm: First Match

Rules:

  • If Role equals Finance → Allow Access

  • If Role equals HR → Allow Access

  • If Role equals IT → Allow Access

At this stage, we keep enforcement simple. More advanced enforcement (dynamic VLANs or downloadable roles) can be added later.

Creating the 802.1X Wireless Service

Navigate to:

Configuration → Services → Add Service

Service Type: 802.1X Wireless

Key settings:

  • Enable Authorization

  • Enable Profile & Endpoint Classification

Service Categorization

Use the SSID name (for example: STAFF) as a condition so that authentication requests from this SSID hit this service.

Authentication Configuration

  • Authentication Method: PEAP (username/password)

  • Authentication Source: Active Directory

PEAP is commonly used for password-based authentication. Certificate-based authentication (EAP-TLS) can be implemented in later stages.

Authorization Configuration

Add the following as Authorization Sources:

  • Active Directory

  • Endpoint Repository

Then select:

  • Role Mapping Policy (created earlier)

  • Enforcement Policy (created earlier)

⚠️ Important:
If Active Directory is not added as an Authorization Source, role mapping will fail even if authentication succeeds.

This is one of the most common mistakes in ClearPass deployments.
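The two policies above and the authorization-source caveat, modelled in a short added example (this is illustrative code written for this article, not ClearPass code or configuration). It assumes the rule sets exactly as listed in the article and a constructed sample directory; the `ad_is_authz_source` flag is an assumption that stands in for whether Active Directory was added as an Authorization Source.

```python
# Added example: simulates how the article's Role Mapping Policy
# (default role Other, select all matching) and Enforcement Policy
# (default Deny Access, first match) evaluate a user's AD attributes.

DEFAULT_ROLE = "Other"               # Role Mapping default from the article
DEFAULT_ENFORCEMENT = "Deny Access"  # Enforcement default from the article

# Role Mapping rules: (attribute, expected value, role to assign).
ROLE_MAPPING_RULES = [
    ("Department", "Finance", "Finance"),
    ("Department", "HR", "HR"),
    ("Department", "IT", "IT"),
]

# Enforcement rules: (role, enforcement profile), evaluated in order.
ENFORCEMENT_RULES = [
    ("Finance", "Allow Access"),
    ("HR", "Allow Access"),
    ("IT", "Allow Access"),
]

def map_roles(attributes):
    """Select-all-matching: every rule whose condition holds adds a role (tag)."""
    roles = [role for attr, value, role in ROLE_MAPPING_RULES
             if attributes.get(attr) == value]
    return roles or [DEFAULT_ROLE]

def enforce(roles):
    """First-match: the first rule whose role the user holds wins, else the default."""
    for role, profile in ENFORCEMENT_RULES:
        if role in roles:
            return profile
    return DEFAULT_ENFORCEMENT

def evaluate(user, directory, ad_is_authz_source=True):
    """Authentication (PEAP against AD) is assumed to have succeeded. Directory
    attributes are only available to role mapping if AD is also an Authorization
    Source; without it, Department is unknown, so the user lands on Other/Deny."""
    attributes = directory.get(user, {}) if ad_is_authz_source else {}
    roles = map_roles(attributes)
    return {"user": user, "roles": roles, "enforcement": enforce(roles)}

# Constructed sample directory data (hypothetical users, not a real AD).
SAMPLE_AD = {
    "alice": {"Department": "Finance"},
    "bob": {"Department": "Marketing"},   # no rule matches -> Other -> Deny Access
}

if __name__ == "__main__":
    print(evaluate("alice", SAMPLE_AD))                             # Finance / Allow
    print(evaluate("alice", SAMPLE_AD, ad_is_authz_source=False))   # Other / Deny
    print(evaluate("bob", SAMPLE_AD))                               # Other / Deny
```

The second call reproduces the failure mode from the warning: authentication succeeds, but the user is tagged Other and hits the Deny Access default.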

Validating Authentication in Access Tracker

After connecting a wireless client:

  • Open Access Tracker

  • Confirm:

    • Authentication Source = Active Directory

    • Authorization Source = Active Directory

    • Assigned Role = Finance / HR / IT

    • Enforcement Profile = Allow Access

You can also see attributes such as:

  • Department

  • Group Memberships

  • SSID Name

  • Controller IP

  • AP Details

This confirms that role mapping and enforcement are functioning correctly.
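The Access Tracker checks listed above, turned into an automated audit as an added example (illustrative code written for this article, not a ClearPass feature or export format). The CSV text and its column names are constructed to mirror the fields the article names; the source name "Active Directory" and the SSID "STAFF" come from the article.

```python
# Added example: audits constructed Access Tracker-style records against the
# validation criteria from the article (auth source, authz source, role,
# enforcement profile, SSID) and reports what each session fails.
import csv
import io

AD_SOURCE = "Active Directory"          # source name used in the article
EXPECTED_ROLES = {"Finance", "HR", "IT"}
EXPECTED_SSID = "STAFF"

# Constructed sample export (hypothetical users and column names).
SAMPLE_EXPORT = """\
Username,Auth Source,Authz Source,Roles,Enforcement Profile,SSID
alice,Active Directory,Active Directory,[Finance],Allow Access,STAFF
bob,Active Directory,Active Directory,[Other],Deny Access,STAFF
carol,Active Directory,,[Other],Deny Access,STAFF
dave,Active Directory,Active Directory,[IT],Allow Access,GUEST
"""

def parse_roles(field):
    """'[Finance]' or '[IT HR]' style role list -> set of role names."""
    return {r.strip(",") for r in field.strip("[]").split() if r.strip(",")}

def check_record(row):
    """Return the criteria this session fails; an empty list means it passed."""
    problems = []
    if row["Auth Source"] != AD_SOURCE:
        problems.append("authentication source is not Active Directory")
    if row["Authz Source"] != AD_SOURCE:
        problems.append("AD missing from authorization sources; role mapping cannot see Department")
    roles = parse_roles(row["Roles"])
    if not roles & EXPECTED_ROLES:
        problems.append(f"no expected role assigned (got {sorted(roles)})")
    if row["Enforcement Profile"] != "Allow Access":
        problems.append(f"enforcement profile is {row['Enforcement Profile']}")
    if row["SSID"] != EXPECTED_SSID:
        problems.append(f"request came from SSID {row['SSID']}, not {EXPECTED_SSID}")
    return problems

def audit(export_text):
    """Map each username in the export to its list of failed checks."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["Username"]: check_record(row) for row in reader}

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_EXPORT).items():
        print(user, "OK" if not problems else "; ".join(problems))
```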

Verifying on the Wireless Controller

On the WLC, verify the client session:

  • Client is connected

  • Username is visible

  • Authentication method is 802.1X

If ClearPass and WLC show consistent information, your integration is successful.

Summary

In this lab, we demonstrated how to:

  • Create roles

  • Map roles using AD attributes

  • Build enforcement policies

  • Configure an 802.1X wireless service

  • Authenticate users via Active Directory

  • Validate results using Access Tracker and WLC

This forms the foundation for more advanced NAC designs such as dynamic VLAN assignment, downloadable user roles, posture checks, and certificate-based authentication.

Watch the Full Video Tutorial

👉  https://youtu.be/6DV-0B3307A
