TTechclick All lessons
HPE Aruba Networking · Access Control · ClearPass NACInteractive · L1 / L2

Aruba ClearPass Policy Manager — RADIUS, Roles, Posture & OnGuard

Skip the 300-page user guide. Pick a stage below, watch a real 802.1X request walk the ClearPass pipeline live — service match → RADIUS auth → role mapping → OnGuard posture → enforcement profile → CoA — ask the in-page AI tutor anything, and own NAC in 11 minutes.

📅 2026-05-31 · ⏱ 11 min · 2 animated demos · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Aruba ClearPass Policy Manager explained the AI-era way — pick a stage, watch a real 802.1X request flow through service → auth → roles → posture → enforcement live, ask the in-page AI tutor, and master RADIUS, OnGuard and CoA in 11 minutes instead of an afternoon.

By the end, you will be able to
Read as:

Pick a stage — jump straight to it

1

The Pipeline

Service → Auth → Roles → Posture → Enforcement. The one diagram that explains everything.

 2

RADIUS & Roles

How 802.1X auth picks a service, authenticates, and tags a user with a role.

 3

Posture & OnGuard

Health checks, persistent vs dissolvable agents, quarantine and auto-remediation.

 4

Troubleshoot

"Wrong role / no VLAN / CoA fails" → Access Tracker playbook + the CVE fix.

One wrong assumption that breaks every ClearPass deployment

Most new NAC engineers think ClearPass is "just a RADIUS server" — type a username, get a yes/no, done. That single assumption causes 90% of the day-one tickets. ClearPass is a policy pipeline, not a password checker. The yes/no is the easy part. The hard part is everything AROUND it: which service caught the request, what role the device earned, whether it passed posture, and which enforcement profile it returned.

🧒 Think of ClearPass as a club bouncer with a checklist. He doesn't just check your ID — he checks which door you came to (service), whether you're a member or guest (role), whether your jacket meets the dress code (posture), and only THEN points you to the VIP room or the general floor (enforcement).

🛠 In Access Tracker every request shows these stages as a vertical timeline. When something is wrong, you read down that timeline and find the exact stage that produced the wrong result — usually a mis-ordered service or a missing enforcement rule.

🏛 Architecturally ClearPass separates identity (who/what), context (role mapping, profiling), state (posture/health), and action (enforcement). Treating these as one monolith is exactly why "single mega-service" designs rot. Keep them decoupled and the policy stays readable at 200 services.

One sentence to memorise: "ClearPass evaluates services top-down and stops at the first match." Get the service ORDER wrong and a corporate laptop can land in the Guest VLAN — even though authentication "succeeded". Drill this in; it is the most-tested idea on the ACCP exam.

Scenario · Sneha at Infosys
Sneha onboards 40 new corporate laptops on the WLAN-Corp-Dot1X SSID. They authenticate fine but get the Guest VLAN 172.16.40.0/24 with no internal access. Tickets flood in. The bug is not authentication — it is a broad MAC-Auth service sitting ABOVE the 802.1X service, catching the request first. She reorders, problem gone in two minutes.
ClearPass deployment big picture Endpoint connects to a network access device which sends RADIUS to ClearPass; ClearPass consults Active Directory, runs OnGuard posture, and returns an enforcement profile, with CoA pushed back to the NAD. Endpoint laptop / phone NAD switch / WLC 802.1X authenticator ClearPass Policy Manager RADIUS · TACACS+ policy pipeline Active Directory OnGuard posture RADIUS Accept + profile CoA (UDP 3799)
ClearPass sits between the endpoint and your identity stores — RADIUS in, enforcement profile out, CoA back to the NAD on UDP 3799.
Warm-up · pre-quiz (no score — just predict)

Before we start: when ClearPass receives a request, how many services can match it?

Answer: b. First-match-wins, top-down. This single rule explains most "wrong VLAN" tickets — remember it for the whole lesson.
Warm-up · pre-quiz

What actually carries the VLAN number back to the switch?

Answer: c. Roles are just labels. The enforcement profile holds the real RADIUS attributes — like Tunnel-Private-Group-ID for the VLAN.
Warm-up · pre-quiz

Which OnGuard agent can auto-fix a non-compliant device?

Answer: b. Both agents run the same health checks, but only the persistent agent does auto-remediation. The dissolvable agent is a one-time check then self-uninstalls.

① The pipeline — the one diagram that explains everything

Every ClearPass decision flows through the same six stages, in order. Memorise the order and you can debug anything.

🚪
Service
tap to flip

The request is matched against services top-down. First match wins. The chosen service owns every step below it.

🔑
Authentication
tap to flip

Validate the credential against ordered auth sources (AD, local DB, SQL). Stops at the first source that authenticates.

🏷
Role Mapping
tap to flip

Tag the user/device with roles using attributes (AD group, device type, time). Roles are pure context — no action yet.

🩺
Posture
tap to flip

OnGuard reports a health token: Healthy / Checkup / Quarantine / Unknown. Optional — only if posture is enabled on the service.

📦
Enforcement
tap to flip

Enforcement policy maps (role + health + time) → an enforcement profile, which carries the real RADIUS attributes back to the NAD.

🔄
CoA
tap to flip

Change of Authorization (RFC 5176) re-authorizes a LIVE session — bounce/VLAN-change/re-auth — with no reconnect. Default UDP 3799.

The six-stage ClearPass policy pipeline A request flows left to right through Service, Authentication, Role Mapping, Posture and Enforcement, with a Change of Authorization loop back to the network device. Request in → Decision out 1 · Servicefirst match wins 2 · AuthAD / local / SQL 3 · Rolestag context 4 · PostureOnGuard health 5 · EnforceRADIUS attrs Access-Accept VLAN + role + ACL CoA re-authorizes the live session (no reconnect)
The fixed order: Service → Auth → Roles → Posture → Enforcement, with CoA looping a decision back onto an already-live session.

Pause & predict: if authentication succeeds but the role is empty, which stage failed?

Role Mapping (stage 3). Auth only proves identity. If no role-mapping rule matched the user's attributes — often because the authorization source (AD) wasn't queried — the user gets the default role, and enforcement falls back to the default profile. Check that AD is listed as an authorization source on the service.

② RADIUS & Roles — watch a real 802.1X request

Office mein 500 corporate laptops authenticate to the WLAN-Corp-Dot1X SSID using EAP-TLS. The controller is the NAD at 10.10.0.5; ClearPass listens on 10.10.0.20. Let's watch one request flow end to end.

▶ Watch an 802.1X request walk the pipeline

Click Play. Each stage lights up as ClearPass processes Sneha's corporate laptop.

① REQUEST IN Access-Request from NAD 10.10.0.5 · SSID=WLAN-Corp-Dot1X · EAP-TLS
Sneha's laptop, MAC aa:bb:cc:11:22:33, hits ClearPass on 10.10.0.20.
② SERVICE Top-down match → "WLAN-Corp-Dot1X" (Radius:IETF Service-Type = Framed, SSID = WLAN-Corp-Dot1X)
③ AUTHENTICATE EAP-TLS cert validated against [AD-Corp] (first auth source that matches). Result: Authenticated ✓
④ ROLE MAP AD attribute memberOf = Corp-Employees → role Employee
⑤ ENFORCE Enforcement policy: If Role = Employee → profile "Employee-VLAN-20" → returns Tunnel-Private-Group-ID = 20
⑥ ACCEPT Access-Accept to NAD → laptop placed in VLAN 20 10.10.20.0/24. Logged in Access Tracker.
Press Play to step through how ClearPass turns one RADIUS request into a VLAN assignment. Each press of Next advances one stage.

Authentication source vs authorization source — the trap

ClearPass distinguishes authentication sources (where it checks the credential) from authorization sources (where it fetches extra attributes for role mapping). Crucially: ClearPass fetches role-mapping attributes from the authorization sources regardless of which source authenticated the user — but only if you LIST AD as an authorization source on the service.

Symptom → cause: users authenticate but get the wrong role

Symptom you see: Access Tracker shows "User Authenticated = true" but the Role column is the default role, and the VLAN is wrong.

Cause: the [Local User Repository] is listed ABOVE Active Directory in the service's authentication sources. The local DB authenticates the user first, so ClearPass never queries AD for the memberOf group — the AD-group role-mapping rule never fires. Fix: move AD above local, or add AD explicitly as an authorization source.

Quick check · Q1 of 10

Sneha at Infosys finds her 802.1X laptops landing in a Guest role instead of Employee. Access Tracker shows the WLAN-Corp-Dot1X service is being SKIPPED entirely. What is the most likely cause?

Correct: b. ClearPass evaluates services top-down and stops at the first match. A broad MAC-Auth or catch-all service above WLAN-Corp-Dot1X grabs the request first. Reorder the 802.1X service above it (or tighten the broad service's match rules). Service order is the #1 ClearPass gotcha.
Scenario · Rahul at TCS
Rahul migrates auth from a local DB to Active Directory. Logins keep working, so he closes the change ticket. A week later, finance users complain they can't reach the finance VLAN. The cause: he left [Local User Repository] above AD, so AD group attributes were never read. Reordering the auth sources restores group-based roles instantly.
Quick check · Q2 of 10

Rahul at TCS placed [Local User Repository] above Active Directory in the authentication-source list. Users authenticate fine, but the AD-group-based Employee role never applies. Why?

Correct: c. Authentication stops at the first matching source. If the local DB authenticates first, AD's memberOf attributes are never queried, so the AD-group role-mapping rule silently misses. Move AD above the local repository, or add AD as an explicit authorization source on the service.
Quick check · Q3 of 10

In the ClearPass pipeline, which component decides WHAT the switch actually does to the port — the VLAN, ACL or downloadable role?

Correct: d. Services pick the pipeline, role mapping tags context, posture adds health — but the enforcement profile is the only thing physically returned to the NAD. Get the role right and forget the profile, and nothing happens to the port.

③ Posture & OnGuard — is the device actually healthy?

Authentication proves who you are. Posture proves your device is safe. OnGuard performs advanced endpoint health checks over wired, wireless and VPN, then hands ClearPass a posture token used in enforcement.

🧒 Posture is the "wash your hands before dinner" check. Even if mum knows it's you (authentication), you still don't get to the table until your hands are clean (healthy device).

🛠 You bind OnGuard to a service via the Posture tab. If the device is Quarantine, your enforcement policy routes it to a remediation VLAN with access only to the patch/AV servers — not the corporate LAN.

🏛 Posture is a continuous control, not a one-shot. With a persistent agent + CoA, a device that goes unhealthy mid-session (AV disabled at 3pm) is bounced into quarantine automatically — that's the difference between authentication and true zero-trust posture.

Persistent vs dissolvable — pick the right agent

🖥
Persistent agent
tap

Installed on IT-managed devices. Nonstop monitoring + auto-remediation. Re-checks continuously and can fix issues (start AV, force update).

💧
Dissolvable agent
tap

Web-based, for BYOD / guests via captive portal. One-time check at login, then self-uninstalls. Same checks, but NO auto-remediation.

🩹
Auto-remediation
tap

The persistent agent can fix a failed check itself — restart antivirus, trigger Windows Update. The user often never sees the quarantine.

🚧
Quarantine
tap

Unhealthy devices land in a remediation VLAN with reach only to patch/AV servers. The user sees a message + fix instructions.

OnGuard posture decision tree Decision flow: is an agent installed, is the device managed, does it pass health checks, leading to healthy VLAN, auto-remediation, or quarantine VLAN. Device connects IT-managed? agent present YES Persistent agent continuous + auto-fix NO Dissolvable agent one-time check Health OK? AV · patch · FW Healthy VLAN full access FAIL Quarantine VLAN remediation only Persistent agent can auto-remediate and CoA back to Healthy without a reconnect.
Posture decision tree: managed devices use the persistent agent (auto-fix); BYOD uses the dissolvable agent (one-time check); failures route to a quarantine VLAN.

Pause & predict: a guest phone fails the AV check on the captive portal. Will ClearPass auto-fix it?

No. Guests use the web-based dissolvable agent, which does a one-time check and self-uninstalls — it has no auto-remediation. The user simply gets a message with instructions. Only the persistent agent on IT-managed devices auto-remediates.

▶ Posture failure → CoA quarantine

Priya's laptop is online and Healthy. At 3pm her antivirus is disabled. Watch ClearPass re-quarantine her WITHOUT a reconnect.

① HEALTHY Laptop 10.10.20.42 in VLAN 20, posture = Healthy, full access.
② HEALTH CHANGE Persistent OnGuard agent detects antivirus disabled → reports posture = Quarantine
③ RE-EVALUATE ClearPass enforcement policy: If health = Quarantine → profile "Quarantine-VLAN-99"
④ CoA SENT ClearPass sends CoA to NAD 10.10.0.5 on UDP 3799 → bounce session / change VLAN
⑤ QUARANTINED Laptop now in VLAN 99 10.10.99.0/24 — reach only to patch/AV servers. No user reconnect.
⑥ AUTO-FIX Persistent agent restarts AV → posture = Healthy → ClearPass CoAs her BACK to VLAN 20 automatically.
CoA is what makes posture continuous. Without it, you'd only re-check at the next login.
Quick check · Q4 of 10

Priya at HCL deploys OnGuard. IT laptops auto-remediate when antivirus is stale, but BYOD phones on the captive portal only get a one-time health check and never auto-fix. Is this expected?

Correct: a. Both agent types run the same health checks, but auto-remediation is a persistent-agent-only feature. The dissolvable agent is built for non-managed devices via captive portal — one-time check, self-uninstall, no fixing. This is by design, not a bug.

④ Troubleshoot — Access Tracker playbook + CVE fix

A request misbehaves. ClearPass gives you a single best tool: Access Tracker. Open the request, read the stages top-down, and the wrong stage will be obvious. Here's the 4-step ladder.

Which service matched?
tap

Access Tracker → request → "Service" field. Wrong service = reorder. No service = no rule matched; widen the rules or add a service.

Did auth + roles run?
tap

Check "Authentication" and "Roles" in the request details. Empty role usually = AD not queried as an authorization source.

What profile returned?
tap

Check "Enforcement Profiles" + the RADIUS reply attributes. Default profile = no enforcement rule matched the role.

CoA failing?
tap

Auth works but the bounce/VLAN-change never lands → check the NAD's dynamic-author port (default UDP 3799) and CoA shared secret.

Cisco NAD — enable CoA (dynamic authorization) for ClearPass 
aaa server radius dynamic-author
 client 10.10.0.20 server-key MyCoASecret
 port 3799
 auth-type all
Expected: verify CoA is listening + secret matches ClearPass 
switch# show aaa servers | include CoA|3799
  RADIUS: id 1, priority 1, host 10.10.0.20, auth-port 1812, acct-port 1813
  CoA dynamic-author: client 10.10.0.20, port 3799, state UP
  Disconnects: total 14, sent 14, failed 0
  CoA requests:  total 38, sent 38, failed 0

Pause & predict: auth works but a CoA bounce never lands on the switch. Which port and secret would you check first?

UDP 3799 + the dynamic-author shared secret. CoA rides a separate port and its own secret from the 1812 auth flow. If either is wrong on the NAD, authentication on 1812 succeeds but CoA is silently dropped — exactly the symptom here. Verify aaa server radius dynamic-author and the port on both ends.
Symptom → cause: authentication works, but CoA disconnect / VLAN-change silently fails

Symptom you see: the user logs in fine and Access Tracker shows Accept, but when ClearPass tries to bounce or move them, nothing happens — the session stays put and CoA shows as failed/timed-out.

Cause: CoA uses a SEPARATE UDP port (default 3799) and its own shared secret in the NAD's dynamic-author config. If the port or secret doesn't match what ClearPass sends, normal auth (port 1812) still works but CoA is dropped. This is the most-reported CoA issue on the Aruba Airheads community.

Quick check · Q5 of 10

After a posture failure, ClearPass needs to move an ALREADY-CONNECTED device from the Healthy VLAN to the Quarantine VLAN without making the user reconnect. Which mechanism does this?

Correct: c. CoA (RFC 5176) pushes a new authorization to an active session — bounce the port, change VLAN, or re-authenticate — with no user reconnect. Default UDP 3799. A port/secret mismatch on the NAD is the classic reason it silently fails.

Patch the CVEs — ClearPass is your control plane, treat it like one

ClearPass decides who gets on your network. If it's compromised, the attacker controls access for everyone. Two recent advisories matter: CVE-2025-23060 (cleartext information disclosure — enables interception / MITM) and CVE-2024-51771 (authenticated command-injection RCE in the web UI). A third, CVE-2025-23058, is an authenticated broken-access-control privilege escalation.

Three actions to harden ClearPass

1. Patch. Upgrade to a fixed train — ClearPass 6.12.4 / 6.11.10 or later per the HPE advisory — which resolves these CVEs. 2. Segment. Put the management interface on a dedicated admin VLAN with strict firewall rules so only the NOC subnet can reach the web UI. 3. Least-privilege admins. Use scoped admin roles so a low-privilege account can't escalate (the CVE-2025-23058 class). Patching closes the bug; segmentation shrinks who can even attempt it.

A device's journey through a day on ClearPass Timeline showing connect, authenticate, healthy access, posture failure, quarantine, auto-remediation, and return to healthy access across a workday. 09:00Connect + 802.1X 09:01Role = Employee 09:01Healthy → VLAN 20 15:00AV off → Quarantine 15:00CoA → VLAN 99 15:02Auto-fix → VLAN 20 One identity, many decisions — ClearPass re-evaluates continuously, not just at login.
A device's day on ClearPass: posture is continuous — a 3pm AV failure triggers an instant CoA quarantine and auto-recovery, no help-desk ticket.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. No login, no waiting.

Pre-curated answers from HPE Aruba ClearPass docs + Airheads community Q&A. For complex prod issues, paste your Access Tracker request detail into chat.techclick.in.

📝 Wrap-up — five more

You've already answered 5 inline. Five left. 70% (7 of 10) total marks the lesson complete on your profile. Tap Submit all answers at the end.

Q6 · Apply

A ClearPass service matches correctly and authentication succeeds, but the user lands in the default role with no VLAN. The Enforcement Policy has only a fallback "Deny" rule. What is the fix?

Correct: b. The role was tagged, but the enforcement policy had no rule mapping that role to a profile, so the default profile (here, Deny/default) applied. Enforcement-policy conditions match on roles/health/time, and the first matching rule's profile is returned to the NAD.
Q7 · Analyze

Your security team must mitigate CVE-2025-23060 (cleartext information disclosure) and CVE-2024-51771 (authenticated RCE) on ClearPass. What is the right combined action?

Correct: c. Patching closes the bugs; network segmentation reduces who can even reach the web UI to exploit an authenticated flaw. Both are needed — defence in depth on your access control plane.
Q8 · Analyze

A Cisco switch is configured with ClearPass. Authentication works, but CoA disconnects fail — Access Tracker shows Accept yet the bounce never lands on the switch. Most likely cause?

Correct: a. CoA rides UDP 3799 with the dynamic-author shared secret, independent of the 1812 auth secret. If either is wrong on the NAD, auth succeeds but CoA is silently dropped — the single most-reported CoA fault on Airheads. Verify aaa server radius dynamic-author and the port on both ends.
Q9 · Evaluate

You must publish guest Wi-Fi AND 802.1X corporate AND a posture-gated VPN on ONE ClearPass. A junior engineer wants a single giant service with many rules. Evaluate the design.

Correct: b. Separate services per access method (802.1X Wireless, MAC-Auth/Guest, VPN posture), each self-contained and ordered most-specific first. A single mega-service becomes unreadable, mis-orders rules, and is a top cause of wrong-role incidents.
Q10 · Evaluate

To safely roll out a NEW Enforcement Policy on a production ClearPass service without risking a campus-wide lockout, what is the recommended approach?

Correct: d. Monitor Mode is the production-safe rollback path: full evaluation, real logging, zero enforcement. Confirm the simulated roles and profiles look right in Access Tracker, then re-enable enforcement.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

🧠 Lock it in — explain it back

In your own words, write the six pipeline stages and what each one does. Self-explanation is the single biggest retention multiplier — your future on-call self will thank you.

Teach a friend: message one teammate the one-liner "ClearPass evaluates services top-down and stops at the first match — get the order wrong and a corporate laptop lands in Guest." If you can teach it, you own it.

We'll send ONE recall question in a week. No spam, unsubscribe anytime.

📖 Glossary

Service
A policy container for one access type (802.1X Wireless, MAC-Auth, VPN). First-match-wins, top-down.
Role
A context label ClearPass assigns from attributes (AD group, device type). Drives enforcement — not a switch port role.
Enforcement profile
The actual RADIUS attributes returned to the NAD: VLAN, ACL, Aruba-User-Role.
OnGuard
The ClearPass posture agent. Checks AV, firewall, patches, encryption. Persistent or dissolvable.
Posture token
The health result: Healthy / Checkup / Quarantine / Unknown. Fed into the enforcement policy.
CoA
Change of Authorization (RFC 5176). Re-authorizes a live session. Default UDP 3799.
NAD
Network Access Device — the switch or WLAN controller that speaks RADIUS and enforces the result.
Access Tracker
The ClearPass log/troubleshooting view. Shows every request's stages top-down.

📚 Sources

  1. HPE Aruba Networking TechDocs — ClearPass Policy Manager 6.12 User Guide: About ClearPass, Services, Enforcement Policies. arubanetworking.hpe.com/techdocs
  2. HPE Aruba Networking TechDocs — ClearPass OnGuard: Persistent vs Dissolvable Agents, Agentless OnGuard Troubleshooting (6.11).
  3. Juniper Networks Docs — Example: Configuring 802.1X-PEAP and MAC RADIUS Authentication with EX Series Switches and Aruba ClearPass Policy Manager. juniper.net/documentation
  4. HPE Aruba Airheads Community — "ClearPass and Cisco CoA Failing" / "ClearPass CoA Problem" threads (CoA port + shared-secret mismatch).
  5. NACSOC — ClearPass Access Tracker Explained (With Real Troubleshooting Flow); top-down service + role-mapping order gotchas + Monitor Mode.
  6. HPE Security Advisories / CVE — CVE-2025-23060 (info disclosure), CVE-2024-51771 (authenticated RCE), CVE-2025-23058 (broken access control); fixed in 6.12.4 / 6.11.10.
  7. HPE Certification & Learning — Aruba Certified ClearPass Professional (ACCP, HPE6-A68) exam blueprint (AAA, Posture, Operations weightings).

What's next?

You can now identify a device, role it, posture-check it and enforce a VLAN. Next we push the policy decision all the way to the edge — how Aruba turns a ClearPass role into a port-level firewall with Dynamic Segmentation and the Policy Enforcement Firewall (PEF), so traffic is filtered the moment it hits the switch.

Next · Aruba Dynamic Segmentation & PEF → ← All Aruba lessons