TTechclick All lessons
HPE Aruba Networking · Wireless · WLAN DesignInteractive · L1 / L2

Aruba WLAN & SSID Design — VAPs, AAA Profiles, WPA3 & User Roles

One SSID is three profiles stacked together. Skip the manual — pick a layer below, watch a real client earn its user role live, ask the in-page AI tutor anything, and decode the 5-level role-derivation order without the headache.

📅 2026-05-31 · ⏱ 11 min · 2 animated visualizers · 🏷 10-Q assessment + AI Tutor inline
Read as:

⚡ Quick Answer

HPE Aruba WLAN design explained the AI-era way — stack the Virtual AP → SSID → AAA profiles, watch a client get its user role assigned live, master WPA3 vs Enhanced Open vs transition mode, and decode the 5-level role-derivation order in 11 visual minutes instead of an hour.

By the end you will be able to

Pick a layer — jump straight to it

1

The Profile Stack

Virtual AP → SSID → AAA. How three profiles become one broadcast SSID.

 2

WPA3 & Enhanced Open

SAE, Enterprise modes, OWE, and why transition mode is a trap.

 3

User Roles & Derivation

The 5-level precedence order — and which role actually wins.

 4

Troubleshoot

"Auth passed but no internet" → the role + VLAN diagnosis ladder.

The mistake that costs every new Aruba engineer a day

Here's how it usually goes. Sneha, fresh onto the wireless team at Infosys, gets her first ticket: "Stand up a new Corp-WiFi SSID on the third floor." She opens Aruba Central, finds the SSID settings, types the name, sets a WPA3 password, hits save. The SSID appears. Laptops connect. She closes the ticket.

Two hours later: a flood of complaints. Everyone on Corp-WiFi can reach each other's machines, the finance VLAN, and the printers in another building. Sneha configured the radio. She never configured who the clients become once they join. That second half — the user role — is where real WLAN design lives.

ELI5: Think of an SSID like the name on a building's front door. Anyone can read the name and walk in. The user role is the visitor badge you hand them inside — it decides which floors they can ride the lift to. Sneha printed the door sign but gave everyone a master key.
Architect view: The radio/encryption layer (SSID profile) and the identity/authorization layer (AAA profile + roles) are intentionally decoupled in ArubaOS so the same encryption posture can map to many authorization outcomes. Treat the role, not the SSID, as your real segmentation boundary — it survives roaming and re-auth where VLAN-per-SSID does not.

This lesson fixes Sneha's mental model permanently. We'll stack the three profiles that make an SSID, pick the right WPA3 mode, then master the role-derivation order — the single most-tested, most-misunderstood topic on the wireless side of the HPE6-A85 blueprint.

① The Profile Stack — three profiles, one SSID

An Aruba SSID is never a single object. It's a stack. The top of the stack is the Virtual AP (VAP) profile. Think of the VAP as the assembly line: it points at one SSID profile and one AAA profile, and only then does the AP start beaconing.

By default a new VAP is wired to the default SSID, AAA, 802.11k and Hotspot profiles. You override the two that matter — SSID and AAA — and leave the rest alone until you need them.

Aruba Virtual AP profile stack diagram The Virtual AP profile sits at the top and references an SSID profile on the left and an AAA profile on the right; the AAA profile in turn holds the initial role, default roles and server group. Virtual AP (VAP) Profile "Corp-WiFi" — what the AP actually broadcasts references references SSID Profile the RADIO & ENCRYPTION half • essid "Corp-WiFi" • opmode wpa3-aes-ccm-128 • band / SSID hide / max-clients AAA Profile the IDENTITY & ROLE half • initial-role "logon" • dot1x-default-role "corp" • auth-server-group "CPPM" Roles & RADIUS the AAA profile points to logon role · corp role · guest role · IoT role each role = firewall ACLs + VLAN + bandwidth One VAP = one SSID. Swap the AAA profile → change auth without touching the radio settings.
Figure 1 — The Aruba profile stack. The VAP is the parent; the SSID profile owns encryption, the AAA profile owns identity and roles.
📡
Virtual AP
tap to flip

The parent container. It binds one SSID profile + one AAA profile and is what an AP group actually advertises. No VAP = no SSID on air.

🔐
SSID Profile
tap to flip

The radio half: essid name, opmode (WPA mode), band, SSID-hide, max-clients. Decides how the client encrypts — not who it is.

🪪
AAA Profile
tap to flip

The identity half: initial role, default role per auth method, derivation rules, and the RADIUS server group. Decides who the client becomes.

🛡
User Role
tap to flip

A named bundle of firewall ACLs + VLAN + bandwidth contract. This is your real segmentation boundary — it follows the client across APs.

Here's the same stack as CLI. On a controller-managed AOS deployment the profiles are explicit objects you chain together; in Aruba Central the wizard hides the names but creates the identical objects underneath.

CLI — build the SSID, AAA and Virtual AP profiles 
wlan ssid-profile "Corp-WiFi-ssid"
   essid "Corp-WiFi"
   opmode wpa3-aes-ccm-128

aaa profile "Corp-WiFi-aaa"
   initial-role "logon"
   authentication-dot1x "default"
   dot1x-default-role "corp"
   auth-server-group "CPPM-Servers"

wlan virtual-ap "Corp-WiFi-vap"
   ssid-profile "Corp-WiFi-ssid"
   aaa-profile "Corp-WiFi-aaa"
   vlan 30
Expected output 
show wlan virtual-ap "Corp-WiFi-vap"
Virtual AP profile "Corp-WiFi-vap"
----------------------------------
Parameter            Value
---------            -----
SSID Profile         Corp-WiFi-ssid
AAA Profile          Corp-WiFi-aaa
Virtual AP enable    Enabled
VLAN                 30
Forward mode         tunnel
Scenario · Sneha @ Infosys Sneha fixes her ticket by leaving the SSID profile alone and editing only the AAA profile — she sets dot1x-default-role to a locked-down corp role that denies client-to-client traffic. The radio never changed; the laptops never re-associated. Only the role flipped. Complaints stop.
Pause & predict

A colleague says "just make a second SSID for the IoT cameras." You only need different authentication and a different VLAN — same encryption. Do you need a new SSID profile, a new AAA profile, or both?

Both — plus a new VAP. Every distinct SSID name is its own Virtual AP, and a VAP must point at an SSID profile and an AAA profile. Even if the encryption matches, you still create a separate SSID profile (different essid) and a separate AAA profile (MAC-auth instead of 802.1X, different default role). The VLAN lives on the VAP. One thing you should not do: pile a 5th and 6th SSID onto every radio — each beacon costs airtime.
Quick check · Q1 of 10

In ArubaOS, which profile object does an access point actually advertise on its radio to put an SSID on the air?

Correct: a. The Virtual AP (VAP) profile is the broadcast container. It binds exactly one SSID profile (radio + encryption) and one AAA profile (identity + roles). The SSID profile and AAA profile don't beacon on their own — they're referenced by the VAP. Roles and server groups sit further down the chain.

② WPA3, Enterprise modes & Enhanced Open

The opmode line in the SSID profile is your encryption decision. Get it wrong and you either lock out half your clients or leave the door cracked. Aruba gives you a precise set of keywords — here are the four you'll actually type.

🔑
wpa3-sae-aes
tap

WPA3-Personal. SAE replaces the WPA2 PSK handshake. Same one password, but un-crackable offline. Needs a pre-shared key.

🏢
wpa3-aes-ccm-128
tap

WPA3-Enterprise, widest compat. 128-bit; with transition mode it still admits WPA2-Enterprise clients. The everyday corporate 802.1X choice.

🛰
wpa3-aes-gcm-256
tap

WPA3-Enterprise, GCMP-256. Admits only WPA3 clients that support GCMP-256. Step toward CNSA (192-bit) for high-assurance / government.

🌐
enhanced-open
tap

Enhanced Open / OWE (RFC 8110). Open guest Wi-Fi, no password — but every client gets per-session encryption. Replaces naked open SSIDs.

The transition-mode trap

To support old laptops, engineers flip on transition mode: one SSID advertises both WPA2-PSK and WPA3-SAE. Everyone connects — and that's the problem. An attacker forces the weak WPA2 path, captures the 4-way handshake, and cracks your PSK offline with Hashcat. WPA3's protection is bypassed by the very fallback you enabled. Worse, PMF is only optional in transition mode.

Architect view: Plan transition mode as a dated migration window, not a permanent state. Track legacy-client count in Central, set a cutover date, then flip to WPA3-only with PMF required. On 6 GHz the decision is made for you — WPA3-SAE + PMF is mandatory and transition mode literally does not exist there.

▶ Watch a client join and earn its role

Click Play. Each stage lights up as the client moves from radio association through WPA3 to a final user role.

① ASSOCIATE Client a4:83:e7:11:22:33 associates to SSID Corp-WiFi (VAP "Corp-WiFi-vap")
Radio settings come from the SSID profile.
② INITIAL ROLE AAA profile assigns initial role logon → client can reach only DHCP, DNS, RADIUS
③ WPA3 / 802.1X wpa3-aes-ccm-128 handshake + 802.1X to 10.20.0.10 (ClearPass)
④ RADIUS REPLY Access-Accept returns Aruba-User-Role = "corp" (a VSA)
⑤ ROLE DERIVE Precedence resolved → VSA role "corp" wins over the dot1x-default-role
⑥ FORWARD Client now in role corp → VLAN 30, corp-ACLs applied, traffic flows
Press Play to step through how a client moves from "just associated" to "fully authorized". Each press of Next advances one stage.
WPA3 opmode decision tree A decision tree that routes from the question of whether a password is needed and whether RADIUS is used, to the correct Aruba opmode keyword for guest, personal and enterprise SSIDs. Designing a new SSID? start here Need a password at all? NO YES Guest / public SSID enhanced-open OWE — encrypted, no key Per-user RADIUS login? NO (one shared pwd) YES WPA3-Personal wpa3-sae-aes SAE — needs PSK WPA3-Enterprise wpa3-aes-ccm-128 gcm-256 / cnsa = stricter On 6 GHz, the only legal answer is wpa3-sae-aes (Personal) or a WPA3 Enterprise mode — with PMF required.
Figure 2 — Pick the opmode by answering two questions: do you need a password, and is it per-user (RADIUS)?
The symptom: "half my old devices dropped after we 'upgraded security'"

You switched the SSID from WPA2 straight to wpa3-aes-gcm-256 or pure wpa3-sae-aes with transition mode off. Cause: legacy phones, printers and IoT that only speak WPA2 (or can't do GCMP-256 / PMF-required) silently fail to associate. Fix: either run a short transition window with a cutover date, or carve those devices onto a separate WPA3-Personal or dedicated IoT SSID rather than forcing the strictest cipher on everyone.

Quick check · Q2 of 10

A cafe wants guest Wi-Fi with no password but still wants each customer's traffic encrypted over the air. Which Aruba opmode is correct?

Correct: d. Enhanced Open (OWE, RFC 8110) is exactly this: an open SSID with no password where each client still negotiates a unique encryption key. Plain open sends everything in clear text. SAE and CNSA both require a credential, so they can't be "passwordless" guest Wi-Fi.

③ User Roles & the 5-level derivation order

Authentication answers "are you allowed in?" A role answers "now that you're in, what can you touch?" On Aruba a client can be assigned a role from up to five different sources at once — and they don't all carry equal weight. This precedence order is the single most-tested wireless concept, and the one that wastes the most production hours.

From lowest to highest precedence: initial role → user-derived role → default role (per auth method) → server-derived role → VSA-derived role. The higher one always overrides the lower one. So an Aruba VSA from RADIUS beats everything you configured locally.

Aruba user-role derivation precedence ladder A five-rung ladder from the lowest-precedence initial role at the bottom up to the highest-precedence VSA-derived role at the top, showing when in the connection lifecycle each is applied. Role derivation — highest wins 5 · VSA-derived role Aruba-User-Role VSA from RADIUS — always wins after auth 4 · Server-derived role from standard RADIUS attributes / rules after auth 3 · Default role (per method) e.g. dot1x-default-role on success on auth pass 2 · User-derived role from MAC OUI / DHCP fingerprint before auth 1 · Initial (logon) role unauthenticated default in AAA profile pre-auth PRECEDENCE ↑ Troubleshooting truth: a VSA you forgot about silently overrides the role you carefully configured locally. Run show user-table to see the role actually applied — and how it was derived.
Figure 3 — The role-derivation ladder. Lower rungs apply earlier in the connection; higher rungs override them.
Scenario · Rahul @ TCS Rahul sets dot1x-default-role corp and swears it's right — yet contractors keep landing in a wide-open role. The cause: ClearPass returns an Aruba-User-Role VSA for the contractor group. That VSA (rung 5) beats his local default (rung 3). His CLI was never wrong; the override lived on the RADIUS side. He fixes it in ClearPass, not on the controller.
Pause & predict

A user-derived rule matches an IoT camera by MAC OUI and assigns role iot-locked. The same camera then passes MAC-auth, whose default role is iot-open. Which role does the camera end up in?

iot-open — the default role wins. User-derived roles (rung 2) are applied before authentication; the per-method default role (rung 3) is applied on successful auth and sits higher on the ladder. So once MAC-auth succeeds, its default role overrides the earlier user-derived role. If you wanted iot-locked to stick, you'd return it as a server rule or VSA instead.

The initial (logon) role — don't leave it open

Before 802.1X finishes, the client lives in the initial role (commonly named logon). A client whose auth fails or stalls stays there. If that role is permissive, a failing device can still reach the LAN — a quiet but real hole. Lock the initial role to DHCP, DNS and the RADIUS path only.

CLI — verify which role a live client actually got, and how 
show user-table mac a4:83:e7:11:22:33
Expected output 
IP            MAC                Name     Role   Age  Auth   Profile
----------    -----------------  ------   ----   ---  ----   -------
10.30.0.57    a4:83:e7:11:22:33  rahul.k  corp   00:03 802.1x Corp-WiFi-aaa
   Role derived from: VSA (Aruba-User-Role)
   VLAN: 30   ACL: corp-acl
Read the "Role derived from" line first

That one line ends 80% of role arguments. It tells you whether the role came from a VSA, a server rule, the method default, a user-derived rule, or the initial role. If it says VSA and you didn't expect one, your fix is on RADIUS/ClearPass — not the SSID, not the VAP, not the controller config you've been staring at.

Quick check · Q3 of 10

A client gets a server-derived role of staff AND an Aruba VSA returning admin in the same Access-Accept. Which role is applied?

Correct: a. The Aruba VSA (Aruba-User-Role) sits at rung 5 — the top of the precedence ladder — so it wins over the server-derived role (rung 4). Roles don't merge, and a conflict doesn't drop the client to logon. Whatever the VSA names is the role that applies.

④ Troubleshoot — "auth passed but no internet"

The most common wireless ticket isn't "can't connect" — it's "connected, authenticated, but nothing works." Almost always it's a role or VLAN problem, not an auth problem. Here's the 4-rung ladder.

show user-table
tap

show user-table mac <mac>. Confirm the role + VLAN actually applied, and read the "Role derived from" line. This finds the wrong-role bug instantly.

show rights <role>
tap

Dump the ACLs the role enforces. A client stuck with no internet often has a role whose firewall policy permits DHCP/DNS but denies the rest.

VLAN reachability
tap

Right role, wrong VLAN? The VSA or server rule may push a VLAN your upstream switch trunk doesn't carry. Verify the VLAN exists end-to-end.

show auth-tracebuf
tap

Live auth trace for one MAC. Shows the full 802.1X exchange and exactly which RADIUS attribute/VSA came back. The ground truth.

Scenario · Priya @ HCL Priya gets "guests can authenticate but stay stuck in the logon role." She runs show user-table and sees the role never moves past logon. The captive-portal role that should follow login was never returned — ClearPass needed valid credentials on the first attempt to hand back the post-portal role. The radio, the SSID profile, the WPA mode: all fine. The fix lived entirely in the role-return logic, which she'll wire up properly in the ClearPass lesson next.

The CVE you should know this month

Keep firmware current. In late 2025 HPE disclosed CVE-2025-37165 (CVSS 7.5) — an unauthenticated VLAN-configuration information-disclosure on Aruba APs in router mode — alongside CVE-2025-37166, a crafted-packet DoS that can wedge an AP until a hardware reset. Both are fixed in the patched AP firmware HPE pushed in December 2025. There's also a critical AOS-CX auth-bypass (CVE-2026-23813, CVSS 9.1) on the switching side. WLAN design is wasted if the platform under it is exploitable — patch, then design.

The whole lifecycle on one timeline

Zoom out. Every concept in this lesson maps onto one client's life — from beacon to forwarded traffic. Keep this timeline as your cheat-sheet: when a ticket lands, you know exactly which stage owns the symptom.

Wi-Fi client lifecycle timeline cheat-sheet A left-to-right timeline of a client's connection: association governed by the SSID profile, initial role from the AAA profile, WPA3 plus 802.1X authentication, role derivation where the VSA wins, and finally traffic forwarding in the assigned VLAN. A colour legend maps royal blue to the SSID/radio layer, indigo to the AAA/identity layer, amber to the pre-auth window and lime to the forwarding result. Client lifecycle — which profile owns each stage Radio / SSID profile Identity / AAA profile Pre-auth window Forwarding result Associate SSID profile Initial role DHCP/DNS only WPA3 + 802.1X AAA → RADIUS Role derive VSA wins Forward VLAN + ACLs "Can't connect" lives left of the orange dot · "connected but no internet" lives right of it.
Figure 4 — One client's lifecycle. The orange "initial role" dot is the dividing line between auth problems and role/VLAN problems.
Pause & predict

A user reports "Wi-Fi shows connected and authenticated, but no app works." Using the timeline above, is this an auth problem or a role/VLAN problem — and which side of the orange dot do you investigate?

Role / VLAN problem — investigate to the RIGHT of the orange dot. "Authenticated" means the WPA3 + 802.1X stage already succeeded, so the failure is downstream: the derived role's ACLs may permit only DHCP/DNS, or the pushed VLAN isn't trunked upstream. Start with show user-table mac <mac> to read the applied role and VLAN, then show rights <role>. Don't waste time re-checking the password or RADIUS reachability — those are left of the dot.
Quick check · Q4 of 10

A user complains: "Wi-Fi connects, shows authenticated, but no website loads." Which single command tells you the role and VLAN the client actually received, and how the role was derived?

Correct: c. show user-table mac <mac> shows the live client's applied role, VLAN, auth method, and the all-important "Role derived from" line. show ap database lists APs, show wlan ssid-profile shows static config, and show running-config is a haystack — none tell you what role a specific live client got.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. No login, no waiting.

Pre-curated answers from HPE Aruba TechDocs + Airheads community Q&A. For complex prod issues, paste your show user-table + show auth-tracebuf output into chat.techclick.in.

📝 Wrap-up — six more

You've already answered 4 inline. Six left. 70% (7 of 10) total marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

In the Aruba role-derivation order, which method has the highest precedence — overriding all the others?

Correct: c. The order low→high is initial → user-derived → default → server-derived → VSA-derived. The Aruba VSA sits at the top and overrides every other source. Memorise this ladder — it's the most-tested wireless fact on the blueprint and the #1 cause of "wrong role" tickets.
Q6 · Apply

You must add a guest SSID and an IoT SSID alongside the existing corporate SSID, each with different auth and different VLANs. What's the minimum you create per new SSID?

Correct: d. Each distinct SSID name is its own Virtual AP, and a VAP must point at one SSID profile and one AAA profile. Different auth means a different AAA profile; a different SSID name means a different SSID profile. Reusing the corporate AAA profile would give guests corporate roles — exactly the segmentation failure to avoid.
Q7 · Analyze

After enabling WPA3 transition mode on the corporate SSID to keep a few old laptops working, a pen-tester captures a handshake and recovers the passphrase offline. How was WPA3 defeated?

Correct: c. WPA3-SAE resists offline cracking, but transition mode keeps WPA2-PSK on the same SSID for compatibility. The attacker simply uses the WPA2 path, grabs the 4-way handshake, and cracks the PSK offline. Because PMF is only optional in transition mode, the protection window is even wider. Once legacy clients are gone, disable transition mode and run WPA3-only with PMF required.
Q8 · Analyze

An 802.1X client authenticates successfully but lands in a wide-open role instead of the corp default you configured. show user-table shows "Role derived from: VSA". Where is the fix?

Correct: b. The "Role derived from: VSA" line is the giveaway. A VSA-derived role (rung 5) beats your locally configured default role (rung 3), so the controller config is correct but irrelevant. The override lives in RADIUS/ClearPass policy — fix the returned VSA there. Re-typing the local default or touching the radio won't change anything.
Q9 · Evaluate

A team plans a 6 GHz Wi-Fi 6E corporate SSID and wants to keep WPA2 fallback "just in case." Evaluate this plan.

Correct: d. On 6 GHz the standard requires WPA3-SAE (or WPA3-Enterprise) with PMF required — WPA2 and transition mode simply aren't allowed. So a "WPA2 fallback" on 6 GHz is impossible by design. Old WPA2-only devices stay on 2.4/5 GHz SSIDs. You also can't lower PMF to optional on 6 GHz.
Q10 · Evaluate

An admin sets the initial (logon) role to permit all traffic "so onboarding is smooth," planning to tighten roles only after 802.1X succeeds. Evaluate the security impact.

Correct: a. The initial role governs the client during the pre-auth window and is the fallback for clients whose auth fails or stalls. A permissive logon role means a device that never authenticates can still pass traffic to the LAN — a genuine breach path. Always scope the initial role to just DHCP, DNS and the RADIUS servers. PMF protects management frames, not data-plane authorization.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

🧠 Explain it back (60 seconds)

In your own words: a teammate says "the SSID profile and the AAA profile do the same thing." Type the one-line correction you'd give them — then imagine saying it out loud to a friend. Teaching it is how it sticks.

📬 Lock it in — get a 3-day recall nudge

We'll email you 3 quick recall questions on this lesson in 3 days. Spaced repetition is the cheapest way to turn "I read it" into "I know it."

✓ Locked in — watch your inbox in 3 days.

📖 Glossary — the terms that show up in tickets

VAP
Virtual AP profile — the broadcast container that ties an SSID profile to an AAA profile. One VAP = one SSID on air.
SSID profile
The radio/encryption half: essid, opmode (WPA mode), band, hide, max-clients.
AAA profile
The identity half: initial role, default roles per auth method, derivation rules, RADIUS server group.
User role
A named bundle of firewall ACLs + VLAN + bandwidth applied to a client after it connects. Your real segmentation boundary.
SAE
Simultaneous Authentication of Equals — WPA3-Personal's password handshake; resists offline cracking.
OWE
Opportunistic Wireless Encryption (RFC 8110) — encrypts open Wi-Fi with no password. Aruba opmode enhanced-open.
PMF
Protected Management Frames (802.11w) — blocks deauth/disassoc spoofing. Mandatory in WPA3, optional in transition mode.
VSA
Vendor-Specific Attribute — Aruba-User-Role is the famous one; a role it returns beats every locally configured role.
Transition mode
One SSID advertising both WPA2 and WPA3 for compatibility — convenient, but opens an offline-cracking path.

📚 Sources

  1. HPE Aruba Networking TechDocs — Virtual AP Profiles & Configuring WLAN Properties on AOS-10 APs. arubanetworking.hpe.com
  2. HPE Aruba Networking TechDocs — wlan ssid-profile (opmode keywords) & Configuring WPA3 Encryption. arubanetworking.hpe.com / CLI-Bank
  3. HPE Aruba Networking TechDocs — User Roles & Assigning User Roles (derivation precedence). arubanetworking.hpe.com (AOS 8.x & Central)
  4. HPE Aruba Networking — WPA3 and Enhanced Open 101 Technical Note + #ArubaAirheads WPA3/OWE TechTalk Live.
  5. TrustedSec — The Dangers of Transition Mode (WPA3 downgrade / PMF-optional risk). trustedsec.com
  6. Airheads Community — Guests stuck in logon role & 802.1x to captive portal threads. community.arubanetworks.com
  7. HPE Security Advisory — CVE-2025-37165 / CVE-2025-37166 (Aruba AP info-disclosure + DoS) and CSA advisory CVE-2026-23813 (AOS-CX auth bypass).
  8. HPE Certification — HPE6-A85 ACA Campus Access exam blueprint (WLAN domain ≈ 18%).

What's next?

You've seen how a VSA from RADIUS quietly overrides every local role. Next we open the box that sends that VSA — ClearPass Policy Manager: RADIUS service flow, role-mapping and enforcement policies, device posture and OnGuard health checks, and exactly why guests get "stuck in the logon role."

Next · Aruba ClearPass Policy Manager — RADIUS, Roles, Posture & OnGuard → ← Recap Aruba Architecture