Aruba SD-WAN - Identity Based Traffic Management!


In this article we look at the Aruba SD-WAN Identity-Based Traffic Management (IBTM) capability. IBTM lets you configure policies whose match criteria are identity attributes such as username, user role, user group, MAC address and device type. As soon as a user initiates communication, IBTM automatically applies the traffic policies whose identity criteria match. For instance, a user in the Guest group should be able to reach only the Internet and should be denied access to corporate applications.

This feature is supported in environments where:

·       the SD-WAN orchestrator and the SD-WAN appliance run version 9.2 or later,

·       ClearPass is configured as the RADIUS server,

·       endpoints are configured to authenticate against that RADIUS server,

·       the SD-WAN appliance sits in the path that RADIUS packets take to the RADIUS server (it learns identity by inspecting that traffic, so a RADIUS exchange that bypasses the appliance is never seen), and

·       RADIUS security is disabled, i.e. the RADIUS exchange transits the appliance in the clear; the appliance reads the packets to learn identity, so an encrypted RADIUS transport such as RadSec would hide exactly the attributes it needs.

Aruba SD-WAN applies the right policies once a device has authenticated to the network. The RADIUS role assigned to the device becomes a match criterion when policies are created, and the matching policy is applied automatically when the user communicates over the network. This greatly simplifies policy administration: the policy follows the identity rather than the address.


The identity attributes learned from RADIUS, such as user role, MAC address, user group and device type, are available as match criteria to every policy type: overlay policy, route policy, security policy, QoS policy and NAT policy. For example, a user authenticates to the network as a Guest user. The guest is assigned a policy that allows only Internet access, and performance enhancement features such as WAN Optimization, FEC and fast failover are not enabled.

Another user who authenticates as a corporate user should be able to access all applications (internal or external) and should be given all performance enhancements.

Aruba SD-WAN does not require any authentication method or protocol configuration on the SD-WAN appliance. It only inspects the RADIUS packets that transit it in order to populate its identity table. This identity table includes MAC address, IP address, username, user device, user role and user group. Because the table is populated passively, an endpoint whose RADIUS exchange the appliance never saw has no identity entry and therefore matches none of the identity-based criteria; it is handled by whatever non-identity policies apply.

These attributes become the match criteria when configuring policies in the Orchestrator (the Aruba SD-WAN management portal).
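To make the mechanism concrete, here is an added example (not Aruba code, and not taken from this article) that models what the appliance is described as doing: it snoops constructed RADIUS Access-Request, Access-Accept and Access-Reject packets, pairs each Accept with its Request by NAS address and Identifier, extracts User-Name, Calling-Station-Id, Framed-IP-Address and the Aruba-User-Role vendor-specific attribute (Vendor-Id 14823, VSA type 1, per the Aruba RADIUS dictionary), and then classifies flows against a Guest/Corporate policy table like the one discussed above. Which attributes the real appliance keys on, how it correlates packets, and the policy table itself are assumptions made for illustration.

```python
"""Toy RADIUS snooper that builds an identity table and applies identity-based
policies.  Added example, not Aruba code: it models the article's mechanism
(inspect transiting RADIUS, key policies on role) using RFC 2865 attributes and
the Aruba-User-Role VSA.  The attributes used, the request/accept correlation and
the policy table are assumptions."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RFC 2865 codes
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VSA, ATTR_CALLING_STATION = 1, 8, 26, 31
ARUBA_VENDOR_ID, ARUBA_USER_ROLE = 14823, 1                      # Aruba dictionary


def build_packet(code: int, ident: int, attrs) -> bytes:
    """Encode a RADIUS packet with a zero authenticator (signing is out of scope)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def aruba_role_vsa(role: str) -> bytes:
    """Value of a Vendor-Specific attribute carrying one Aruba-User-Role sub-attribute."""
    v = role.encode()
    return struct.pack("!IBB", ARUBA_VENDOR_ID, ARUBA_USER_ROLE, len(v) + 2) + v


def parse_packet(raw: bytes):
    """Return (code, identifier, attrs); VSAs are keyed as ("vsa", vendor, subtype)."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", raw[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        val = raw[pos + 2:pos + l]
        if t == ATTR_VSA:
            vendor, vpos = struct.unpack("!I", val[:4])[0], 4
            while vpos < len(val):            # a VSA may carry several sub-attributes
                vt, vl = struct.unpack("!BB", val[vpos:vpos + 2])
                if vl < 2 or vpos + vl > len(val):
                    raise ValueError("bad VSA length")
                attrs[("vsa", vendor, vt)] = val[vpos + 2:vpos + vl]
                vpos += vl
        else:
            attrs[t] = val
        pos += l
    return code, ident, attrs


@dataclass
class Identity:
    username: str
    mac: str
    ip: str
    role: str


class IdentityTable:
    """Pair each Access-Accept with its Access-Request by (NAS address, Identifier)."""

    def __init__(self):
        self.pending: Dict[Tuple[str, int], dict] = {}
        self.by_ip: Dict[str, Identity] = {}

    def observe(self, raw: bytes, nas: str) -> Optional[Identity]:
        code, ident, attrs = parse_packet(raw)
        if code == ACCESS_REQUEST:
            self.pending[(nas, ident)] = attrs
            return None
        req = self.pending.pop((nas, ident), None)
        if req is None or code != ACCESS_ACCEPT:
            return None                       # reject, or accept with no matching request
        ip_raw = attrs.get(ATTR_FRAMED_IP) or req.get(ATTR_FRAMED_IP)
        if ip_raw is None or len(ip_raw) != 4:
            return None                       # flows are keyed on IP; nothing to install
        entry = Identity(
            username=req.get(ATTR_USER_NAME, b"").decode(errors="replace"),
            mac=req.get(ATTR_CALLING_STATION, b"").decode(errors="replace"),
            ip=socket.inet_ntoa(ip_raw),
            role=attrs.get(("vsa", ARUBA_VENDOR_ID, ARUBA_USER_ROLE), b"").decode(errors="replace"),
        )
        self.by_ip[entry.ip] = entry
        return entry


# Constructed policy table: role -> (reachable destination classes, performance features)
POLICIES = {
    "guest": ({"internet"}, set()),
    "corporate": ({"internet", "corporate-app"}, {"wan-opt", "fec", "fast-failover"}),
}


def classify_flow(table: IdentityTable, src_ip: str, dest_class: str) -> Tuple[str, Set[str]]:
    """Decide a flow from src_ip; unidentified sources fall through to non-identity policies."""
    ident = table.by_ip.get(src_ip)
    if ident is None or ident.role not in POLICIES:
        return "fallback", set()
    allowed, features = POLICIES[ident.role]
    return ("permit" if dest_class in allowed else "deny"), features


def demo() -> IdentityTable:
    """Feed constructed Access-Request/Accept/Reject packets through the snooper."""
    nas, t = "10.1.1.1", IdentityTable()
    t.observe(build_packet(ACCESS_REQUEST, 7, [(ATTR_USER_NAME, b"guest01"),
              (ATTR_CALLING_STATION, b"AA-BB-CC-00-00-01")]), nas)
    t.observe(build_packet(ACCESS_ACCEPT, 7, [(ATTR_FRAMED_IP, socket.inet_aton("10.10.20.5")),
              (ATTR_VSA, aruba_role_vsa("guest"))]), nas)
    t.observe(build_packet(ACCESS_REQUEST, 8, [(ATTR_USER_NAME, b"alice"),
              (ATTR_CALLING_STATION, b"AA-BB-CC-00-00-02"),
              (ATTR_FRAMED_IP, socket.inet_aton("10.10.30.7"))]), nas)
    t.observe(build_packet(ACCESS_ACCEPT, 8, [(ATTR_VSA, aruba_role_vsa("corporate"))]), nas)
    t.observe(build_packet(ACCESS_REQUEST, 9, [(ATTR_USER_NAME, b"mallory"),
              (ATTR_FRAMED_IP, socket.inet_aton("10.10.40.9"))]), nas)
    t.observe(build_packet(ACCESS_REJECT, 9, []), nas)
    return t


if __name__ == "__main__":
    table = demo()
    for ip in ("10.10.20.5", "10.10.30.7", "10.10.40.9"):
        print(ip, table.by_ip.get(ip), classify_flow(table, ip, "corporate-app"))
```

Two points the code makes explicit that the prose only implies: the rejected user (identifier 9) never gets an entry, so their traffic falls through to the non-identity policies rather than being granted anything, and the Framed-IP-Address may arrive in either the Request or the Accept, so the snooper must keep the Request's attributes until the Accept is seen.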

IBTM can be used for several use cases, including:

-         Traffic steering: for IoT devices, do not forward traffic to the cloud security solution (SSE); for the corporate group, send Internet traffic to the cloud security service for protection against external threats.

-          QoS: give Guest devices best-effort treatment, but give corporate users and business clients (for example, POS terminals) real-time or critical-application treatment together with the WAN Optimization feature.

-          WAN Optimization: compress network management traffic.

With this brief introduction to the feature, let me conclude this article; there is more to come on this topic. I hope you find it informative!