The question asks for a best practice when configuring Group-Based Policy (GBP). GBP simplifies policy management by assigning users/devices to roles and defining policies between these roles, often leveraging dynamic assignment from an authentication server.
GBP Concepts: Policies are typically defined based on source and destination roles. Roles can be assigned statically on the switch or dynamically via an authentication server like ClearPass.
Analysis of Options:
A & C: Policies define interactions between roles (source role to destination role). These roles can be the same (intra-role policy) or different (inter-role policy). Neither option represents a singular "best practice" for all configurations.
B: Using Static User Roles (SUR) is possible but less flexible and scalable than dynamic assignment for large or complex environments.
D: Using Downloadable User Roles (DUR) is generally considered a best practice. DUR allows roles and associated policies (including GBP attributes like GPID) to be centrally defined on an authentication server (e.g., ClearPass) and dynamically assigned to users/devices upon successful authentication. This provides scalability, consistency, and easier management.
Conclusion: Leveraging Downloadable User Roles (DUR) from a central authentication server like ClearPass is a best practice for implementing scalable and manageable Group-Based Policies.
References: Aruba Dynamic Segmentation concepts, Group-Based Policy (GBP) documentation, Aruba ClearPass integration guides. This relates to "Security" (10%) and "Authentication/Authorization" (9%) objectives.