Cloud Managed Networks

Hi All, 

One of the customer is using on prem AD and they want to block Android/IOS on a particular SSID using device profiling. Is it possible using Aruba Central (with our without Central NAC)?

-------------------------------------------

for you to be able to block, yo need to have some form of auth/authz, so either CNAC or ClearPass.

CNAC only supports Cloud based Identity stores (Entra, Google workspace and Okta). So for on-prem identity store, you can achieve it with ClearPass

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------

So for that to work is Foundation license for AP enough or do i need Advance license with/without Central NAC subscription?

i saw in the documents that we cannot define custom policy type in core?

-------------------------------------------

Original Message:
Sent: Feb 19, 2026 01:42 AM
From: ariyap
Subject: Central NAC - Profiling and On Prem AD

for you to be able to block, yo need to have some form of auth/authz, so either CNAC or ClearPass.

CNAC only supports Cloud based Identity stores (Entra, Google workspace and Okta). So for on-prem identity store, you can achieve it with ClearPass

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------

Correct on the documentation. Using policy like 'Entra ID Group AND Device Type' is a custom policy and require NAC Pro.

Just 'Entra ID group' would be in NAC Core which is included in Foundation Central Licenses, similar to the functionality in Classic Central Cloud Authentication and Policy.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Feb 25, 2026 03:23 AM
From: harry fine
Subject: Central NAC - Profiling and On Prem AD

So for that to work is Foundation license for AP enough or do i need Advance license with/without Central NAC subscription?

i saw in the documents that we cannot define custom policy type in core?

With Central NAC Pro, you should be able to do that. If you have enrolled your clients with EAP-TLS / Client Certificates, you can authenticate those without an authorization source, just on the client certificate. Also with Central NAC Pro, you can create advanced policies, like 'if issueing CA is your on-premises PKI and Client TAG or Device Type is mobile device' and apply roles or reject accordingly.

ClearPass may be the more logical choice for on-premises AD.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Dear Herman, 

I got the official recommendation to use Aruba central Advanced subscription only as it will be able to block the device type. however what i want to know will it be able to block the android device on association stage (so that the device doesnt connect at all) or will it let it connect and then assign it a quarantine vlan etc to restrict its access?

-------------------------------------------

Original Message:
Sent: Feb 20, 2026 10:14 AM
From: Herman Robers
Subject: Central NAC - Profiling and On Prem AD

With Central NAC Pro, you should be able to do that. If you have enrolled your clients with EAP-TLS / Client Certificates, you can authenticate those without an authorization source, just on the client certificate. Also with Central NAC Pro, you can create advanced policies, like 'if issueing CA is your on-premises PKI and Client TAG or Device Type is mobile device' and apply roles or reject accordingly.

ClearPass may be the more logical choice for on-premises AD.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------