Comprehensive and Detailed Explanation (Verified Extract from HPE Aruba Networking Switching Documentation)
When implementing AAA (Authentication, Authorization, and Accounting) on Aruba CX switches, there are mechanisms to ensure that end-user devices maintain basic network connectivity even if authentication fails due to server unreachability or configuration errors.
Two key mechanisms address this concern:
1. Critical Role
The critical role defines the local role that is automatically applied to a port or user session when:
The authentication server is unreachable, or
This ensures that endpoints (clients) can still obtain limited or temporary access to the network (for example, DHCP and DNS access) even when RADIUS is unavailable.
ArubaOS-CX Extract:
“When AAA authentication fails due to the RADIUS server being unreachable, the switch assigns the critical-role to the client, allowing limited access to the network until connectivity to the server is restored.”
2. Fallback Role
The fallback-role defines a default role that the switch applies to any device that fails authentication or does not match any configured authentication method (e.g., device profiling, MAC-auth, or 802.1X).
In lab or early deployment scenarios, this role provides baseline network access for devices that fail authentication but should not be entirely blocked.
ArubaOS-CX Extract:
“The fallback role allows clients that do not match any authentication or profiling method to obtain a defined level of access instead of being denied network connectivity.”
Option Analysis:
A. Configure onboarding-method concurrent → Used to enable multiple onboarding methods (802.1X, MAC-auth, device profiling) concurrently; does not prevent network denial.
B. Configure the critical role → Correct. Ensures connectivity when AAA servers are unreachable.
C. Configure auth-mode multi-device → Controls how multiple clients share a port; unrelated to AAA fallback behavior.
D. Configure the fallback role → Correct. Provides network access to unauthenticated or failed-auth clients.
E. Configure port-access radius-override → Allows RADIUS to override local roles or VLANs; does not address reachability or failure handling.
Final Verified Answers: B, D
Reference Sources (HPE Aruba Official Materials):
Aruba AOS-CX Security and Access Configuration Guide – Port Access, AAA, and Roles
Aruba Certified Switching Professional (ACSP) Study Guide – AAA and Authentication Failover
ArubaOS-CX Fundamentals Guide – Critical and Fallback Role Configuration
