Govroam

The Roaming solution for the public sector

Clearpass - Attribute Filters

Attribute filtering helps with the TechSpec requirement that sites don't send unnecessary, and potentially dangerous, attributes back to other sites. The normal problem is that a Home site will attach RADIUS attributes which set VLANs or roles intended for its own wireless controller. However, if these are sent back to a remote site where one of the Home site's users is trying to authenticate, they might inadvertently set the VLAN or role on the remote wireless controller. No one wants that.

Incoming requests/outgoing responses

Primarily you should filter the responses to incoming authentication requests. This will prevent you from affecting other sites.

You should have a Service which proxies incoming auth requests from the NRPS to your IdPs.

  • Go to 'Proxy Targets' and set these attributes for removal:
    • Tunnel-Type
    • Tunnel-Medium-Type
    • Tunnel-Private-Group-ID
    • Aruba-User-Role
    • Aruba-User-VLAN

Outgoing requests/incoming responses

For your own safety you should apply the same set of filters to the Service which proxies the auth requests from visitors to your site to the NRPS.

  • Go to 'Proxy Targets' and set the same attributes as above:
    • Tunnel-Type
    • Tunnel-Medium-Type
    • Tunnel-Private-Group-ID
    • Aruba-User-Role
    • Aruba-User-VLAN
siteadmin/clearpass_-_setting_attribute_filters.txt · Last modified: 2021/02/09 11:33 by admin