Comprehensive and Detailed Explanation From Exact Extract of HPE Aruba Networking Switching:
In AOS-10 deployments using Zero Trust network architecture, user and device identities are enforced through roles assigned by ClearPass or Aruba Central policies. For multi-site environments, maintaining consistent policy enforcement requires role propagation between gateways across different locations.
To propagate user roles and policies across sites, tunneled SSIDs with gateways are required. This design ensures that wireless client traffic is tunneled from the access point (AP) to the Aruba gateway, where role-based access control (RBAC) and policy enforcement occur. The gateway acts as the policy enforcement point (PEP) for both local and remote traffic.
Exact Extract from HPE Aruba Networking AOS-10 and Switching Documentation:
“In AOS 10, tunneled SSIDs are used to extend centralized policy enforcement to gateways. Gateways apply user roles, firewall policies, and dynamic segmentation consistently across distributed sites.”
“For zero-trust designs requiring cross-site role propagation, all wireless traffic must terminate on gateways through tunneled SSIDs. Gateways then synchronize role information through the overlay tunnel or mobility framework.”
Thus, the only way to propagate role information between multiple sites in a zero-trust deployment is through tunneled SSIDs that terminate at the Aruba gateways. This ensures consistent policy enforcement across locations.
Why the Other Options Are Incorrect:
A. Configure the gateways to mobility type and configure the Roles under System → Client Roles in Central: While mobility type configuration is used for roaming, it does not enable role propagation across sites. Roles must be tied to tunneled SSIDs terminating on gateways for centralized enforcement.
“Gateway mobility enables seamless roaming, not centralized role propagation.”
B. Configure "use switch fabric for role propagation" under Security → Client Roles: This option applies to AOS-CX switch fabrics (Campus Fabric design) and not to wireless AOS-10 environments. Wireless role propagation uses gateway tunnels, not switch fabric propagation.
“Use switch fabric for role propagation applies to CX switch-based VXLAN fabrics, not wireless gateway deployments.”
C. Overlay campus switch fabric with CX switches: While Aruba CX fabrics can propagate roles in wired environments, this does not fulfill the requirement for wireless role propagation between remote sites.
“Role propagation over CX fabric applies to wired clients and does not substitute for tunneled SSID gateways in wireless networks.”
References of HPE Aruba Networking Switching Documents or Study Guide:
Aruba AOS 10 Network Design Guide – “Zero-Trust Design and Role Propagation in Multi-Site Deployments.”
Aruba Campus Wireless and Gateway Deployment Guide – “Tunneled SSIDs and Centralized Role Enforcement.”
Aruba Policy Enforcement and Role-Based Access Control Guide – “Role propagation over gateway tunnels.”