Users/Devices and Policy Enforcement Recommendations

The following table specifies the enforcement recommendations for different type of users and devices. While it is recommended to tunnel the traffic in some cases, other cases can be met by simply using local forwarding on the switch.

Type	Enforcement	Description
Access Point	Local	Local infrastructure device.
Voice/Video Device	Local	Desk and conference phones, security cameras, and room media systems.
Employee on Managed Device	Local	Users connecting from a healthy and managed device can stay local to the Aruba switch.
Employee on Unmanaged device	Tunnel	Users connecting from an unmanaged or potentially untrusted device can be tunneled.
New/Unknown Device	Tunnel	Tunnel new or unknown devices, potentially untrusted devices used for profiling, potential onboarding, guest registration, and quarantine.
Guest User	Tunnel	Guest users to DMZ guest network.
Contractor	Tunnel	Contractors may need more access than a traditional guest user.
Change in User/Device Posture	Tunnel	User or device goes from a healthy to unhealthy state (OnGuard checks, IntroSpect notification, Ingress Event Engine Notification)