7.4.0

Appendix


Operational Mode Descriptions

Mode

Description

L2 VLANs

Represents an Aruba configuration that uses VLANs on the controller, rather than Roles, to manage connecting users. When configured this way, Roles either do not exist or are not used. This mode operates similarly to L2 Roles with VLANs in that a change between states represents a change of network and therefore an IP address reassignment. Disconnecting the host from the network is therefore necessary here, for the same reasons given for L2 Roles with VLANs.

L2 Roles with VLANs

Represents an Aruba configuration that uses Roles on the controller to manage connecting users. Each Role is assigned to a VLAN or VLAN pool (see VLAN Pools under Considerations). When configured in this fashion, users who are moved between different Roles by FortiNAC are assumed to be placed into different networks, thus requiring them to obtain a new IP address for each Role.

To ensure that hosts moved between Roles by FortiNAC correctly obtain a new IP address, it is necessary to temporarily sever their network connection. This process ensures a successful transition into the new network; however, it also adds to the time required for the user to be functional in the new Role.

L2 Roles Only

Represents an Aruba configuration that utilizes Roles on the controller to manage connecting users where all the affected Roles belong to the same VLAN. When configured in this way, users who are moved between different Roles by FortiNAC are assumed to always belong to the same network and maintain their IP address throughout their entire connection.

Because users never change networks, it is not necessary to disconnect them from the network during the Role transition, which allows for a smoother Role transition experience.

L3 Roles Only

Represents an Aruba controller that is being dedicated for use as an in-line point of access control device. This can be used in situations where downstream devices (either local or remote access) are not visible and manageable by FortiNAC. Hosts in this case are managed at the controller, which is their point of access to the secured network. Controllers configured in this way must be dedicated to this mode and cannot be used for other wired or wireless traffic.
