Contributor II

ClearPass enforcement Profile

Probably this question has been addressed previously.

I would like to provide a different role and VLAN to students based on AP group on the same SSID.

Basically, if the student is in the classroom = Student Role

Student is now at the dorms = Studentdorm Role

This way I can provide different VLAN addressing and firewall policies to students on campus.

On ClearPass the long way to do this is to create a separate service and then match the incoming request on AP group, but then you have to create a new enforcement profile and push the roles (duplicate work).

Can I do this within one ClearPass service configuration and do the classification in the enforcement profile? If so, how?

Currently I have a ClearPass 802.1X service configured matching the SSID, then the enforcement profile based on AD membership groups. The problem is that in AD all campus students fall within the same group. So I need to find another way to differentiate a student in the classroom vs. a student in the dorms.

Thank you

Nils.


7 REPLIES
Guru Elite

Re: ClearPass enforcement Profile

Are the two different groups of APs on different controllers?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: ClearPass enforcement Profile

Can't you just reference the AP Group in the role mapping rule?

Either that or have your Enforcement Policy rule look for the Student role AND the AP Group to point at the proper policy.

Bruce Osborne - Wireless Engineer
ACCP, ACMP
Contributor II

Re: ClearPass enforcement Profile

Cappalli
Guru Elite

Re: ClearPass enforcement Profile

I wouldn't move your APs around just for this without looking at the overall topology.
Like Bruce said, you can just use the ap-group VSA in your role mapping to give the device a TIPS role like LOCATION_DORM and reference that TIPS role in your enforcement policy.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: ClearPass enforcement Profile

So,

I can create a role mapping to push the roles based on AP group. Then in the enforcement profile I use the role mapping to push the roles to the controller. Can the enforcement profile coexist with the AD membership groups?

Ideally if you can do something like:

Enforcement profile

Authorization: AP group or based on the controller IP = Studentsdorms.

Authorization: ClearPass to AD, member of contains AllStudents = Students

The students, when in the classroom, connect to a different AP group and a different controller; then when they go to the dorm, a different AP group and a different controller.

Contributor II

Re: ClearPass enforcement Profile

I agree about the AP-group moving point, because I originally grouped all physically close buildings to the controller. That would mean nearby buildings would end up terminating on different controllers with different L3 addressing schemas.

From the messages it seems the role mapping would be the best strategy. I will test this out.

Guru Elite

Re: ClearPass enforcement Profile

Yes, you can combine as many TIPS roles as you want in an enforcement rule.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
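The approach Bruce and Tim describe (one 802.1X service; a role mapping rule that turns the Aruba-AP-Group VSA into a TIPS role such as LOCATION_DORM; an enforcement policy rule that requires the AD-derived student role AND the location role) is a two-stage decision. The following added example, written for this thread and not ClearPass code or anything posted in it, models that decision so the rule ordering can be checked before it is built in the GUI. The AP-group names, AD group names, role names and the fallback profile are assumptions; the attribute paths follow ClearPass's Namespace:Source:Attribute naming.

```python
"""Simulation of ClearPass role mapping + enforcement policy for one SSID.

Added example: it is not ClearPass's own code, only a model of the decision
logic discussed in the thread. Group names and role names are assumptions.
"""

# Role mapping rules: (attribute, operator, match value, TIPS role to assign).
# Evaluated with ClearPass's "evaluate all" algorithm: every matching rule
# adds its role, so one request can carry STUDENT and LOCATION_DORM at once.
ROLE_MAPPING_RULES = [
    ("Radius:Aruba:Aruba-AP-Group", "BEGINS_WITH", "dorm-", "LOCATION_DORM"),
    ("Radius:Aruba:Aruba-AP-Group", "BEGINS_WITH", "classroom-", "LOCATION_CLASSROOM"),
    ("Authorization:AD:memberOf", "CONTAINS", "AllStudents", "STUDENT"),
    ("Authorization:AD:memberOf", "CONTAINS", "Faculty", "FACULTY"),
]
DEFAULT_TIPS_ROLE = "[Other]"

# Enforcement policy rules, "first applicable": (required TIPS roles, attributes
# returned to the controller). The specific rule (STUDENT AND LOCATION_DORM)
# must sit above the generic STUDENT rule or it will never be reached.
ENFORCEMENT_RULES = [
    ({"STUDENT", "LOCATION_DORM"}, {"Aruba-User-Role": "Studentdorm"}),
    ({"STUDENT"}, {"Aruba-User-Role": "Student"}),
    ({"FACULTY"}, {"Aruba-User-Role": "Faculty"}),
]
DEFAULT_ENFORCEMENT = {"Aruba-User-Role": "guest-logon"}  # hypothetical fallback


def _matches(actual, operator, expected):
    """Apply one ClearPass-style comparison operator to a request attribute.

    Multi-valued attributes (AD memberOf) are lists; a rule matches if any value does.
    """
    if actual is None:
        return False
    values = actual if isinstance(actual, list) else [actual]
    if operator == "EQUALS":
        return any(v == expected for v in values)
    if operator == "BEGINS_WITH":
        return any(v.startswith(expected) for v in values)
    if operator == "CONTAINS":
        return any(expected in v for v in values)
    raise ValueError(f"unsupported operator {operator}")


def map_roles(request):
    """Role mapping stage: return the set of TIPS roles for this request."""
    roles = {role for attr, op, val, role in ROLE_MAPPING_RULES
             if _matches(request.get(attr), op, val)}
    return roles or {DEFAULT_TIPS_ROLE}


def enforce(tips_roles, rules=ENFORCEMENT_RULES):
    """Enforcement stage: first rule whose required roles are all present wins."""
    for required, profile in rules:
        if required <= tips_roles:
            return dict(profile)
    return dict(DEFAULT_ENFORCEMENT)


def authorize(request):
    """Full decision for one 802.1X request on the shared student SSID."""
    return enforce(map_roles(request))


# Constructed sample requests: same SSID, same AD group, different AP groups.
STUDENT_DN = "CN=AllStudents,OU=Groups,DC=campus,DC=edu"
CLASSROOM_REQUEST = {"Radius:Aruba:Aruba-AP-Group": "classroom-bldg7",
                     "Authorization:AD:memberOf": [STUDENT_DN]}
DORM_REQUEST = {"Radius:Aruba:Aruba-AP-Group": "dorm-west",
                "Authorization:AD:memberOf": [STUDENT_DN]}

if __name__ == "__main__":
    for name, req in (("classroom", CLASSROOM_REQUEST), ("dorm", DORM_REQUEST)):
        print(name, sorted(map_roles(req)), authorize(req))
```

The check worth running before deploying this in ClearPass is the one the reversed rule order reveals: with the generic STUDENT rule first, a dorm student still gets the Student role, because first-applicable stops at the first match. Also confirm that the controller is actually sending Aruba-AP-Group in the Access-Request (visible under the request's input tab in Access Tracker), since a role mapping rule on an absent attribute silently never matches.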