on 08-20-2015 11:23 AM
Probably this question has been addressed previously.
I would like to provide a different role and VLAN to students based on AP group on the same SSID.
Basically, if the student is in the classroom = Student Role
Student is now at the dorms = Studentdorm Role
This way I can provide different VLAN addressing and firewall policies to students on campus.
On ClearPass the long way to do this is to create a separate service and then match the incoming request on AP group, but then you have to create a new enforcement profile and push the roles. (Duplicate work)
Can I do this within one ClearPass service configuration and do the classification in the enforcement profile? If so, how?
Currently I have a ClearPass 802.1X service configured matching the SSID, then the enforcement profile based on AD membership groups. The problem is that in AD all campus students fall within the same group. So I need to find another way to differentiate a student in the classroom vs. a student in the dorms.
on 08-20-2015 11:26 AM
Can't you just reference the AP Group in the role mapping rule?
Either that or have your Enforcement Policy rule look for the Student role AND the AP Group to point at the proper policy.
on 08-20-2015 11:34 AM
Thank you for your time.
All the dorm AP groups terminate on the same controller. I do have other buildings terminating on the same controller. However, if you can match in the enforcement profile based on the controller IP to push a different role, then I would just move the LMS-IP of the other buildings to a different controller.
on 08-20-2015 11:37 AM
I wouldn't move your APs around just for this without looking at the overall topology.
Like Bruce said, you can just use the AP-group VSA in your role mapping to give the device a TIPS role like LOCATION_DORM and reference that TIPS role in your enforcement policy.
on 08-20-2015 11:52 AM
I can create a role mapping to push the roles based on AP group. Then in the enforcement profile I use the role mapping to push the roles to the controller. Can the enforcement profile coexist with the AD membership groups?
Ideally, if you can do something like:
Authorization: AP-Group, or based on the controller IP = Studentsdorms.
Authorization: ClearPass to AD, member-of contains AllStudents = Students
The students, when in the classroom, connect to a different AP group on a different controller; then when they go to the dorm, a different AP group on a different controller.
on 08-20-2015 11:55 AM
I agree about the AP-group moving point, because I originally grouped all physically close buildings on the controller. That would mean nearby buildings would end up terminating on different controllers with different L3 addressing schemas.
From the messages it seems the role mapping would be the best strategy. I will test this out.