Higher Education

Occasional Contributor I

Clearpass Enforcement Policy

Hi,

I have a question related to a scenario where I want to push a firewall role (controller) from ClearPass. I am having a hard time understanding how we can implement this.

For example: I want to block a certain type of traffic for a user group. I have created a firewall rule on the controller. When I define an enforcement policy, where shall I define this enforcement? Because in the enforcement profile I don't see any condition related to pushing a firewall rule.

Regards,

MD

20 REPLIES
Frequent Contributor I

Re: Clearpass Enforcement Policy

MDTCS wrote: [the original post, quoted above]

We define the user roles in the controllers and send the Aruba-User-Role VSA from the ClearPass enforcement profile.

Bruce Osborne - Wireless Engineer
ACCP, ACMP
Occasional Contributor I

Re: Clearpass Enforcement Policy

Thanks for the reply Bruce.

What should be the attribute value in this case, the plain-text Aruba firewall role created on the controller?

For example: I have created a firewall role as "Block youtube", so my enforcement profile attribute would be:

Type: Radius:Aruba
Name: Aruba-user-role 1
Value: Block youtube

Is this a correct understanding?

Could you also help me understand on what basis we select an appropriate attribute?

Appreciate your help

Thanks

MD

Frequent Contributor I

Re: Clearpass Enforcement Policy

I am assuming you have PEFNG firewall licenses on your controller. The user-role would contain your ACL. If you wish to just block things, you must add the allowall ACL (policy) as the last ACL since there is an implicit denyall in a role which blocks anything.

If your controller user-role containing your ACLs is named "Block-Youtube" then your ClearPass Enforcement Profile would send back

Type: Radius:Aruba
Name: Aruba-User-Role
Value: Block-Youtube

I recommend not using spaces in names on the controller. You can use underscores and dashes instead, just be consistent.

Bruce Osborne - Wireless Engineer
ACCP, ACMP
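As an added illustration (not code from this thread or from Aruba), this is how the enforcement profile attribute above travels to the controller: the Aruba-User-Role VSA is vendor-type 1 (the "1" seen in the attribute name) under Aruba's IANA vendor ID 14823, wrapped in a RADIUS Vendor-Specific attribute (type 26) in the Access-Accept. The vendor ID and type are taken from the public Aruba RADIUS dictionary; the role name check enforces the no-spaces advice and the one-byte RADIUS attribute length limit.

```python
import struct
from typing import Optional

RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type
ARUBA_VENDOR_ID = 14823      # IANA enterprise number for Aruba Networks
ARUBA_USER_ROLE = 1          # vendor-type of Aruba-User-Role in the Aruba dictionary


def valid_controller_role_name(role_name: str) -> bool:
    """Reject names that will not round-trip cleanly: empty, containing whitespace
    (use underscores or dashes instead), or too long to fit in one RADIUS attribute
    (1-byte length field: 255 max, minus 8 bytes of type/length/vendor-id/vendor-header)."""
    if not role_name or any(c.isspace() for c in role_name):
        return False
    return len(role_name.encode("utf-8")) <= 255 - 8


def encode_aruba_user_role(role_name: str) -> bytes:
    """Build the Vendor-Specific attribute carrying Aruba-User-Role = role_name,
    as ClearPass would place it in the Access-Accept for the controller."""
    value = role_name.encode("utf-8")
    # Inner vendor attribute: vendor-type (1 byte), vendor-length (1 byte), value
    vendor_attr = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    # Outer attribute: type 26, length, 4-byte vendor-id, then the vendor attribute
    body = struct.pack("!I", ARUBA_VENDOR_ID) + vendor_attr
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_aruba_user_role(attr: bytes) -> Optional[str]:
    """Return the role name if attr is a well-formed Aruba-User-Role VSA, else None.
    Every length field is checked so a truncated or foreign VSA is not mistaken for a role."""
    if len(attr) < 8 or attr[0] != RADIUS_VENDOR_SPECIFIC or attr[1] != len(attr):
        return None
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id != ARUBA_VENDOR_ID:
        return None
    vtype, vlen = attr[6], attr[7]
    if vtype != ARUBA_USER_ROLE or vlen != len(attr) - 6:
        return None
    return attr[8:8 + vlen - 2].decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: the role name from the reply above
    wire = encode_aruba_user_role("Block-Youtube")
    print(wire.hex(), decode_aruba_user_role(wire))
```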
Contributor I

Re: Clearpass Enforcement Policy

Also don't forget about downloadable roles from CPPM. That way you can manage the roles in one place and push them to any switch or controller.

http://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/Content/CPPM_UserGuide/Enforce/EPAruba_Downloadable_Role.htm

Mike Naylor
The College of Wooster
Frequent Contributor I

Re: Clearpass Enforcement Policy

That requires ClearPass 6.6.7, correct? I do not currently recommend that release.

Our roles have so many ACL lines that downloading them for each user might not be too efficient. I may research this when I have time.

Bruce Osborne - Wireless Engineer
ACCP, ACMP
Contributor I

Re: Clearpass Enforcement Policy

No sir. We have been using downloadable roles for the last four years.


Mike Naylor
The College of Wooster
Frequent Contributor I

Re: Clearpass Enforcement Policy

OK, thanks for the correction.

I was just looking at the switch release notes and it requires 6.6.7.

Bruce Osborne - Wireless Engineer
ACCP, ACMP
Guru Elite

Re: Clearpass Enforcement Policy

Just to clarify here, the first time a user requires the downloadable role, it is downloaded from ClearPass. Each additional user that requires the same role will use the controller's downloaded copy of the role unless a change to the role has occurred in ClearPass.

tl;dr it's not downloaded every time.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Clearpass Enforcement Policy

Hi Tim,

Are you saying we can create firewall roles/ACLs (downloadable) in ClearPass, and the first-time user will download it from ClearPass and the controller will also download it? Next time a new user will download it from the controller?

I am not able to understand it correctly.

Regards,

MD.