Higher Education

Guru Elite

Re: Clearpass Enforcement Policy

User Bob is assigned Role A. Version 1 of the role downloads from ClearPass.

User Alice authenticates 5 minutes later and is assigned Role A. This role is still on version 1. It is not redownloaded.

 

Once the last user that is assigned the role disconnects, the role is flushed.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP

Re: Clearpass Enforcement Policy

What are some pros|cons of using downloadable roles vs traditionally creating them on the controller?
How many customers are using downloadable roles?


- Ryan -
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite

Re: Clearpass Enforcement Policy

ClearPass becomes your only role definition point. That is very attractive to many customers.

 

We see much higher usage and interest on the wired side due to the sheer number of switches. With ArubaOS 8.X with Mobility Master, there might not be as big of a need on the wireless side.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Clearpass Enforcement Policy

We love the fact that once a role is applied to a user (or AD group in our case), the user gets the same role no matter if they are wired or wireless and changes only have to be made in one location.


Mike Naylor
The College of Wooster
Guru Elite

Re: Clearpass Enforcement Policy

Sounds like downloadable roles would be perfect for you!


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Clearpass Enforcement Policy

We have multiple masters on our campus and I have wanted to use downloadable roles for some time, but have not done so yet.

A pro I see is that having a single point of definition (as Tim points out) for the roles makes it easier to implement changes across all of my controllers.

I don’t use ClearPass for all of the Wi-Fi networks yet (and may never have all of them on ClearPass), so a con would be having to deal with multiple ways of implementing roles and managing them.

Questions that I have had, but have not looked into (or don’t remember the answers to) are:

* What happens when I update the role definition in ClearPass? Do all existing users keep the same rules and only subsequent users get the updated ruleset?
* If the controller already has a role downloaded, how does it know if the role definition on ClearPass has changed and it needs to download a new role?
* How do you look at the characteristics of a downloadable user role from the controller (either Web UI or CLI)?
* In HA pairs, when do backup controllers download the roles? With potentially thousands of users moving from one controller to the other how does ClearPass know to only download the role once since there would be thousands asking at virtually the same time?

A challenge I see is that, with the exception of rebooting controllers, we never have a role with zero users, so to be sure the current role was being sent, I suppose you would have to clear the user tables for users in that role?

Amel Caldwell
University of Washington UW-IT
Wi-Fi Network Engineer
Wi-Fi Service Manager

amelc@uw.edu
206-543-2915

Ask me about open Network Engineer positions on the wireless team.
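
The caching behaviour described earlier in this thread (a role is downloaded for its first user, reused while anyone holds it, and flushed when the last user disconnects), together with the stale-role challenge raised in the post above, can be modelled in a few lines. This is an added example, not Aruba or ClearPass code and not part of any post; the class, its methods and the version numbers are hypothetical, and it assumes the controller never re-checks a role it already holds.

```python
class ControllerRoleCache:
    """Toy model of the downloadable-role caching described in this thread."""

    def __init__(self, policy_server):
        # policy_server: role name -> current version (stands in for ClearPass)
        self.policy_server = policy_server
        self.cached = {}   # role name -> version held by the controller
        self.users = {}    # role name -> set of connected users

    def connect(self, user, role):
        if role not in self.cached:
            # First user of the role: download whatever version is current.
            self.cached[role] = self.policy_server[role]
        self.users.setdefault(role, set()).add(user)
        return self.cached[role]  # version this user is enforced with

    def disconnect(self, user, role):
        members = self.users.get(role, set())
        members.discard(user)
        if not members:
            # Last user of the role is gone: the role is flushed.
            self.cached.pop(role, None)
            self.users.pop(role, None)

    def stale_roles(self):
        # Roles whose cached version differs from the policy server's version.
        return {role: (held, self.policy_server[role])
                for role, held in self.cached.items()
                if held != self.policy_server[role]}


def demo():
    server = {"Role A": 1}                      # constructed sample data
    ctrl = ControllerRoleCache(server)
    seen = [ctrl.connect("bob", "Role A"),      # downloads version 1
            ctrl.connect("alice", "Role A")]    # reuses version 1
    server["Role A"] = 2                        # role edited centrally
    seen.append(ctrl.connect("carol", "Role A"))  # role in use: still version 1
    stale = ctrl.stale_roles()
    for user in ("bob", "alice", "carol"):
        ctrl.disconnect(user, "Role A")         # last disconnect flushes the role
    seen.append(ctrl.connect("dave", "Role A"))   # fresh download: version 2
    return seen, stale


if __name__ == "__main__":
    print(demo())
```

In this model a tightened rule set reaches nobody until the role's user count drops to zero, so a `stale_roles`-style comparison is the check to run after any role change.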



MVP

Re: Clearpass Enforcement Policy

Definitely a neat sounding feature. Amel, you [perhaps inadvertently] outlined the complexity of it beautifully. For me, I have condensed our network into 3 masters, and given that user-roles should overall be rather static, I prefer to keep ClearPass out of it.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Frequent Contributor I

Re: Clearpass Enforcement Policy

We too have 3 masters and look forward to ArubaOS 8.x to consolidate our configuration into one configuration tree.

Bruce Osborne - Wireless Engineer
ACCP, ACMP
MVP

Re: Clearpass Enforcement Policy

Braggadocious! ;) Unfortunately, we exceed single cluster limits and will continue to have multiple points of configuration. Not a bad thing though. Know what they say about [wifi] eggs in one basket…
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Frequent Contributor I

Re: Clearpass Enforcement Policy

Scalability is an issue many times.

I suspect your network is larger than most HPE customers but we thank you for stressing the products to their limit, improving them.

Bruce Osborne - Wireless Engineer
ACCP, ACMP