Contributor II

Clearpass Endpoint Attributes



I have a MAC Caching service that authenticates againsed AD, looks up a group and maps to a role. gsStaff to [Staff]


I then have an enforcement policy that matches the [Staff] role, updates the endpoint as known, sends a CoA and a custom post authentication profile that adds the authentication username and the roles that were matched to the endpoint attributes.


Type=Endpoint, Name=Username, Value=%{Authentication:Username}

Type=Endpoint, Name=ADtoClearpassRoles, Value=%{Tips:Role}


The issue I'm having is that when modifying the MAC Authentication service mapping rules I attempt to select Type=Endpoint, Name=ADtoClearpassRoles EQUALS but the value is blank and no drop down for the roles within the endpoint attributes are selectable.


In essence I'd like to place MAC Authenticated devices into particular VLANS based on the AD groups from who originally authenticated the device. I'm not too sure if I'm going down the right track.


Can someone point me in the right direction please?





Guru Elite

Re: Clearpass Endpoint Attributes

You should really just stamp the username to the endpoint and evaluate the group membership of this user in real-time. Stamping dynamic data to the endpoint is not generally recommended.


Also, just an FYI, you should try not to use brackets in your profiles/roles/etc. They're reserved for system defaults.

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
Contributor II

Re: Clearpass Endpoint Attributes

Thanks Tim,


You've put me on the right track and I now have this working.




Search Airheads
Showing results for 
Search instead for 
Did you mean: