Clearpass User and Device custom limit -- October-MHC


Introduction:

I need to bypass the bandwidth enforcement limit applied for the NAS because some guests need to be "unlimited".

 

I have two services, one for mac-auth and one for radius-auth

(in this tutorial I skip web-auth rules)

services.JPG

 

Normally my guests are created from the self-service portal login and they have different bandwidth restrictions depending on the NAS where they are connecting.

 

Now some customers want some users to become "power users" and skip the bandwidth limit I set on various nap's services.

 

1) Custom Role_ID

The first step is adding the Role_Id column in the guest account manager and modifying this field in the users we want to elect as "unlimited".

 

users.JPG

 

Once we've done this, we have to clean up the endpoint associated with this user

(we can go under config -- identity -- endpoint and use a filter like "attribute contains username containing 338").

 

2) Radius-Auth

Now we can try a new logon.

The first service match will be mac-auth, but now the endpoint doesn't exist, so the next rule will be matched - Radius Auth.

radius-auth.JPG

 

As you can see from the previous image, the mapping feature will set the role "UtentiSenzaLimiti" because the guest roleid is = 2, and the enforcement profile will update the endpoint id, as we can see in the next image.

endpoint update.JPG

 

3) MAC-Auth

So now mac-auth will also work (the mac-auth details follow).

mac-auth1.JPG

mac-auth2.JPG

 

4) Debug

If I run some login tests, I can see in the logs that everything is working as expected.

 

Radius Debug

radius-auth-log.JPG

Mac-Auth Debug

debug-mac-auth.JPG

 

Andrea Consadori
ACMP 5.0 and 6.3

