Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Definition of clearpass host groups, possible enhancement request

  • 1.  Definition of clearpass host groups, possible enhancement request

    Posted Oct 20, 2014 12:09 PM

    Hi,

    Just been looking at writing scripts to import RAS devices from our existing freeradius service into clearpass.

    While writing the xml bit to import the hosts was trivial and I'm sure putting hosts into an appropriate host group based upon their IP address will be just as easy, I can't help thinking that once we (eventually) move over to having clearpass as our primary authentication service things aren't going to be as simple as it was getting the clients into clearpass.

    We are currently an HP ProCurve site. We will (real soon now) also have HP Comware stuff on campus and a whole batch of other manufacturer RAS Clients.

    The thought of managing group members based upon RAS Client IP addresses doesn't fill me with a great deal of joy. With the exception of one of our departments we don't assign 1 shared key to multiple devices. Every device has its own shared key, so a group of (for example) HP Procurve devices can have up to 1000+ clients. While I do (sadly) know the ip addresses of some of our switches, I don't know all of them!

    I may well want to write some services that are only applicable to a particular group of hosts, e.g. ProCurve switches or Comware Switches or VPN servers etc. and when you've got thousands of hosts it's really going to be a pain to do it based upon IP address.

    Could we have an enhancement request to allow group membership to also be possible based upon RAS Client name?

    Rgds

    Alex



  • 2.  RE: Definition of clearpass host groups, possible enhancement request
    Best Answer

    Posted Oct 20, 2014 09:44 PM

    Is it possible to use a custom attribute for this? It may require some input after your initial import, but may give you what you want.

    First create the attribute (Administration --> Dictionaries --> Attributes)

    [Screenshot: cppm-device-1.png]

    Then create/edit your Devices as necessary and add the attribute you defined above and assign appropriately.

    [Screenshot: cppm-device-2.png]

    Finally, base your service rules off this attribute. This example shows the attribute EQUALS a certain field, but you could use REGEX or other matching options to suit your needs.

    [Screenshot: cppm-device-3.png]
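An added example, not code from either post and not ClearPass's import format: a small Python script in the spirit of the import scripts Alex describes, which parses a freeradius clients.conf, derives the custom DeviceType attribute that the Best Answer proposes from an assumed client-name convention, and selects devices by that attribute instead of by IP address. The config text, device names, secrets and naming rules are all constructed; serialising the result into ClearPass's XML import schema is left out because the thread does not show that schema.

```python
import re

# Constructed sample clients.conf in freeradius syntax (hypothetical names and secrets)
CLIENTS_CONF = """client procurve-sw01 {
    ipaddr = 10.10.1.1
    secret = sample-secret-1
}
client comware-core {
    ipaddr = 10.20.0.1
    secret = sample-secret-2
}
client vpn-gw {
    ipaddr = 192.0.2.10
    secret = sample-secret-3
}
"""

# Assumed naming convention: the RAS client name prefix identifies the platform
DEVICE_TYPE_RULES = [
    (re.compile(r"^procurve-", re.I), "ProCurve"),
    (re.compile(r"^comware-", re.I), "Comware"),
    (re.compile(r"^vpn-", re.I), "VPN"),
]

def classify(name):
    """Map a client name to a DeviceType value; unknown names are flagged for review."""
    for pattern, device_type in DEVICE_TYPE_RULES:
        if pattern.search(name):
            return device_type
    return "Unclassified"

def parse_clients_conf(text):
    """Parse each client block and tag it with a DeviceType custom attribute."""
    devices = []
    for block in re.finditer(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        name, body = block.group(1), block.group(2)
        kv = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", body, re.M))
        if "ipaddr" not in kv or "secret" not in kv:
            raise ValueError(f"client {name}: ipaddr and secret are required")
        devices.append({"name": name, "ip": kv["ipaddr"], "secret": kv["secret"],
                        "attributes": {"DeviceType": classify(name)}})
    return devices

def select_by_type(devices, device_type):
    """Mirror of a service rule 'DeviceType EQUALS <type>': no IP address lists needed."""
    return [d["name"] for d in devices if d["attributes"].get("DeviceType") == device_type]
```

Devices that come out as Unclassified are meant to be reviewed before import so they do not land in the wrong service silently.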