Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Device Group use cases

  • 1.  Device Group use cases

    Posted Feb 03, 2013 06:41 PM
    Can someone please explain how a device group could be used and why you would apply it to an Enforcement Profile?


  • 2.  RE: Device Group use cases

    EMPLOYEE
    Posted Feb 03, 2013 11:38 PM

    From the CPPM User guide:


    "Adding and Modifying Device Groups

    Policy Manager groups devices into Device Groups, which function as a component in Service and Role Mapping rules. Device Groups can also be associated with Enforcement Profiles; Policy Manager sends the attributes associated with these profiles only if the request originated from a device belonging to the device groups.


    Administrators configure Device Groups at the global level. They can contain the members of the IP address of a specified subnet (or regular expression-based variation), or devices previously configured in the Policy Manager database."


    Chapter 15, enforcement:


    "Optionally, each Enforcement Profile can have an associated group of NADs; when this occurs, Enforcement Profiles are only sent if the request is received from one of the NADs in the group. For example, you can have the same rule for VPN, LAN and WLAN access, with enforcement profiles associated with device groups for each type of access. If a device group is not associated with the enforcement profile, attributes in that profile are sent regardless of where the request originated."



  • 3.  RE: Device Group use cases

    Posted Feb 04, 2013 12:25 AM

    Thanks cjoseph.  I saw the first quote in the user guide before, but wasn't sure that I was understanding it correctly.  Chapter 15's quote really clears it up, "you can have the same rule for VPN, LAN, and WLAN access..."  So instead of creating many identical rules in an enforcement policy, but with different NADs and enforcement profiles, I can just create a single rule and add many enforcement profiles to it with device groups assigned to each.  If the NAD is within the group(s) specified in any of those profiles, then those profile attributes are sent.


    The use case I was thinking of is in a multi-story building, where each floor has its own switches with unique VLANs, and every workstation in the building matches one policy rule.  Instead of creating rules and a profile for each floor's VLAN to assign to a workstation, a single rule could be used along with an enforcement profile for each floor's workstation VLAN.  All workstations would be evaluated against a single rule and matched to the correct VLAN based on the location of the switch they're connected to.  That is, if I'm understanding this correctly.

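The evaluation semantics described in the two posts above (one rule, several enforcement profiles, each gated by a device group, ungated profiles always sent), modelled as an added example. This is not ClearPass code or its API; the class names, the per-floor subnets and the RADIUS attribute values are constructed for illustration, and the simple dictionary merge of attributes from several matching profiles is a simplification of how the product combines them.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DeviceGroup:
    """Hypothetical model of a Device Group: NADs matched by subnet or by a regex on the NAD IP."""
    name: str
    subnets: List[str] = field(default_factory=list)   # CIDR strings
    patterns: List[str] = field(default_factory=list)  # regular expressions matched against the NAD IP

    def contains(self, nad_ip: str) -> bool:
        addr = ipaddress.ip_address(nad_ip)
        if any(addr in ipaddress.ip_network(s) for s in self.subnets):
            return True
        return any(re.fullmatch(p, nad_ip) for p in self.patterns)


@dataclass
class EnforcementProfile:
    """Hypothetical model of an Enforcement Profile optionally tied to a Device Group."""
    name: str
    attributes: Dict[str, str]
    device_group: Optional[DeviceGroup] = None  # None: attributes are sent regardless of NAD


def evaluate_rule(profiles: List[EnforcementProfile], nad_ip: str) -> Dict[str, str]:
    """Attributes sent for a rule that already matched, given the IP of the requesting NAD."""
    sent: Dict[str, str] = {}
    for profile in profiles:
        if profile.device_group is None or profile.device_group.contains(nad_ip):
            sent.update(profile.attributes)
    return sent


# Constructed sample: one access switch subnet per floor, floor 3 expressed as a regex.
FLOOR1 = DeviceGroup("Floor1-Switches", subnets=["10.1.1.0/24"])
FLOOR2 = DeviceGroup("Floor2-Switches", subnets=["10.1.2.0/24"])
FLOOR3 = DeviceGroup("Floor3-Switches", patterns=[r"10\.1\.3\.\d{1,3}"])

# A single rule carrying one VLAN profile per floor plus one ungated profile.
PROFILES = [
    EnforcementProfile("Workstation-VLAN-Floor1", {"Tunnel-Private-Group-Id": "101"}, FLOOR1),
    EnforcementProfile("Workstation-VLAN-Floor2", {"Tunnel-Private-Group-Id": "102"}, FLOOR2),
    EnforcementProfile("Workstation-VLAN-Floor3", {"Tunnel-Private-Group-Id": "103"}, FLOOR3),
    EnforcementProfile("Workstation-Timeout", {"Session-Timeout": "28800"}),
]

if __name__ == "__main__":
    for nad in ("10.1.2.7", "10.1.3.42", "10.9.9.9"):
        print(nad, evaluate_rule(PROFILES, nad))
```

A request from a switch outside every floor group still receives the ungated profile's attributes but no VLAN, which is the case to check when a new floor's subnet has not yet been added to a group.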


  • 4.  RE: Device Group use cases

    EMPLOYEE
    Posted Feb 04, 2013 01:03 AM

    Exactly!



  • 5.  RE: Device Group use cases

    MVP
    Posted Oct 21, 2014 09:03 AM

    How do you use the "device group" as a service rule? I've looked and can't seem to find it.



  • 6.  RE: Device Group use cases

    Posted Oct 21, 2014 09:20 AM

    [Two attached screenshots of ClearPass Policy Manager (Aruba Networks), captured 2014-10-21, showing where the device group is selected in the service rule configuration]



  • 7.  RE: Device Group use cases

    MVP
    Posted Oct 21, 2014 09:21 AM

    Awesome, thank you!