
Device Group use cases

Can someone please explain how a device group could be used and why you would apply it to an Enforcement Profile?
=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.

Re: Device Group use cases

From the CPPM User Guide:

"Adding and Modifying Device Groups

Policy Manager groups devices into Device Groups, which function as a component in Service and Role Mapping rules. Device Groups can also be associated with Enforcement Profiles; Policy Manager sends the attributes associated with these profiles only if the request originated from a device belonging to the device groups.

Administrators configure Device Groups at the global level. They can contain the members of the IP address of a specified subnet (or regular expression-based variation), or devices previously configured in the Policy Manager database."

Chapter 15, Enforcement:

"Optionally, each Enforcement Profile can have an associated group of NADs; when this occurs, Enforcement Profiles are only sent if the request is received from one of the NADs in the group. For example, you can have the same rule for VPN, LAN and WLAN access, with enforcement profiles associated with device groups for each type of access. If a device group is not associated with the enforcement profile, attributes in that profile are sent regardless of where the request originated."



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: Device Group use cases

Thanks cjoseph. I saw the first quote in the user guide before, but wasn't sure that I was understanding it correctly. Chapter 15's quote really clears it up: "you can have the same rule for VPN, LAN, and WLAN access..." So instead of creating many identical rules in an enforcement policy, but with different NADs and enforcement profiles, I can just create a single rule and add many enforcement profiles to it with device groups assigned to each. If the NAD is within the group(s) specified in any of those profiles, then those profile attributes are sent.

The use case I was thinking of is in a multi-story building, where each floor has its own switches with unique VLANs, and every workstation in the building matches one policy rule. Instead of creating rules and a profile for each floor's VLAN to assign to a workstation, a single rule could be used along with an enforcement profile for each floor's workstation VLAN. All workstations would be evaluated against a single rule and matched to the correct VLAN based on the location of the switch they're connected to. That is, if I'm understanding this correctly.

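As an added illustration (not code from the thread or from ClearPass itself), a small Python model of the behaviour quoted from the user guide and of the per-floor VLAN use case: a device group is a set of subnets or regular expressions over the NAD's IP address, a profile with a device group contributes its attributes only when the request's NAD is a member, and a profile with no group is sent regardless of NAD. The list-order attribute merge and every address, VLAN ID and name below are constructed assumptions, not CPPM's actual precedence rules.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model (not CPPM code) of the behaviour quoted above: a device group
# is a set of subnets and/or regexes over the NAD IP address, and an enforcement
# profile with a device group only contributes its attributes when the NAD is a member.

@dataclass
class DeviceGroup:
    name: str
    subnets: list = field(default_factory=list)   # CIDR strings, e.g. "10.1.1.0/24"
    regexes: list = field(default_factory=list)   # regexes matched against the NAD IP text

    def contains(self, nad_ip: str) -> bool:
        ip = ipaddress.ip_address(nad_ip)
        if any(ip in ipaddress.ip_network(s) for s in self.subnets):
            return True
        return any(re.fullmatch(r, nad_ip) for r in self.regexes)

@dataclass
class EnforcementProfile:
    name: str
    attributes: dict
    device_group: Optional[DeviceGroup] = None   # None: sent regardless of NAD

def attributes_for_request(profiles, nad_ip):
    """Collect the attributes of every profile on the matched rule that applies to
    a request from nad_ip. Profiles are merged in list order (an assumption; CPPM has
    its own precedence rules), so a later profile overrides an earlier key."""
    sent = {}
    for p in profiles:
        if p.device_group is None or p.device_group.contains(nad_ip):
            sent.update(p.attributes)
    return sent

# Constructed sample: one rule, one profile per floor's switch subnet (addresses are made up).
FLOOR_PROFILES = [
    EnforcementProfile("Workstation-Base", {"Session-Timeout": "3600"}),
    EnforcementProfile("Floor1-VLAN", {"Tunnel-Private-Group-Id": "110"},
                       DeviceGroup("Floor1-Switches", subnets=["10.1.1.0/24"])),
    EnforcementProfile("Floor2-VLAN", {"Tunnel-Private-Group-Id": "120"},
                       DeviceGroup("Floor2-Switches", subnets=["10.1.2.0/24"])),
    EnforcementProfile("Floor3-VLAN", {"Tunnel-Private-Group-Id": "130"},
                       DeviceGroup("Floor3-Switches", regexes=[r"10\.1\.3\.\d+"])),
]
```

A switch whose address falls outside every floor group receives only the base attributes and no VLAN, so running each NAD's address through the groups is a useful sanity check before rolling such a policy out.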

Y

Exactly!




Re: Y

How do you use the "device group" as a service rule? I've looked and can't seem to find it.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: Y

[Screenshot attachment: 2014-10-21 09_19_05-ClearPass Policy Manager - Aruba Networks.png]

[Screenshot attachment: 2014-10-21 09_18_53-ClearPass Policy Manager - Aruba Networks.png]

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: Y

Awesome, thank you!
