Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Differentiate web-authentication services for wired users connected to two different vendors

  • 1.  Differentiate web-authentication services for wired users connected to two different vendors

    Posted May 05, 2016 09:20 AM

    This is regarding web-authentication on CPPM. We currently have switches from various OEMs. We are configuring web-auth services and we want to have separate web-auth services for each of the OEMs.

    As web-auth is between the client and the ClearPass Guest login, the endpoint has very few attributes to match before the authentication. We have tried differentiating the web services profiles with the help of subnet grouping (identifying the client IP). We really don't see this as a scalable solution.

    What are the possible ways to differentiate web services for wired users for different OEMs, when different OEMs have different AV pairs?



  • 2.  RE: Differentiate web-authentication services for wired users connected to two different vendors

    EMPLOYEE
    Posted May 05, 2016 09:55 AM
    You can tie each enforcement profile to a set of devices (so a group of
    Aruba NADs for example) and return multiple enforcement profiles in each
    policy. It will then only return the profile appropriate for the NAS.


  • 3.  RE: Differentiate web-authentication services for wired users connected to two different vendors

    Posted May 05, 2016 10:15 AM

    We thought of this, but we are stuck at configuring the default profile. We can have only one default profile and we want to specify a re-auth/terminate session in our default profile. Different vendors have different VSAs for terminating/re-authenticating the sessions, so how can one default profile suffice?

     

    We are also thinking of having separate URLs for each OEM. Can we create a service rule based on the URL and then enforce?