New Contributor
Posts: 4
Registered: ‎08-05-2013

Differentiate web-authentication services for wired users connected to two different vendors

This is regarding web-authentication on CPPM. We currently have switches from various OEMs. We are configuring web-auth services and we want to have separate web-auth services for each of the OEMs.

As web-auth is between the client and the ClearPass Guest login, the endpoint has very few attributes to match before the authentication. We have tried differentiating the web services profiles with the help of subnet grouping (identifying the client IP). We really don't see this as a scalable solution.

What are the possible ways to differentiate web services for wired users for different OEMs, and different OEMs have different AV pairs?

Guru Elite
Posts: 8,056
Registered: ‎09-08-2010

Re: Differentiate web-authentication services for wired users connected to two different vendors

You can tie each enforcement profile to a set of devices (so a group of
Aruba NADs for example) and return multiple enforcement profiles in each
policy. It will then only return the profile appropriate for the NAS.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

New Contributor
Posts: 4
Registered: ‎08-05-2013

Re: Differentiate web-authentication services for wired users connected to two different vendors

We thought of this, but we are stuck at configuring the default profile. We can have only one default profile, and we want to mention a re-auth/terminate session in our default profile. Different vendors have different VSAs for terminating/re-authenticating the sessions, hence how can one default profile suffice?

We are also thinking of having separate URLs for each OEM. Can we create a service rule based on the URL and then enforce?
