New Contributor

Enforcement Profile - Cisco interface description removal

Greetings, I have created an enforcement profile that sends a Cisco interface description command when a dot1x authenticated device gets plugged into a switch. The command puts the hostname/IP description of the computer on the switch interface. If I move the device to a different port, it will do the same on the new port, but the previous port is still labeled with the same description. Does anyone know how to have ClearPass remove the old port description when the device is moved to a new port?

Here is the enforcement profile attributes command I am using to label the port:

config terminal
interface %{Radius:IETF:NAS-Port-Id}
description CP-%{Host:Name}-%{Radius:IETF:Framed-IP-Address}

 

Here is the result on the switch:

show int desc

Gi1/0/1 up  Laptop-xyz 10.10.10.10
Gi1/0/2 down Laptop-xyz 10.10.10.10

Guru Elite

Re: Enforcement Profile - Cisco interface description removal

What type of enforcement profile are you using?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Enforcement Profile - Cisco interface description removal

I'm using a CLI-based enforcement profile.

Guru Elite

Re: Enforcement Profile - Cisco interface description removal

We don't really recommend using CLI enforcement anymore.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Enforcement Profile - Cisco interface description removal

I'm using the CLI enforcement because, for example, when I use a VLAN enforcement profile, on the Cisco show run interface GigabitEthernet1/0/1, it does not display the switchport access vlan XXX; you can only see the VLAN of the port in the "show int status". When CLI enforcement is used, the show run of the interface actually shows the correct VLAN and allows me to add an interface description.

Is there a better way to accomplish this with a different type of enforcement profile? I just need the proper VLAN/description of the interface and for it to be removed if the device moves to another port. Thanks!
