Security

Reply
Super Contributor I
Posts: 293
Registered: ‎02-07-2013

Enforcement policy based upon network/device group

Hi,

We are an HP site  and have both Procurve and Comware switches. In clearpass I have a list of switch IP addresses that I've assigned to two  device groups HP(Procurve) and HP(Comware).

 

When the network team want to log onto a switch, clearpass needs to send back a vendor specific attribute based upon the switch type in order to be granted appropriate access. Given the fact that I have 2 device groups, can I incorporate a condition in my  enforcement policy that checks for the network device being in one of the above device groups? If so, what's the format? I've had a look round but can't see anything obvious.

 

Rgds

Alex

 

Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: Enforcement policy based upon network/device group

Two ways:

1) In your enforcement policy, add two rules with different group names:

Connection: NAD-IP-Address BELONGS_TO_GROUP

2) You can tie an enforcement profile to a device group and then add both enforcement profiles to the same rule. ClearPass will return the appropriate action based on the device.

So for example, in your pro curve profile, select the device group from the drop down on the first tab.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor I
Posts: 293
Registered: ‎02-07-2013

Re: Enforcement policy based upon network/device group

Cool!

I'd got part of the way there in that I'd already tied two enforcement profiles to my device groups, so as you said, all I had to do was put both profiles into the enforcement policy role.

 

Thanks

Rgds

A

Contributor I
Posts: 23
Registered: ‎09-17-2012

Re: Enforcement policy based upon network/device group

I understand #1, and for #2 I understand how you can tie a device group to the enfrc profile, but how do you apply both profiles to the same rule?

Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: Enforcement policy based upon network/device group

Just add both enforcement profiles.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 23
Registered: ‎09-17-2012

Re: Enforcement policy based upon network/device group

Ah, OK so the policy will be the same as for option #1 except no "and Connection:NAD-IP-Address...".

Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: Enforcement policy based upon network/device group

Right.

 

1 rule with 2 enforcement profiles.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Search Airheads
Showing results for 
Search instead for 
Did you mean: