12-02-2014 03:09 AM
We are an HP site and have both Procurve and Comware switches. In clearpass I have a list of switch IP addresses that I've assigned to two device groups HP(Procurve) and HP(Comware).
When the network team want to log onto a switch, clearpass needs to send back a vendor specific attribute based upon the switch type in order to be granted appropriate access. Given the fact that I have 2 device groups, can I incorporate a condition in my enforcement policy that checks for the network device being in one of the above device groups? If so, what's the format? I've had a look round but can't see anything obvious.
Solved! Go to Solution.
12-02-2014 03:17 AM
1) In your enforcement policy, add two rules with different group names:
Connection: NAD-IP-Address BELONGS_TO_GROUP
2) You can tie an enforcement profile to a device group and then add both enforcement profiles to the same rule. ClearPass will return the appropriate action based on the device.
So for example, in your pro curve profile, select the device group from the drop down on the first tab.
12-02-2014 03:29 AM
I'd got part of the way there in that I'd already tied two enforcement profiles to my device groups, so as you said, all I had to do was put both profiles into the enforcement policy role.
06-16-2017 06:56 AM
Only one policy and be associated with a service correct? Would I need a rule in matching a device group in my policy to direct Nexus devices to a different enforcement profile? Thanks for you input.
06-16-2017 08:26 AM
Yup. In your enforcement policy you can have multiple profiles. In the profile you can (optionally) specify a device group associated with the profile.
So you could have
profiles that are applied to all devices
profiles that are only applied to specific groups of devices.
e.g. profile for HP switches and another for ComWare devices