Security

Is it possible to add multiple IPs for a device? It looks like the only options are a single IP or a network in CIDR notation. I've tried inputting several IPs separated by colons and semi-colons but CP wouldn't accept that as input. Being able to put in multiple IPs for a single device is very useful and something I've done several times in Cisco ACS. I'll submit this as a feature request if this isn't possible.

Compnerd,

 

Do you mean multiple ip addresses for a NAS device like a controller or switch?  It would be interesting to hear your setup.

I'd like to add multiple IPs for a device added to ClearPass. Let me give you two real world examples:

1) The TACACS source interface on a Cisco router needs to change. In Cisco ACS I'll add the new source interface ahead of time so that I don't have to stop and update the device's IP. This is useful when making multiple config changes on the router and you don't want to stop in the middle of your config because command authorization is enabled.

2) You want to enable TACACS for a multi-context device like a Cisco ACS. Each context will have its own unique IP as its source TACACS interface, and you want to add the physical ACS to ClearPass as a single device rather than separate (virtual) devices. In Cisco ACS, I will add the multi-context device once, and add each contexts IP. This allows you to have fewer devices in your ACS config.

These are my own use cases and have found it helpful to have this flexibility in ACS. Would like to see it in ClearPass.

thecompnerd,

 

Thank you.

 

I am sure the team will appreciate your use cases.

I've submitted this as an idea to the support portal: https://arubanetworkskb.secure.force.com/cp/ideas/viewIdea.apexp?id=08740000000LD7G