I am attempting to integrate my F5 SSL VPN policy with a ClearPass service to apply ACLs. I'm in the early stages, so right now I am just authenticating a user in the local DB of CPPM and using RADIUS enforcement profiles to return Cisco AV-Pair attributes that include the syntax for each ACL. F5 APM understands how to parse Cisco AV-Pair and dynamically creates the ACL based on the RADIUS response.
Here is my issue: I am able to get it to work with all of the Cisco AV-Pairs in one enforcement profile. I am trying to split the ACLs into different enforcement profiles so I can re-use them for other policies/services/etc. The minute I try to use multiple enforcement profiles in one policy, I can see the RADIUS response sent from the first enforcement profile, but not the second, even though both enforcement profiles appear in the monitoring output log.
This example works: access is allowed to the first IP and all other access is denied. The RADIUS response shows both ACLs returned.
enf_prof_1 with attributes as follows:
RADIUS:Cisco:Cisco AV-Pair=ip:inacl#10=permit ip any host 192.168.10.183 log
RADIUS:Cisco:Cisco AV-Pair=ip:inacl#15=deny ip any any log
This example does not work, access is allowed to .183 as well as everything else. The RADIUS response shows only one ACL returned.
enf_prof_1 with attributes as follows:
RADIUS:Cisco:Cisco AV-Pair=ip:inacl#10=permit ip any host 192.168.10.183 log
enf_prof_2 with attributes as follows:
RADIUS:Cisco:Cisco AV-Pair=ip:inacl#15=deny ip any any log
Is there something I need to do in CPPM so multiple responses are sent using multiple enforcement profiles within one policy? Unsure whether I should start with troubleshooting CPPM or F5 (I would think CPPM since I am not seeing the RADIUS response contain everything from my enforcement profiles).
Any help very much appreciated!
-Greg
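To make the two observed responses concrete, here is a small added example (not code from the post, CPPM or F5 APM) that parses the ip:inacl# Cisco AV-Pair lines out of a RADIUS Access-Accept, orders them by sequence number, and evaluates a flow against the resulting ACL. The sample attribute lists are constructed to mirror the two cases above; the "permit when nothing matches" default is an assumption modelling the behaviour reported in the post, not documented APM semantics.

```python
import ipaddress
import re

# Constructed sample Access-Accept contents mirroring the post (not real captures).
MERGED_PROFILE = [                                   # enf_prof_1 carrying both lines
    "ip:inacl#10=permit ip any host 192.168.10.183 log",
    "ip:inacl#15=deny ip any any log",
]
SPLIT_PROFILES_OBSERVED = [                          # only enf_prof_1's line arrived
    "ip:inacl#10=permit ip any host 192.168.10.183 log",
]

AVPAIR_RE = re.compile(
    r"^ip:inacl#(?P<seq>\d+)=(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)(\s+log)?$"
)

def _to_network(token):
    """'any' -> 0.0.0.0/0, 'host A.B.C.D' -> A.B.C.D/32."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token.split()[1] + "/32")

def parse_inacl(avpairs):
    """Parse inacl AV-Pairs into (seq, action, src_net, dst_net) ordered by seq.
    Raises if a sequence number repeats, e.g. two reused profiles both emitting inacl#10."""
    entries = {}
    for av in avpairs:
        m = AVPAIR_RE.match(av.strip())
        if not m:
            raise ValueError(f"unrecognised AV-Pair: {av!r}")
        seq = int(m["seq"])
        if seq in entries:
            raise ValueError(f"duplicate inacl#{seq} across profiles")
        entries[seq] = (seq, m["action"], _to_network(m["src"]), _to_network(m["dst"]))
    return [entries[k] for k in sorted(entries)]

def evaluate(acl, src_ip, dst_ip, implicit="permit"):
    """First matching entry wins. 'implicit' applies when nothing matches; the post shows
    APM allowing everything when only the permit line came back, so that is the assumed default."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _seq, action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return implicit

def ends_with_deny_any(avpairs):
    """Quick check on a RADIUS response: does the dynamic ACL close with deny ip any any?"""
    acl = parse_inacl(avpairs)
    return bool(acl) and acl[-1][1] == "deny" and acl[-1][3].prefixlen == 0
```

Running ends_with_deny_any over the attributes actually seen in the Access-Accept is a quick way to tell whether the second profile's deny line made it into the response before looking at the F5 side.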