Occasional Contributor II
Posts: 12
Registered: ‎12-24-2015

Multiple clearpass enforcement profiles

I am attempting to integrate my F5 SSL VPN policy with a ClearPass service to apply ACLs. I'm in the early stages, so right now I am just authenticating a user in the local DB of CPPM and using RADIUS enforcement profiles to return Cisco AV-Pair attributes that include the syntax for each ACL. F5 APM understands how to parse Cisco AV-Pair and dynamically creates the ACL based on the RADIUS response.

Here is my issue: I am able to get it to work with all of the Cisco AV-Pairs in one enforcement profile. I am trying to split the ACLs into different enforcement profiles so I can re-use them for other policies/services/etc. The minute I try to use multiple enforcement profiles in one policy, I can see the RADIUS response sent from the first enforcement profile, but not the second, even though both enforcement profiles appear in the monitoring output log.

This example works: access is allowed to the first IP and all other access is denied. The RADIUS response shows both ACLs returned.

enf_prof_1 with attributes as follows:

RADIUS:Cisco:Cisco AV-Pair=ip:inacl#10=permit ip any host 192.168.10.183 log

RADIUS:Cisco:Cisco AV-Pair=ip:inacl#15=deny ip any any log

This example does not work: access is allowed to .183 as well as everything else. The RADIUS response shows only one ACL returned.

enf_prof_1 with attributes as follows:

RADIUS:Cisco:Cisco AV-Pair=ip:inacl#10=permit ip any host 192.168.10.183 log

enf_prof_2 with attributes as follows:

RADIUS:Cisco:Cisco AV-Pair=ip:inacl#15=deny ip any any log

Is there something I need to do in CPPM so multiple responses are sent using multiple enforcement profiles within one policy? Unsure whether I should start with troubleshooting CPPM or F5 (I would think CPPM since I am not seeing the RADIUS response contain everything from my enforcement profiles).

Any help very much appreciated! 

-Greg
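As an added illustration (not code from the thread or from ClearPass/F5), a small parser for the `ip:inacl#N=...` AV-Pair syntax quoted above that evaluates a flow against the resulting ordered ACL and reports which expected sequence numbers never arrived in the RADIUS reply; the fallback when no entry matches is assumed to be permit, which is the behaviour the post observed when only the first profile was returned.

```python
import ipaddress
import re

# Matches one AV-Pair value as quoted in the post, e.g.
# "ip:inacl#10=permit ip any host 192.168.10.183 log"
ACE_RE = re.compile(
    r"^ip:inacl#(?P<seq>\d+)=(?P<action>permit|deny) ip "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: log)?$"
)

def parse_inacl(av_pairs):
    """Turn a list of Cisco AV-Pair values into an ACL ordered by sequence number."""
    acl = []
    for value in av_pairs:
        m = ACE_RE.match(value.strip())
        if not m:
            raise ValueError(f"unrecognised AV-Pair: {value!r}")
        acl.append((int(m.group("seq")), m.group("action"),
                    m.group("src"), m.group("dst")))
    return sorted(acl)

def _matches(spec, addr):
    # "any" matches everything; "host X" matches that single address
    return spec == "any" or ipaddress.ip_address(spec.split()[1]) == addr

def evaluate(acl, src, dst, default="permit"):
    """First matching entry wins. `default` models what the VPN does when no
    entry matches; assumed permit, as the thread's second configuration behaved."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, action, s, d in acl:
        if _matches(s, src) and _matches(d, dst):
            return action
    return default

def missing_sequences(acl, expected):
    """Expected inacl sequence numbers that did NOT arrive in the RADIUS reply."""
    present = {seq for seq, *_ in acl}
    return sorted(set(expected) - present)

# Constructed inputs copied from the two configurations in the post
BOTH = ["ip:inacl#10=permit ip any host 192.168.10.183 log",
        "ip:inacl#15=deny ip any any log"]
FIRST_ONLY = BOTH[:1]

if __name__ == "__main__":
    for name, pairs in (("both profiles", BOTH), ("first profile only", FIRST_ONLY)):
        acl = parse_inacl(pairs)
        print(name, "-> .183:", evaluate(acl, "10.0.0.5", "192.168.10.183"),
              "/ other:", evaluate(acl, "10.0.0.5", "192.168.10.1"),
              "/ missing:", missing_sequences(acl, [10, 15]))
```

Running this against a captured Access-Accept's AV-Pair values makes the gap visible before the VPN policy is trusted: a missing deny entry turns a whitelist into a permit-all.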

Guru Elite
Posts: 8,798
Registered: ‎09-08-2010

Re: Multiple clearpass enforcement profiles

Can you confirm via PCAP on ClearPass that only one is being sent?

You can do a pcap under Server Configuration > select a server > Collect Logs > Packet Capture

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 12
Registered: ‎12-24-2015

Re: Multiple clearpass enforcement profiles

I will try that. I was basing that off the RADIUS output log that only showed one cisco av pair being sent. Stay tuned. 
