Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Offloading RAP Whitelist

  • 1.  Offloading RAP Whitelist

    Posted May 14, 2014 05:12 PM

    Is there any documentation on how to configure ClearPass for offloading the RAP whitelist? I'm pretty sure I've got it figured out, but would like to compare it against any documentation that may be out there.

    Also, I'm trying to figure out how to assign a unique AP name for each RAP via the offload RAP whitelist method. My understanding is that the name is pushed via the RADIUS response "aruba-location-id" and the RAP name as the value. However, would this not require a unique enforcement profile for each RAP if the goal is to assign a unique name to each RAP in the RADIUS response?



  • 2.  RE: Offloading RAP Whitelist

    EMPLOYEE
    Posted May 14, 2014 06:31 PM

    Compnerd,

    Both of the Radius:Aruba attributes below are the ones that are needed to push the ap-group and the ap-name. Please note that this enforcement profile points to Activate attributes that were populated from CPPM syncing to Activate. The %Device Folder and the %Device Name are just attributes added to the endpoint database from the device sync. This enforcement profile just points to the Device Folder attribute and the Device Name attribute to populate the AP-Group and the AP-Name. Get it?

    activate-attributes.PNG



  • 3.  RE: Offloading RAP Whitelist

    Posted May 14, 2014 06:43 PM
    Yes, makes sense if you're using Activate. If not, then I don't see how to push the name without creating multiple profiles.


  • 4.  RE: Offloading RAP Whitelist
    Best Answer

    EMPLOYEE
    Posted May 14, 2014 06:47 PM

    thecompnerd,

    The name of the AP must exist as an attribute in the endpoint database; the endpoint reference can be changed to point to whatever attribute you have listed as the access point. That means you will have to add an attribute to the endpoint database that will contain the name and change the RADIUS attribute to point to that. You can do that with the same enforcement profile. Does that make sense?



  • 5.  RE: Offloading RAP Whitelist

    Posted May 14, 2014 06:45 PM
    Maybe I could accomplish the same thing by adding the RAPs to the endpoint database and referencing the attribute like in your example.


  • 6.  RE: Offloading RAP Whitelist

    EMPLOYEE
    Posted May 14, 2014 06:47 PM

    @thecompnerd wrote:
    Maybe I could accomplish the same thing by adding the RAPs to the endpoint database and referencing the attribute like in your example.

    DING DING DING!



  • 7.  RE: Offloading RAP Whitelist

    Posted May 14, 2014 07:05 PM

    Haha! Thanks for the info.