Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Order of operations for ClearPass Services

  • 1.  Order of operations for ClearPass Services

    Posted Jan 16, 2018 05:01 PM

    Hello all,


    In ClearPass I have 2 services both of them are Aruba 802.1X Wireless templates. The 1st service policy controls multiple user groups and vlan assignments but without posture compliance. The 2nd service policy is a test policy to test out posture compliance. When I test the 2nd service it fails and when I check the access tracker it shows "Policies Used" as the 1st service not the 2nd service as needed. Is there a reason the policy match stops instead of continuing down the list looking for another match? The "Service Rule" conditions are the same in both policies which I think is where my issue lies. Is there any way to use both policies with the same "Service Rule" conditions?


    Thanks,



  • 2.  RE: Order of operations for ClearPass Services

    EMPLOYEE
    Posted Jan 16, 2018 05:16 PM

    Service categorization works like a firewall rule. Top down, first match.



  • 3.  RE: Order of operations for ClearPass Services

    EMPLOYEE
    Posted Jan 17, 2018 04:31 AM

    As Tim said, it is the first match, so if both services have the same matching conditions, only the first will match. The second will never be evaluated.


    Maybe you can explain what you are trying to achieve. If it is that OnGuard/posture should be optional, you just enable posture in the service, and in your enforcement policy you can check whether there is posture information and, depending on either the availability (status: UNKNOWN) or a known status (HEALTHY, INFECTED, QUARANTINE, etc.), you can decide what access attributes to return. Merge the two services into a single one.



  • 4.  RE: Order of operations for ClearPass Services

    Posted Jan 17, 2018 12:58 PM

    I've been reworking my entire service catalog - now that I've learned what I should have done when I started ;)

    My process is to copy a service, add a match condition for just my lab NAD or just my endpoint or device-group etc. Then I move the copy up the list to just above the one I copied.

    That way my test devices will match the copy and I can mess with them, and all other devices will pass by and match the original service.

    If I happen to get the test service working I remove the added conditions and watch the Access Tracker for a while.
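As an added illustration, not ClearPass code and not something posted in this thread, here is a toy Python model of the top-down, first-match categorization described in the replies. It covers the duplicate-rule problem from the question, the merged posture-aware service suggested in reply 3, and the narrowed test copy placed above the original from reply 4; all attribute names, profile names and addresses are constructed.

```python
# Added example, not ClearPass's own code. Attribute keys, profile names
# and the NAD address are constructed purely for illustration.

def matches(rules, req):
    """A service rule matches when every condition holds (AND)."""
    return all(req.get(key) == value for key, value in rules.items())

def categorize(services, req):
    """Service categorization like a firewall rule: top down, first match."""
    for service in services:
        if matches(service["rules"], req):
            return service["name"]
    return None  # nothing matched: the request is not handled by any service

# Rule shared by both "Aruba 802.1X Wireless" services from the question
WIRELESS_DOT1X = {"protocol": "RADIUS", "nad_type": "Aruba-Wireless", "auth": "802.1X"}
LAB_NAD = "10.0.0.5"  # constructed address of the lab controller

# The question: identical rules, so the posture test service is never reached
duplicated = [
    {"name": "prod-wireless", "rules": dict(WIRELESS_DOT1X)},
    {"name": "posture-test", "rules": dict(WIRELESS_DOT1X)},
]

# Reply 4: copy narrowed with an extra condition and moved ABOVE the original
lab_first = [
    {"name": "posture-test", "rules": {**WIRELESS_DOT1X, "nad_ip": LAB_NAD}},
    {"name": "prod-wireless", "rules": dict(WIRELESS_DOT1X)},
]

# Reply 3: one merged service whose enforcement policy branches on posture
def posture_enforcement(req):
    status = req.get("posture", "UNKNOWN")  # OnGuard may not have reported yet
    if status == "HEALTHY":
        return "Full-Access-VLAN"
    if status == "UNKNOWN":
        return "Limited-Access-VLAN"  # posture optional: no data, reduced access
    return "Quarantine-VLAN"  # INFECTED, QUARANTINE, ...

if __name__ == "__main__":
    lab = {**WIRELESS_DOT1X, "nad_ip": LAB_NAD, "posture": "HEALTHY"}
    office = {**WIRELESS_DOT1X, "nad_ip": "10.0.0.9"}
    print(categorize(duplicated, lab))    # prod-wireless: test service never hit
    print(categorize(lab_first, lab))     # posture-test
    print(categorize(lab_first, office))  # prod-wireless
    print(posture_enforcement(office))    # Limited-Access-VLAN
```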