Security

Reply
Occasional Contributor II

Order of operations for ClearPass Services

Hello all,

 

In ClearPass I have 2 services both of them are Aruba 802.1X Wireless templates. The 1st service policy controls multiple user groups and vlan assignments but without posture compliance. The 2nd service policy is a test policy to test out posture compliance. When I test the 2nd service it fails and when I check the access tracker it shows "Policies Used" as the 1st service not the 2nd service as needed. Is there a reason the policy match stops instead of continuing down the list looking for another match? The "Service Rule" conditions are the same in both policies which I think is where my issue lies. Is there any way to use both policies with the same "Service Rule" conditions?

 

Thanks,

Guru Elite

Re: Order of operations for ClearPass Services

Service categorization works like a firewall rule. Top down, first match.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Order of operations for ClearPass Services

As Tim said, it is the first match, so if both services have the same matching conditions, only the first will match. The second will never be evaluated.

 

Maybe you can explain what you try to achieve. If that is that OnGuard/posture is optional, you just enable posture in the service and in your enforcement policy you can check if there is posture information and depending on both the availability (status: UNKNOWN) or a known status (HEALTHY, INFECTED, QUARANTINE, etc), you can decide what access attributes to return. Merge the two services into a single one.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
MVP

Re: Order of operations for ClearPass Services

I've been reworking my entire service catalog - now that I've learned what I should have done when I started ;)

My process is to copy a service, add a match condition for just my lab NAD or just my endpoint or device-group etc. Then I move the copy up the list to just above the one I copied.

That way my test devices will match the copy and I can mess with them and all other devices will pass by adn match the original service.

If I happen to get the test service working I remove the added conditions and watch the Access Tracker for a while.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: