Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Policy enforcement after radius proxy?

  • 1.  Policy enforcement after radius proxy?

    MVP
    Posted Jul 13, 2016 07:40 AM

    So I'm configuring an eduroam network here.

    Proxying off the unknown domains into the eduroam cloud. This works just fine. My test user gets authenticated, receives an accept and gets network access in the default vlan.


    Now I need to push these other institutions' users into different VLANs depending on what AP-groups their request originated from.

    Seemed simple enough.. so I created a role mapping and then used a simple "Tips Role equals" in my enforcement profile hoping that would get enforced, but no such luck.


    Access Tracker has all the correct roles, but gives me an error "No radius enforcement profiles applicable for this device. Allowing Access".


    Even after enabling "Use cached Roles and Posture attributes from previous sessions" I still cannot get anything enforced.


    So what am I missing here? How can I get those eduroam clients forced into the correct VLANs?



  • 2.  RE: Policy enforcement after radius proxy?

    Posted Jul 13, 2016 08:13 AM

    In Access Tracker > Input > Radius Request, do you see the AP-Group listed?

    Your Role Mapping should be something like this: Radius:Aruba:Aruba-AP-Group : <Tips Role Name>

    And then use that Tips Role Name in your policy.




  • 3.  RE: Policy enforcement after radius proxy?

    MVP
    Posted Jul 13, 2016 08:23 AM

    As I said in the opening post.

    Access Tracker does have all the correct roles. The enforcement profile is a simple "Tips Role equals .." but it ignored that completely. My enforcement profile has a default reject, but even that is not applied.

    My guess would be that ClearPass just 'forwards' the answer of the eduroam proxy, which is a simple accept.


    But then I would have expected that the role caching would allow me to 'rewrite' that accept into whatever I have defined in my enforcement profile. But again.. this is completely ignored.



  • 4.  RE: Policy enforcement after radius proxy?
    Best Answer

    MVP
    Posted Jul 13, 2016 08:25 AM

    Uch thanks for the assist but I'm an idiot.

    Will correct my stupid mistake, verify it works and get back with confirmation.


    Yup, I'm an idiot.

    I was only pushing back enforcement profiles with the Aruba-User-Vlan attribute and limited to Aruba devices. So the service didn't have anything to push and apparently defaulted to an allow.