MVP
Posts: 777
Registered: ‎03-25-2009

Policy enforcement after radius proxy?

So I'm configuring an eduroam network here.

Proxying off the unknown domains into the eduroam cloud. This works just fine. My test user gets authenticated, receives an accept and gets network access in the default vlan.

Now I need to push these other institutions' users into different vlans depending on what AP-groups their request originated from.

Seemed simple enough.. so I created a rolemapping and then used a simple "tips role equals" in my enforcement profile hoping that would get enforced but no such luck.

Access tracker has all the correct roles, but gives me an error "No radius enforcement profiles applicable for this device. Allowing Access".

Even after enabling "Use cached Roles and Posture attributes from previous sessions" I still cannot get anything enforced.

So what am I missing here? How can I get those eduroam clients forced into the correct vlans?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Policy enforcement after radius proxy?

In Access Tracker > Input > Radius Request, do you see the AP-Group listed?

Your Role Mapping should be something like this: Radius:Aruba:Aruba-AP-Group : <Tips Role Name>

And then use that Tips Role Name in your policy.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 777
Registered: ‎03-25-2009

Re: Policy enforcement after radius proxy?

As I said in the opening post.

Access tracker does have all the correct roles. The enforcement profile is a simple "Tips Role equals .." but it ignored that completely. My enforcement profile has a default reject but even that is not applied.

My guess would be that Clearpass just 'forwards' the answer of the eduroam proxy which is a simple accept.

But then I would have expected that the role caching would allow me to 'rewrite' that accept into whatever I have defined in my enforcement profile. But again.. this is completely ignored.

Koen (ACMX #351 | ACDX #547 | ACCP)

MVP
Posts: 777
Registered: ‎03-25-2009

Re: Policy enforcement after radius proxy?

Uch thanks for the assist but I'm an idiot.

Will correct my stupid mistake, verify it works and get back with confirmation.

Yup I'm an idiot.

I was only pushing back enforcement profiles with the aruba-user-vlan attribute and limited to aruba devices. So the service didn't have anything to push and apparently defaulted to an allow.

Koen (ACMX #351 | ACDX #547 | ACCP)

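A toy model of the decision flow this thread ends on: role mapping from Aruba-AP-Group, then enforcement profiles restricted to one device type, with the result that no profile applies and access is allowed with nothing pushed. This is an added example, not ClearPass code or the poster's configuration; the AP-group names, role names, VLAN ids and the "NAS-Vendor" field are constructed, and the model assumes the device-type restriction is what filtered the profiles out.

```python
"""Model of a ClearPass-style role mapping + enforcement decision (added example,
not ClearPass code). Values below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    attrs: dict                                      # attributes returned in the Access-Accept
    device_types: set = field(default_factory=set)   # empty = applies to any NAS vendor


# Role mapping rule: Radius:Aruba:Aruba-AP-Group -> Tips Role (constructed values)
ROLE_MAP = {"AP-Group-Library": "eduroam-library", "AP-Group-Dorms": "eduroam-dorms"}

# Enforcement policy: Tips Role -> profile. Both profiles push Aruba-User-Vlan and are
# limited to Aruba devices, the configuration the thread identifies as the mistake.
POLICY = {
    "eduroam-library": Profile("Lib-VLAN", {"Aruba-User-Vlan": "110"}, {"Aruba"}),
    "eduroam-dorms": Profile("Dorm-VLAN", {"Aruba-User-Vlan": "120"}, {"Aruba"}),
}


def evaluate(request: dict, fail_closed: bool = False):
    """Return (reply code, attributes, note) for a proxied request that already
    carries an Access-Accept from the user's home institution."""
    role = ROLE_MAP.get(request.get("Aruba-AP-Group"))
    profile = POLICY.get(role)
    vendor = request.get("NAS-Vendor")            # constructed field standing in for device type
    if profile and (not profile.device_types or vendor in profile.device_types):
        return "Access-Accept", dict(profile.attrs), f"enforced {profile.name}"
    # No applicable profile. The behaviour observed in the thread was to allow access
    # with nothing pushed; fail_closed shows the alternative a defender would prefer.
    if fail_closed:
        return "Access-Reject", {}, "no applicable profile; rejecting"
    return "Access-Accept", {}, "No radius enforcement profiles applicable; allowing access"


def audit(policy: dict, nas_vendors: set) -> list:
    """Names of profiles that can never apply to the NAS vendors actually sending
    requests to this service, so the misconfiguration is caught before go-live."""
    return sorted(p.name for p in policy.values()
                  if p.device_types and not (p.device_types & nas_vendors))


if __name__ == "__main__":
    print(evaluate({"Aruba-AP-Group": "AP-Group-Library", "NAS-Vendor": "Aruba"}))
    print(evaluate({"Aruba-AP-Group": "AP-Group-Library", "NAS-Vendor": "OtherVendor"}))
    print(audit(POLICY, {"OtherVendor"}))
```

Running `audit` against the set of NAS vendors that actually hit the service lists every profile that can never be returned, which is the check that would have surfaced the problem before the test user got a bare accept.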