Hello. I'd like to ask for guidance one more time.
My goal is to start working with Clearpass, and I'm trying to bring up a simple lab. I have Win2016server, with AD working fine, CPPM 6.7, IAP305 latest, win7 as wifi client.
The task is: on the CPPM, catch users who are members of Grupe1, attach a role to them, and by that role "enforce" them to be assigned a role on the IAP with a simple deny icmp any any (hereafter: denyping).
The problem is that I don't even see CPPM passing the attribute Aruba-User-Role to the IAP in the packet capture, and the IAP is not picking it up either.
Here is the setup:
192.168.200.222 - CPPM, 192.168.100.20 - IAP
As you can see policy is UserIsGrupe1
Policy:
Never mind the condition, pl_test (my role) is the default role - and it is working. (see below)
Here is the enforcement profile:
... and the attribute I'd like the IAP to receive.
The Enforcement policy
Again, the condition might not work (though it probably works) - but the Default Profile should work anyway.
And what I see on the packet capture:
As you can see, Accept-Accept, but there is no Aruba vendor attribute. And the IAP doesn't see it either.
Here is output from tracker:
And here is the Output:
Please note - the attribute is present, but it is not seen in the packet capture, nor does the IAP recognize it.
Here, just in case, is the config from the IAP:
All users fall back into ArubaRadio1 instead of denyping.
I understand that there is some stupid little thing that I'm missing for such a trivial case, but I can't catch it.
I'd really appreciate any advice. Thank you!
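
An added example, not part of the original post: one way to confirm whether an Access-Accept taken from a capture really carries Aruba-User-Role is to parse the RADIUS payload and look for a Vendor-Specific attribute (type 26) with Aruba's vendor ID 14823 and sub-attribute 1. The sample packets are constructed here (user name `user1` and the zeroed authenticator are assumptions); in practice the input would be the UDP payload of the Access-Accept exported from the capture.

```python
import struct

ARUBA_VENDOR_ID = 14823      # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1          # Aruba-User-Role in the Aruba RADIUS dictionary
VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute type
ACCESS_ACCEPT = 2            # RADIUS code for Access-Accept

def radius_attributes(packet):
    """Yield (type, value) for each attribute in a raw RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def aruba_user_roles(packet):
    """Return Aruba-User-Role values carried in an Access-Accept."""
    if packet[0] != ACCESS_ACCEPT:
        return []
    roles = []
    for atype, value in radius_attributes(packet):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != ARUBA_VENDOR_ID:
            continue
        sub = value[4:]  # vendor sub-attributes: type, length, data
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == ARUBA_USER_ROLE:
                roles.append(sub[2:sub[1]].decode("utf-8", "replace"))
            sub = sub[sub[1]:]
    return roles

def build_accept(attrs):
    """Constructed sample: Access-Accept with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

def aruba_vsa(role):
    """Constructed sample: Vendor-Specific attribute holding Aruba-User-Role."""
    sub = bytes([ARUBA_USER_ROLE, len(role) + 2]) + role.encode()
    return (VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + sub)

with_role = build_accept([(1, b"user1"), aruba_vsa("denyping")])
without_role = build_accept([(1, b"user1")])
print(aruba_user_roles(with_role), aruba_user_roles(without_role))
```

An empty list for the real Access-Accept means the attribute never left the server, which points at the enforcement profile or policy rather than at the IAP.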