Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Service Rule Contains multiple options (OR)

  • 1.  Service Rule Contains multiple options (OR)

    Posted Sep 18, 2017 08:16 PM

    In Service rules, you can setup matches for CONTAINS. How can you list multiple values, like an OR list? I haven't found a delimiter that makes this work yet. I suppose the alternative is RegEx but a simple delimited OR list would just be a lot simpler. 

     

    Thanks. 



  • 2.  RE: Service Rule Contains multiple options (OR)

    EMPLOYEE
    Posted Sep 18, 2017 09:02 PM
    You can use BELONGS_TO with a comma separated list.


  • 3.  RE: Service Rule Contains multiple options (OR)

    Posted Sep 19, 2017 11:35 AM

    Looks like 'BELONGS_TO' has to match a full string? I need to find a piece of text within a string.

     

    I have AP names like ap-abc-01, ap-xyz-01, etc. So I need a search string to find 'abc' or 'xyz' to match a rule. 

    BELONGS_TO "abc,xyz" didn't work, neither did "*abc*,*xyz*"

     

    I'm on Cisco, and CPPM doesn't properly fill out the AP-Name or AP-Group variables, so this is the only alternative I have figured out. 



  • 4.  RE: Service Rule Contains multiple options (OR)
    Best Answer

    EMPLOYEE
    Posted Sep 19, 2017 05:02 PM
    You'd need to use regex then.

    ClearPass parses what Cisco provides correctly. They don't send AP name as its own VSA like most other vendors.



    TIM CAPPALLI

    Aruba Security

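    The three comparison operators discussed in this thread behave differently, and the difference is what tripped up the original poster: BELONGS_TO compares the whole value against each entry of a comma-separated list, CONTAINS tests one substring with no OR, and only the regex operator gives an OR over partial matches. The following Python script is an added illustration written for this page, not code from ClearPass or from anyone in the thread; it models those three operator semantics with Python's `re` module (ClearPass's own engine may differ in detail) and runs them over a constructed list of AP names in the `ap-<site>-<nn>` style the poster described. The extra entries `ap-abcd-01` and `AP-XYZ-07` are invented here to show why an unanchored `abc|xyz` over-matches and why case matters. The operator name MATCHES_REGEX is the ClearPass regex operator as I recall it; the naming convention the anchored pattern assumes (`ap-`, three-letter site code, two-digit index) is an assumption taken from the poster's examples.

```python
import re

# Constructed sample of AP names in the thread's ap-<site>-<nn> style.
# "ap-abcd-01" and "AP-XYZ-07" are added to show over-matching and case sensitivity.
AP_NAMES = ["ap-abc-01", "ap-xyz-01", "ap-def-02", "ap-abcd-01", "AP-XYZ-07"]


def belongs_to(value: str, csv_list: str) -> bool:
    """BELONGS_TO semantics: the whole value must equal one entry of the list.

    This is why BELONGS_TO "abc,xyz" never matched "ap-abc-01" in the thread.
    """
    return value in [item.strip() for item in csv_list.split(",")]


def contains(value: str, needle: str) -> bool:
    """CONTAINS semantics: a single substring test, no OR list."""
    return needle in value


def matches_regex(value: str, pattern: str) -> bool:
    """MATCHES_REGEX semantics (modelled with Python re): match anywhere unless anchored."""
    return re.search(pattern, value) is not None


def site_codes_to_regex(sites: list[str], ignore_case: bool = False) -> str:
    """Build an anchored OR pattern from a plain list of site codes.

    Gives the poster the 'simple delimited OR list' they wanted, but as a regex:
    ["abc", "xyz"] -> ^ap-(abc|xyz)-\\d{2}$ . re.escape keeps a site code containing
    a regex metacharacter from changing the pattern's meaning.
    """
    alternation = "|".join(re.escape(site) for site in sites)
    pattern = rf"^ap-({alternation})-\d{{2}}$"
    return f"(?i){pattern}" if ignore_case else pattern


def select(names: list[str], predicate) -> list[str]:
    """Return the AP names for which the rule predicate is true."""
    return [name for name in names if predicate(name)]


if __name__ == "__main__":
    # 1. BELONGS_TO with a list of fragments matches nothing: it needs full strings.
    print("BELONGS_TO 'abc,xyz':", select(AP_NAMES, lambda n: belongs_to(n, "abc,xyz")))
    # 2. CONTAINS finds a fragment, but only one, and also hits ap-abcd-01.
    print("CONTAINS 'abc':      ", select(AP_NAMES, lambda n: contains(n, "abc")))
    # 3. Unanchored regex gives the OR, but still over-matches ap-abcd-01.
    print("REGEX 'abc|xyz':     ", select(AP_NAMES, lambda n: matches_regex(n, "abc|xyz")))
    # 4. Anchored regex built from the site list matches exactly the intended APs.
    strict = site_codes_to_regex(["abc", "xyz"])
    print(f"REGEX {strict!r}:", select(AP_NAMES, lambda n: matches_regex(n, strict)))
    # 5. Same, case-insensitive, if AP names are not consistently lower-case.
    loose = site_codes_to_regex(["abc", "xyz"], ignore_case=True)
    print(f"REGEX {loose!r}:", select(AP_NAMES, lambda n: matches_regex(n, loose)))
```

Anchoring the pattern (`^...$`) and matching the full naming scheme is the check worth carrying into the real service rule or role-mapping rule: an unanchored `abc|xyz` would also put an AP named `ap-abcd-01` into the `abc` site's policy, which is the kind of silent over-match that shows up later as users landing in the wrong enforcement profile.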

  • 5.  RE: Service Rule Contains multiple options (OR)

    Posted Sep 19, 2017 05:15 PM

    I've gone ahead and tinkered with regex; looks like I've got it working.

     

    Cisco will send the AP name; it just sends it in the Radius:IETF:Called-Station-Id field (when you change the setting). I would think Aruba could just parse that field and drop the result into AP-Name. From what I've noticed, I can't use Radius:IETF:Called-Station-Id in an enforcement policy rule, which is why I have to create new services and use service rules. If I could use AP-Name, that I can put in an enforcement policy. Unless I'm missing where I can use Radius:IETF:Called-Station-Id in an enforcement policy?



  • 6.  RE: Service Rule Contains multiple options (OR)

    EMPLOYEE
    Posted Sep 19, 2017 05:17 PM
    We can't automatically parse it because Cisco allows the CSID to be changed.

    You can use the CSID in role mapping. You don't have to make individual services.


  • 8.  RE: Service Rule Contains multiple options (OR)

    Posted Sep 19, 2017 05:23 PM

    Ahh, good point. I'll give it a shot with role mapping and see if that's easier. 

     

    Thanks.