Contributor I

Service Rule Contains multiple options (OR)

In Service rules, you can set up matches for CONTAINS. How can you list multiple values, like an OR list? I haven't found a delimiter that makes this work yet. I suppose the alternative is RegEx, but a simple delimited OR list would just be a lot simpler.


Thanks. 

Guru Elite

Re: Service Rule Contains multiple options (OR)

You can use BELONGS_TO with a comma separated list.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Service Rule Contains multiple options (OR)

Looks like 'BELONGS_TO' has to match a full string? I need to find a piece of text within a string.


I have AP names like ap-abc-01, ap-xyz-01, etc. So I need a search string to find 'abc' or 'xyz' to match a rule. 

BELONGS_TO "abc,xyz" didn't work, neither did "*abc*,*xyz*"


I'm on Cisco, and CPPM doesn't properly fill out the AP-Name or AP-Group variables, so this is the only alternative I have figured out. 

Guru Elite

Re: Service Rule Contains multiple options (OR)

You'd need to use regex then.

ClearPass parses what Cisco provides correctly. They don't send the AP name as its own VSA like most other vendors.
Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Service Rule Contains multiple options (OR)

I've gone ahead and tinkered with Regex, and it looks like I've got it working.


Cisco will send the AP name; it just sends it in the Radius:IETF:Called-Station-Id field (when you change the setting). I would think Aruba could just parse that field and drop the result into AP-Name. From what I've noticed, I can't use Radius:IETF:Called-Station-Id in an enforcement policy rule, which is why I have to create new services and use service rules. If I could use AP-Name, I could put that in an enforcement policy. Unless I'm missing where I can use Radius:IETF:Called-Station-Id in an enforcement policy?

Guru Elite

Re: Service Rule Contains multiple options (OR)

We can't automatically parse it because Cisco allows the CSID to be changed.

You can use the CSID in role mapping. You don't have to make individual services.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Service Rule Contains multiple options (OR)

Ahh, good point. I'll give it a shot with role mapping and see if that's easier. 


Thanks. 
