Super Contributor II

Using clearpass to manage Mobility Controller ACL lists

Might be a silly question ...

 

I'm currently passing a Filter-Id attribute back to our mobility controllers and using it to apply a particular policy to a user session. This does of course mean that we have to create the ACL lists that are used on the controllers, which we seem to have to do by hand either via the GUI or CLI.

 

Is there any way of clearpass managing an ACL list's contents? E.g. something like its ability to pass ACL rules down to a provision switch in an Access Accept packet?

 

Rgds

Alex

 

Guru Elite

Re: Using clearpass to manage Mobility Controller ACL lists

http://community.arubanetworks.com/t5/Controller-Based-WLANs/Downloading-an-undefined-role-from-CPPM-to-Controller/ta-p/243661

 

In addition, if you are using clearpass, you should return the Aruba-User-Role radius attribute or the Aruba-User-Vlan attribute from clearpass, instead of using filter-id and then having to write a server derivation rule on the controller. Using those attributes will automatically assign the role and/or vlan without having to have a corresponding server derivation rule looking for a filter-id attribute.



Colin Joseph
Aruba Customer Engineering


Super Contributor II

Re: Using clearpass to manage Mobility Controller ACL lists

Well, everything seemed to have worked apart from the Aruba-User-Role bit.

 

Looking at Firewall policies / [System Role|Policies] I can see the stuff I sent back.

 Clearpass is sending back

 

Radius:Aruba:Aruba-CPPM-Role

test_cppm_role_enforcement-3110-4
ip access-list session super_user_role
    any any any permit log 
!
user-role cppmrole
    access-list session super_user_role
!
Radius:Aruba:Aruba-User-Role

cppmrole

where super_user_role is the default "allowall" with logging

 

However, Firewall policies / User Role doesn't have a cppmrole entry. Should I be sending back the System Role test_cppm_role_enforcement-3110-4?

 

Rgds

alex

 

 

Guru Elite

Re: Using clearpass to manage Mobility Controller ACL lists

You won't see them in your config. Downloadable roles are added and destroyed as they're used and released.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
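
Because a downloaded role never shows up in the controller configuration, the definition text held in ClearPass is the place to review it. The Python below is an added example, not part of the original thread or any Aruba tool: it parses role text in the shape quoted earlier in the thread and reports roles whose session ACLs contain an any-any-any permit rule. It assumes rules are indented under their block header as in the quoted text and that a leading "ipv6" token marks an IPv6 rule; the function names are hypothetical.

```python
import re

# Constructed sample: the role definition quoted earlier in the thread.
SAMPLE = """\
ip access-list session super_user_role
    any any any permit log
!
user-role cppmrole
    access-list session super_user_role
!
"""

def parse_role_definition(text):
    """Return (acls, roles): ACL name -> rules (token lists), role name -> ACL names."""
    acls, roles, kind, items = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                      # "!" closes the current block
            kind = items = None
        elif not raw[0].isspace():           # unindented line opens a block
            acl = re.fullmatch(r"ip access-list session (\S+)", line)
            role = re.fullmatch(r"user-role (\S+)", line)
            if acl:
                kind, items = "acl", acls.setdefault(acl.group(1), [])
            elif role:
                kind, items = "role", roles.setdefault(role.group(1), [])
            else:
                kind = items = None          # block type this example ignores
        elif kind == "acl":                  # indented line inside an ACL: one rule
            items.append(line.split())
        elif kind == "role":                 # indented line inside a role: ACL reference
            ref = re.fullmatch(r"access-list session (\S+)", line)
            if ref:
                items.append(ref.group(1))
    return acls, roles

def is_allow_all(rule):
    """True for 'any any any permit ...'; a leading 'ipv6' token is assumed to mark a v6 rule."""
    if rule and rule[0] == "ipv6":
        rule = rule[1:]
    return rule[:4] == ["any", "any", "any", "permit"]

def allow_all_roles(text):
    """Map each role to the ACLs it references that contain an allow-all rule."""
    acls, roles = parse_role_definition(text)
    wide = {name for name, rules in acls.items() if any(map(is_allow_all, rules))}
    return {r: [a for a in refs if a in wide] for r, refs in roles.items() if wide & set(refs)}

if __name__ == "__main__":
    print(allow_all_roles(SAMPLE))
```
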
Super Contributor II

Re: Using clearpass to manage Mobility Controller ACL lists

When configuring a session-based ACL list in CPPM, you don't seem to be able to distinguish between ipv6 and ipv4, whereas on the controller you can.

Not important at the moment as we're just dipping our toes into the ipv6 pond, but might be in the future.

 

A
