09-21-2015 08:47 AM
Think I've found an annoying issue with using Authentication sources in Enforcement policy conditions.
When I create a Service/Auth Source/Policy/Profile, I add a timestamp in its name of the form ddyymm, that way, when I'm synchronising configs between my dev and production servers it's easy to see where things have changed. Some things might change frequently, some occasionally.
If I have to change something, I update the name timestamp. In general, this works fine and everywhere the item is used is updated to reflect the new name ..... except in the case of an enforcement policy condition. In this case, the condition keeps the originally defined name ... which then doesn't work because it doesn't exist.
I've got an authorization source called "get_mac_info - ddyymm". This queries a MySQL db to see if a given MAC address has been quarantined. As we haven't fully migrated our estate over to using ClearPass, this gives us a common way of disabling a MAC address on campus irrespective of whether authentication is performed using FreeRADIUS or ClearPass. The source returns an integer >0 if the MAC address is quarantined.
(Authorization:get_mac_info - 210915:isthisquarantined exists) AND (Authorization:get_mac_info - 210915:isthisquarantined GREATER_THAN 0)
UoY Wired Quarantine Profile - 230615
If I change the Authorization:get_mac_info name, the enforcement condition statement doesn't change and the default enforcement profile is selected. (Rule evaluation = First applicable)
Anyone else seen this?
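A lint for the failure described in the post above, as an added example that is not part of the original post and is not Aruba's code: it scans rule conditions written in the textual form quoted in the post and flags any clause whose authorization source name is no longer defined, since such a rule never matches and the quarantine check falls through to the default profile. The function names, the renamed source "get_mac_info - 220915", the second rule and the way the rule text and source list are obtained are assumptions made for the example.

```python
import re

# One clause of a rule condition, in the textual form quoted in the post:
#   (Authorization:<source name>:<attribute> <OPERATOR> [value])
CLAUSE = re.compile(r"\(Authorization:([^:()]+):(\S+)\s+(\w+)(?:\s+([^()]*))?\)")

def base_name(source):
    """Strip the ' - <timestamp>' suffix used by the post's naming convention."""
    return source.rsplit(" - ", 1)[0].strip()

def find_stale_references(rules, defined_sources):
    """Report clauses whose authorization source no longer exists.

    rules: list of (condition_text, enforcement_profile) in evaluation order.
    Returns a list of (rule_number, profile, stale_source, likely_renamed_to).
    """
    defined = {s.strip() for s in defined_sources}
    findings = []
    for number, (condition, profile) in enumerate(rules, start=1):
        reported = set()
        for clause in CLAUSE.finditer(condition):
            source = clause.group(1).strip()
            if source in defined or source in reported:
                continue
            reported.add(source)
            # Same base name with a different timestamp suggests a rename.
            candidates = sorted(d for d in defined if base_name(d) == base_name(source))
            findings.append((number, profile, source, candidates))
    return findings

# Constructed sample. Rule 1 is the condition from the post; rule 2 and its
# names are hypothetical and only show that a valid reference is not flagged.
RULES = [
    ("(Authorization:get_mac_info - 210915:isthisquarantined EXISTS) AND "
     "(Authorization:get_mac_info - 210915:isthisquarantined GREATER_THAN 0)",
     "UoY Wired Quarantine Profile - 230615"),
    ("(Authorization:example_source - 010915:example_attr EXISTS)",
     "Example Profile - 010915"),
]
SOURCES_BEFORE = ["get_mac_info - 210915", "example_source - 010915"]
SOURCES_AFTER = ["get_mac_info - 220915", "example_source - 010915"]  # after rename

if __name__ == "__main__":
    for number, profile, source, candidates in find_stale_references(RULES, SOURCES_AFTER):
        print(f"rule {number} ({profile}): source '{source}' is not defined; "
              f"possible renamed source(s): {candidates or 'none found'}")
```

Running it after each rename, against the rule text and source names copied from the configuration being synchronised, shows which enforcement rules need their conditions re-pointed before the change reaches production.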
09-21-2015 08:51 AM
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP