Wireless Access

Occasional Contributor II

ClearPass - best practice assigning VLANs with multiple sites based on requesting network device?

Hello all,


Can anyone please recommend the best practice for the following scenario:


- multiple sites with Dell switches running dot1x, need ClearPass to return a different VLAN ID based on the site where the request originates (different VLAN IDs are used per site).


I had thought that I could perhaps have a different service defined per site based on a device group or device, however this doesn't seem to be an option when defining the service rules.


There also doesn't seem to be an option for role mapping or enforcement policy based on requesting network device either - any thoughts appreciated.


Cheers

Trusted Contributor I

Re: ClearPass - best practice assigning VLANs with multiple sites based on requesting network device

You can certainly do it in the service selection screen, so create different services for different locations.

Guru Elite

Re: ClearPass - best practice assigning VLANs with multiple sites based on requesting network device

In your enforcement profile, you can select a network device. Create a new profile for each VLAN and add the appropriate switch(es) to the list. 

In your service, create your enforcement rule and return all of those profiles. 

ClearPass will return the appropriate VLAN ID depending on the authentication request. 


Thanks, 
Tim

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: ClearPass - best practice assigning VLANs with multiple sites based on requesting network device

Thanks for the advice guys, that's great.


I've added a service rule for requests from a group of devices at a site:

Type: Connection

Name: NAD-IP-Address

Operator: BELONGS_TO_GROUP

Value: <group name>


Cheers

Guru Elite

Re: ClearPass - best practice assigning VLANs with multiple sites based on requesting network device

As always with Aruba and ClearPass, there are a number of ways to do the same thing.  If you only wanted a single enforcement policy you can configure each NAS with a "Data" attribute signifying the VLAN that you would want data to be placed on.  You can use the namespace "%{Device:Attribute}" to return that value in an enforcement policy.  The namespace will replace %{Device:Attribute} with the value of the attribute pulled from the authenticating NAS (Device) and send it as a radius attribute (in this case the attribute is data).  For example, if I have a switch defined like below in ClearPass and I specify a "Data" attribute:

[Image: switch1.png]

I could simply return the Value of the VLAN as a Device:<attribute> namespace like this:

[Image: enforce1.png]

If an authentication comes into ClearPass from that switch and hits that enforcement profile, it will return a VLAN of 4 for that authentication.  You can define each switch with its own Data attribute to return whatever VLAN number corresponds to that switch.


There are many places where a few floors have one VLAN for data, the next set of floors have a different VLAN for data, and so on. The strategy above allows you to return any value that is defined as an attribute on a NAS in CPPM as a RADIUS attribute. While there is definite utility in a list of rules where "NAD-IP-Address belongs to group", the strategy above allows you to be more granular and have a single enforcement policy. Again, just another way to do it.


I hope this helps.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
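To make the two approaches in this thread concrete, here is a small Python model (added here, not ClearPass code and not from any poster) of the OP's NAD-IP-Address BELONGS_TO_GROUP service rule and of the %{Device:Data} namespace substitution described in the reply above. The device IPs, names, groups and the switch with no "Data" attribute are constructed; the Tunnel-* attributes are the standard RADIUS VLAN assignment attributes (RFC 3580).

```python
import re

# Constructed sample of ClearPass network device (NAS) entries, modelled on the
# approach in the post: every switch carries a custom "Data" attribute holding the
# data VLAN for its site. switch3 deliberately has no "Data" attribute so the
# missing-attribute case can be shown. IPs, names and groups are made up.
NAS_DEVICES = {
    "10.1.1.2": {"name": "switch1", "groups": {"site-a"}, "attributes": {"Data": "4"}},
    "10.2.1.2": {"name": "switch2", "groups": {"site-b"}, "attributes": {"Data": "204"}},
    "10.3.1.2": {"name": "switch3", "groups": {"site-c"}, "attributes": {}},
}

# A single enforcement profile using the %{Device:<attribute>} namespace from the post.
# Tunnel-* are the standard RADIUS VLAN assignment attributes (RFC 3580).
VLAN_PROFILE = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-Id": "%{Device:Data}",
}

NAMESPACE_RE = re.compile(r"%\{Device:([A-Za-z0-9_-]+)\}")


def nad_belongs_to_group(nas_ip, group):
    """The OP's service rule: Connection:NAD-IP-Address BELONGS_TO_GROUP <group>."""
    device = NAS_DEVICES.get(nas_ip)
    return device is not None and group in device["groups"]


def resolve_profile(nas_ip, profile=VLAN_PROFILE):
    """Expand every %{Device:X} in the profile from the requesting NAS's attributes.

    Returns the RADIUS attributes to send, or None when the NAS is unknown or lacks
    a referenced attribute, so the caller can fall back to a default or deny rule
    instead of sending a half-resolved VLAN value to the switch.
    """
    device = NAS_DEVICES.get(nas_ip)
    if device is None:
        return None
    resolved = {}
    for attr, value in profile.items():
        if any(name not in device["attributes"] for name in NAMESPACE_RE.findall(value)):
            return None
        resolved[attr] = NAMESPACE_RE.sub(lambda m: device["attributes"][m.group(1)], value)
    return resolved


if __name__ == "__main__":
    for ip in NAS_DEVICES:
        print(ip, nad_belongs_to_group(ip, "site-a"), resolve_profile(ip))
```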
Occasional Contributor II

Re: ClearPass - best practice assigning VLANs with multiple sites based on requesting network device

That's fantastic, and simplifies everything - especially for remote sites.


Cheers and thanks for taking the time!

Contributor II

Re: ClearPass - best practice assigning VLANs with multiple sites based on requesting network device

Thank you for this. 

I am actually using this for one of my installs and it is working just fine. On some switches they have two different data VLANs defined on the same switch. How can that be configured using the method you have posted above? How would CPPM know to send the device to the right data VLAN?

Re: ClearPass - best practice assigning VLANs with multiple sites based on requesting network device

You can create an attribute for that particular switch or use the NAS-IP (switch RADIUS source IP).
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II

Re: ClearPass - best practice assigning VLANs with multiple sites based on requesting network device

Sorry, I was trying to look on my test CPPM at how this would be configured, but I couldn't figure it out from what you have said below. Are you able to provide some screenshots please on how you envisage two different data VLANs being sent back to the same switch?

Re: ClearPass - best practice assigning VLANs with multiple sites based on requesting network device

[Image: 2018-07-25 16_14_47-Amazon WorkSpaces.png]
[Image: 2018-07-25 16_18_14-Amazon WorkSpaces.png]

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA