04-21-2014 11:50 AM
I'm working with a client that has a unique VPN requirement. We have a Clearpass OnGuard install that utilizes the unified VIA VPN client and performs posture checking.
We're going to set up a system that ties the rights and privileges of a VIA user role to a specific AD group. This part is pretty straightforward to set up. The question they had is, if a user is in multiple groups, can they have the rights of those multiple roles?
The way that I am thinking of doing this would be:
1. Come up with the restrictions for group #1 and create an Aruba user role #1
2. Come up with the restrictions for group #2 and create an Aruba user role #2
3. Design an Aruba user role #3 and only pass that from Clearpass if a user has group membership in group #1 AND group #2
Do you think this is the best way to do this? I'd definitely appreciate if there's a way to stack Aruba user role #1 + #2 at the same time, but I'm not holding my breath.
04-21-2014 01:33 PM
In the Role mappings in ClearPass, you use "Evaluate All", which will tag an incoming authentication with all the "Roles" that they match. In the enforcement policy you use "Evaluate-First" and you check to see if the incoming authentication equals both roles. You would then send back the Enforcement Profile for that third condition.
Aruba Customer Engineering
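The policy flow in the answer above (Evaluate All in role mapping, Evaluate-First in enforcement, with a rule that requires both ClearPass roles before handing back the third Aruba user role) can be modelled in a few lines. The following is an added illustration written for this thread, not ClearPass or Aruba code; the AD group DNs, ClearPass role names and enforcement profile names are constructed placeholders. It also shows the ordering check a practitioner would want: under Evaluate-First, the combined-role rule has to sit above the single-role rules, or a user in both groups only ever receives role #1.

```python
"""Model of the ClearPass policy flow described in the thread.

Role mapping in "Evaluate All" mode tags the session with every ClearPass
role whose condition matches.  The enforcement policy in "Evaluate-First"
mode walks its rules top to bottom and returns the profile of the first
rule whose conditions are all satisfied.  This is an illustrative model,
not ClearPass code; all group, role and profile names are placeholders.
"""

from dataclasses import dataclass, field

# Constructed AD group DNs (placeholders, not from the original post).
FINANCE_GROUP = "CN=VPN-Finance,OU=Groups,DC=example,DC=com"
ENGINEERING_GROUP = "CN=VPN-Engineering,OU=Groups,DC=example,DC=com"


@dataclass
class Session:
    username: str
    ad_groups: set                      # memberOf values from the AD auth source
    roles: set = field(default_factory=set)   # ClearPass roles tagged by role mapping


# Role-mapping rules: (AD group that must be present, ClearPass role to tag).
ROLE_MAPPING_RULES = [
    (FINANCE_GROUP, "Finance-VIA"),
    (ENGINEERING_GROUP, "Engineering-VIA"),
]


def map_roles(session: Session) -> set:
    """Evaluate All: every rule whose condition matches adds its role."""
    for group, role in ROLE_MAPPING_RULES:
        if group in session.ad_groups:
            session.roles.add(role)
    return session.roles


# Enforcement rules: (ClearPass roles that must ALL be present, profile returned).
# The profiles stand for Aruba user roles #3, #1 and #2 from the question.
# The combined rule is listed FIRST on purpose (see wrong_order_example).
ENFORCEMENT_RULES = [
    ({"Finance-VIA", "Engineering-VIA"}, "VIA-Role-3-Combined"),
    ({"Finance-VIA"}, "VIA-Role-1-Finance"),
    ({"Engineering-VIA"}, "VIA-Role-2-Engineering"),
]

DEFAULT_PROFILE = "VIA-Deny"   # placeholder default profile for no match


def enforce(session: Session, rules=ENFORCEMENT_RULES) -> str:
    """Evaluate-First: return the profile of the first rule whose
    required roles are all present on the session."""
    for required_roles, profile in rules:
        if required_roles <= session.roles:
            return profile
    return DEFAULT_PROFILE


def decide(username: str, ad_groups, rules=ENFORCEMENT_RULES) -> str:
    """Run role mapping, then enforcement, for one authentication."""
    session = Session(username, set(ad_groups))
    map_roles(session)
    return enforce(session, rules)


def wrong_order_example(username: str, ad_groups) -> str:
    """Same rules with the combined rule moved to the bottom: a user in
    both groups now matches the single-role rule first, so role #3 is
    never returned.  This is the misconfiguration to check for."""
    misordered = ENFORCEMENT_RULES[1:] + ENFORCEMENT_RULES[:1]
    return decide(username, ad_groups, rules=misordered)


if __name__ == "__main__":
    print(decide("alice", [FINANCE_GROUP, ENGINEERING_GROUP]))  # VIA-Role-3-Combined
    print(decide("bob", [FINANCE_GROUP]))                       # VIA-Role-1-Finance
    print(decide("carol", []))                                  # VIA-Deny
    print(wrong_order_example("alice", [FINANCE_GROUP, ENGINEERING_GROUP]))  # VIA-Role-1-Finance
```

In a real ClearPass enforcement policy the combined rule would be expressed as two conditions on Tips:Role (one per ClearPass role) combined with AND, placed above the single-role rules; the model above only captures the evaluation order, not the exact ClearPass condition syntax.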
04-21-2014 02:12 PM
And do you know of a way to stack two Aruba user roles on each other at the same time? Or is the third option I described the way that I'll have to go? I'm 99% sure I can't do multiple user roles, that I'd have to send a 3rd role, but I figured it can't hurt to ask.
04-21-2014 02:13 PM