Wireless Access

All,

I'm working with a client that has a unique VPN requirement. We have a Clearpass OnGuard install that utilizes the unified VIA VPN client and performs posture checking. 

We're going to setup a system that ties the rights and privileges of a VIA user role to a specific AD group. This part is pretty straightforward to setup. The question they had is, if a user is in multiple groups, can they have the rights of those multiple roles?

The way that I am thinking of doing this would be:

1. Come up with the restricions for group #1 and create an Aruba user role #1

2. Come up with the restricions for group #2 and create an Aruba user role #2

3. Design an Aruba user role #3 and only pass that from Clearpass if a user has group membership in group #1 AND group #2

Do you think this is the best way to do this? I'd definitely appreciate if there's a way to stack Aruba user role #1 + #2 at the same time, but I'm not holding my breath.

Thanks!

-Mike

boston1630,

In the Role mappings in ClearPass, you use "Evaluate All" , which will tag an incoming authentication with all the "Roles" that they match.  In the enforcement policy you use "Evaluate-First" and you check to see if the incoming authentication equals both roles.  You would then send back the Enforcement Policy for that third condition.

Colin,

And do you know of a way to stack two Aruba user roles on each other at the same time? Or, is the way I described the third option the way that I'll have to go. I'm 99% sure I can't do multiple user roles, that I'd have to send a 3rd role - figured it can't hurt to ask.

Thanks!

-Mike

Colin,

Thanks - that's what I figured!

-Mike