Wired Intelligent Edge


Using ClearPass variables in DUR for CX switches

  • 1.  Using ClearPass variables in DUR for CX switches

    Posted Jul 01, 2021 07:26 AM
    I'm using ClearPass to create DURs for users connected to a 6200 switch and it's working really well. I would like to add a description to the DURs that are being sent so that, from the switch, I can know what the device is without having to look it up in our inventory management database. I've added the description in the Enforcement Profile, which now looks like this:

    When I look at Access Tracker, the description in the DUR is set to the device name from the Authorization Source, just like I want it to be.

    But on the switch the description is the unresolved variable name instead of the device name.
    Does anyone know why that would be happening or how I can fix it? This isn't a critical feature, but it sure would be nice and it seems like it should work.

    Thanks

    ------------------------------
    David King
    ------------------------------


  • 2.  RE: Using ClearPass variables in DUR for CX switches

    EMPLOYEE
    Posted Jul 02, 2021 04:00 AM
    My understanding is that it is unsupported to have variables in a DUR, as the role with the serial number is supposed not to change from device to device, which is what you are doing here. When the next device authenticates to the same role, CX_DUR_Local_VLAN44-3050-4, the switch will not download the role again, but use the cached version, including the Snipe:Name. The serial number (policy 3050, version 4) will only change if you change the policy in ClearPass, and the switch will download the new version at the next device authenticating. With a role per unique device, the number of roles in the switch and ClearPass would explode.

    The fact that the role shows up in Access Tracker, with the replacement, looks confusing to me. If you can, please open a TAC case to verify my statement above and have a look at the Access Tracker output.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Using ClearPass variables in DUR for CX switches

    Posted Jul 02, 2021 07:53 AM
    That makes total sense. I'll verify with TAC and let you know what they say.

    Thanks!

    ------------------------------
    David King
    ------------------------------