Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Allowing multiple subnets in a Match ALL Service rule

  • 1.  Allowing multiple subnets in a Match ALL Service rule

    Posted Jul 21, 2021 01:10 PM
    I have a RADIUS Enforcement service in ClearPass that allows management access to our controllers that has a Match ALL Conditions. With a single subnet this works using the rule below.
    Radius:IETF Framed-IP-Address BEGINS_WITH 172.24.162.


    I now have two additional subnets I want to allow. Any thoughts on how best to achieve this? I thought of creating three separate Devices with the separate subnets then putting them into a Device Group and allowing that, but Devices requires shared secret fields and I'm not sure if I can just enter some filler secret. I also thought I could use regular expression in a Device Group but am not sure how to make that work.

    Basically, I want to allow three unique subnets into this Match ALL service, e.g.
    172.24.162.0/24
    172.24.3.0/22
    172.24.150.0/23

    Thoughts or suggestions on a better approach appreciated!

    Mike

    ------------------------------
    Michael Dickson
    Network Engineer
    University of Massachusetts Amherst
    ------------------------------



  • 2.  RE: Allowing multiple subnets in a Match ALL Service rule

    MVP GURU
    Posted Jul 22, 2021 06:45 AM
    Hi,

    use Device Group and set all needed device on the device group

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCL: Powershell Module to use Aruba Central

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 3.  RE: Allowing multiple subnets in a Match ALL Service rule

    Posted Jul 22, 2021 10:00 AM
    Alagoutte,

    Could you expand on this? Would I create three separate devices each configured with a different subnet? And add a bogus shared secret (required field)? If yes I can see how I could then add these to a device group and add that as a service rule.

    It would be easier to add multiple subnets in a single device group but I can't see how to do this.

    Mike

    ------------------------------
    Michael Dickson
    Network Engineer
    University of Massachusetts Amherst
    ------------------------------



  • 4.  RE: Allowing multiple subnets in a Match ALL Service rule

    Posted Jul 22, 2021 05:19 PM
    Hi Mike,

    I don't think alagoutte is correct. Devices are used to configure NADs, but your rule is based on Framed-IP-Address, which normally is the client's address, not the NAD's.

    Maybe you can test a BELONGS_TO operator, which allows you to create a list of several options. Only, I'm not sure it will match IP subnets in CIDR format. I'm unable to do this right now, but if you can, test your rule with:

    Radius:IETF Framed-IP-Address BELONGS_TO 172.24.162.0/24,172.24.3.0/22,172.24.150.0/23

    ------------------------------
    Miguel Goncalves
    ------------------------------



  • 5.  RE: Allowing multiple subnets in a Match ALL Service rule

    MVP GURU
    Posted Jul 23, 2021 08:28 AM
    Ok, it is for Enforcement not for Service...

    What is the use case?!




  • 6.  RE: Allowing multiple subnets in a Match ALL Service rule

    Posted Jul 24, 2021 05:30 AM
    Try with a regular expression.

    Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------
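As an added example, not from any post in this thread: a short Python script that shows why a string-prefix (BEGINS_WITH) rule cannot express the /22 or /23 in the question, and that builds the anchored regular expression Gorazd's suggestion would need to cover all three subnets in one condition. The ClearPass operator name MATCHES_REGEX is assumed from memory, and the test addresses are constructed values.

```python
import ipaddress
import re

# The three subnets from the thread. strict=False because 172.24.3.0/22 has
# host bits set; its real network address is 172.24.0.0/22 (constructed data).
ALLOWED = [ipaddress.ip_network(n, strict=False)
           for n in ("172.24.162.0/24", "172.24.3.0/22", "172.24.150.0/23")]

def cidr_match(addr: str) -> bool:
    """Subnet-aware check: what the service rule is meant to express."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED)

def begins_with_match(addr: str, prefix: str) -> bool:
    """Plain string-prefix test, i.e. the semantics of BEGINS_WITH."""
    return addr.startswith(prefix)

def cidr_to_regex(cidr: str) -> str:
    """Anchored regex matching exactly one IPv4 CIDR, octet by octet."""
    net = ipaddress.ip_network(cidr, strict=False)
    octets = str(net.network_address).split(".")
    any_octet = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"  # 0-255, no leading zeros
    parts = []
    for i, octet in enumerate(octets):
        bits = net.prefixlen - 8 * i          # network bits left in this octet
        if bits >= 8:
            parts.append(octet)               # fully fixed octet
        elif bits <= 0:
            parts.append(any_octet)           # fully host octet
        else:                                 # partial octet: enumerate its range
            lo = int(octet)
            hi = lo + (1 << (8 - bits)) - 1
            parts.append("(?:" + "|".join(str(v) for v in range(lo, hi + 1)) + ")")
    return "^" + r"\.".join(parts) + "$"

# One alternation covering all three subnets, for a single MATCHES_REGEX condition.
ALLOWED_REGEX = "|".join(f"(?:{cidr_to_regex(str(n))})" for n in ALLOWED)
_compiled = re.compile(ALLOWED_REGEX)

def regex_match(addr: str) -> bool:
    """Evaluate the combined regex the way a regex condition would."""
    return _compiled.fullmatch(addr) is not None

if __name__ == "__main__":
    print(ALLOWED_REGEX)
    for a in ("172.24.162.9", "172.24.1.7", "172.24.4.1", "172.24.152.1"):
        print(a, cidr_match(a), regex_match(a))
```

Note that BEGINS_WITH "172.24.3." would silently miss 172.24.0.x through 172.24.2.x of the /22, while shortening the prefix to "172.24." would admit the whole /16, which is the kind of over-broad match a management-access rule should avoid.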