Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Automatically identify the switch family in ClearPass

  • 1.  Automatically identify the switch family in ClearPass

    Posted Dec 18, 2020 06:44 AM

    Hi

    I have a similar question as in this thread https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=32088.

    Is it possible to automate the detection of the different switch families sending requests to ClearPass instead of manually adding switches or subnets to Network Device Groups?

    In a specific case I have a mix of many different Aruba and HPE switches. Old Comware switches, Aruba 2530, Aruba 2930F and some Aruba CX 6300 switches.

    The intention is to implement Downloadable User Roles on the 2930F and CX switches, but as they need different DURs I need to identify the type of switch sending the request to be able to assign the correct enforcement profiles. I also need to be able to identify 2530 and Comware switches to send the correct VLAN enforcements to them.

    I would prefer if it's possible to automatically identify the switch type based on the Radius request without any manual input at all. If that's not possible, is there any attribute we can modify on the switch to send a specific value for each switch model and in ClearPass use this value to assign correct Roles and Enforcements?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP
    Aranya AB
    ------------------------------


  • 2.  RE: Automatically identify the switch family in ClearPass

    EMPLOYEE
    Posted Dec 21, 2020 06:14 AM

    I have not tried, but you should be able in your service matching rules to match on specific RADIUS attributes that are sent by the different solutions and match the devices in the right service based on that.

    What probably will not work is to return the correct CoA as the Vendor is bound to the RADIUS client definition, but you could even try if that is working.

    One out-of-the-box option would be to 'if not part of device groups' do an HTTP enforcement, which in the background triggers an API call to create a network device of the right type.

    And what you could explore as well is to use RADSEC and make sure the switch type can be determined from the switch's client certificate (not tested, just thinking aloud).



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Automatically identify the switch family in ClearPass

    Posted Dec 21, 2020 07:03 AM

    Interesting thoughts, I will investigate the different types of attributes sent from the switches and see if I'm able to differentiate the switch families.
    If I can't distinguish the switches I will try the NAS-Identifier attribute as proposed by alagoutte.

    As the customer just has Aruba or old HPE switches, I assume the CoA will work as intended. Otherwise I have to find a way to handle that too.

    The method to trigger an HTTP enforcement and create a network device of the right type is really interesting. But I will try the other ways first.

    Thanks for the feedback!



    ------------------------------
    Jonas Hammarback
    ------------------------------



  • 4.  RE: Automatically identify the switch family in ClearPass

    MVP GURU
    Posted Dec 21, 2020 07:59 AM

    Not sure if it is possible to modify NAS-ID on all devices (I have already seen this issue on some devices...)

    But the idea of the API is good! (with PowerArubaCP for example!)

    You don't have an IPAM with a list of switches with device type? (or an Excel file?)



    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 5.  RE: Automatically identify the switch family in ClearPass

    Posted Dec 21, 2020 08:24 AM

    Hi

    I think you are right about the issue where it's not possible to modify the NAS-ID on some device types.

    This is a new customer for me, so I don't know the status of IPAM or CMDB yet.

    PowerArubaCP is something I have never utilized, but thanks for the tips! I will take a look at that.



    ------------------------------
    Jonas Hammarback
    ------------------------------



  • 6.  RE: Automatically identify the switch family in ClearPass

    MVP GURU
    Posted Dec 21, 2020 06:16 AM

    Hi Jonas,

    Have you looked at configuring NAS-ID, for example? (on the switch)



    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------
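The two fingerprinting ideas raised in this thread (Herman's "match on the RADIUS attributes each switch family sends" and alagoutte's "set NAS-ID on the switch") as an added example that is not code from the thread or from ClearPass: it parses the raw attribute bytes of an Access-Request, tries an assumed NAS-Identifier naming convention first, then falls back to the vendor IDs of any Vendor-Specific attributes, and returns "unknown" when neither is conclusive so the request can be routed to the "not in a device group" enforcement. The vendor-to-family map and the NAS-ID prefixes are assumptions for illustration, since AOS-Switch models such as the 2530 and 2930F cannot be told apart by vendor ID alone.

```python
import struct

VSA = 26             # RFC 2865 Vendor-Specific attribute
NAS_IDENTIFIER = 32  # RFC 2865 NAS-Identifier attribute

# Assumed site-specific mapping of IANA enterprise numbers to switch family.
VENDOR_FAMILY = {14823: "aruba-cx", 11: "aruba-aos-switch", 25506: "comware"}
# Assumed NAS-Identifier prefixes the operator configures on each switch.
NASID_PREFIX = {"CX-": "aruba-cx", "AOS-": "aruba-aos-switch", "CW-": "comware"}


def parse_attributes(data: bytes):
    """Decode a RADIUS attribute blob into a list of (type, value) pairs."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):   # reject truncated or zero-length TLVs
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def vendor_ids(attrs):
    """Collect the 4-byte enterprise number from every Vendor-Specific attribute."""
    return {struct.unpack("!I", v[:4])[0] for t, v in attrs if t == VSA and len(v) >= 4}


def classify_nad(data: bytes) -> str:
    """Return the switch family for an Access-Request's attributes, or 'unknown'."""
    attrs = parse_attributes(data)
    for atype, value in attrs:                 # rule 1: operator-set NAS-Identifier
        if atype == NAS_IDENTIFIER:
            nasid = value.decode("ascii", "replace")
            for prefix, family in NASID_PREFIX.items():
                if nasid.startswith(prefix):
                    return family
    families = {VENDOR_FAMILY[v] for v in vendor_ids(attrs) if v in VENDOR_FAMILY}
    if len(families) == 1:                     # rule 2: a single recognised vendor
        return families.pop()
    return "unknown"  # ambiguous or unrecognised: hand off to the HTTP enforcement


def attr(atype: int, value: bytes) -> bytes:
    """Build one RADIUS TLV (used here only to construct sample requests)."""
    return bytes([atype, len(value) + 2]) + value


def vsa(vendor: int, vtype: int, value: bytes) -> bytes:
    """Build a Vendor-Specific attribute wrapping one vendor sub-attribute."""
    return attr(VSA, struct.pack("!I", vendor) + bytes([vtype, len(value) + 2]) + value)
```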