I have a similar question as in this thread https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=32088.
Is it possible to automate the detection of the different switch families sending requests to ClearPass, instead of manually adding switches or subnets to Network Device Groups?
In a specific case I have a mix of many different Aruba and HPE switches. Old Comware switches, Aruba 2530, Aruba 2930F and some Aruba CX 6300 switches.
The intention is to implement Downloadable User Roles on the 2930F and CX switches, but as they need different DURs I need to identify the type of switch sending the request to be able to assign the correct enforcement profiles. I also need to be able to identify 2530 and Comware switches to send the correct VLAN enforcements to them.
I would prefer it if it's possible to automatically identify the switch type based on the RADIUS request without any manual input at all. If that's not possible, is there any attribute we can modify on the switch to send a specific value for each switch model, and then in ClearPass use this value to assign the correct Roles and Enforcements?
I have not tried it, but you should be able, in your service matching rules, to match on specific RADIUS attributes that are sent by the different solutions and match the devices to the right service based on that.
What probably will not work is returning the correct CoA, as the Vendor is bound to the RADIUS client definition, but you could even try whether that is working.
One out-of-the-box option would be to do an HTTP enforcement 'if not part of device groups', which in the background triggers an API call to create a network device of the right type.
And what you could explore as well is to use RADSEC and make sure the switch type can be determined from the switch's client certificate (not tested, just thinking aloud).
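As an added example (not from any participant in this thread and not ClearPass code), here is how the two ideas above might be sketched in Python: classify the Access-Request by NAS-Identifier first, fall back to the vendor id of any Vendor-Specific attribute, map the family to an enforcement profile, and build the JSON body an HTTP enforcement could POST to the ClearPass REST API to register the device. Assumptions: the NAS-Identifier naming convention, the enforcement profile names, which VSAs each switch model actually sends, and the exact field and vendor names accepted by /api/network-device.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# IANA Private Enterprise Numbers carried in RADIUS Vendor-Specific (type 26)
# attributes. Whether a given switch model includes a VSA in its Access-Request
# is an assumption here; confirm it in Access Tracker or a packet capture first.
PEN_ARUBA = 14823   # Aruba (AOS-CX)
PEN_HP = 11         # Hewlett-Packard (ArubaOS-Switch / ProCurve: 2530, 2930F)
PEN_H3C = 25506     # H3C (Comware)


@dataclass
class RadiusRequest:
    """Subset of an Access-Request as ClearPass would see it (constructed data)."""
    nas_ip: str
    nas_identifier: Optional[str] = None
    vsa_vendors: List[int] = field(default_factory=list)


# Hypothetical NAS-Identifier convention for switches that allow NAS-ID to be
# set (e.g. "cx-<hostname>", "2930f-<hostname>"). First match wins.
NAS_ID_RULES = [
    (re.compile(r"^cx-", re.I), "aruba-cx"),
    (re.compile(r"^2930f-", re.I), "aruba-2930f"),
    (re.compile(r"^2530-", re.I), "aruba-2530"),
    (re.compile(r"^comware-", re.I), "comware"),
]

# Fallback when NAS-Identifier is absent or cannot be configured: the vendor id
# of a VSA narrows the family down, but the HP PEN alone cannot separate a
# 2530 from a 2930F, so that case is reported as the ambiguous "aos-switch".
VSA_RULES = {
    PEN_H3C: "comware",
    PEN_ARUBA: "aruba-cx",
    PEN_HP: "aos-switch",
}

# Placeholder enforcement profile names; the real names live in ClearPass.
ENFORCEMENT = {
    "aruba-cx": "DUR-CX-Employee",
    "aruba-2930f": "DUR-2930F-Employee",
    "aruba-2530": "VLAN-Employee-2530",
    "comware": "VLAN-Employee-Comware",
    "aos-switch": "VLAN-Employee-2530",   # VLAN works on both; DUR would not
    "unknown": "Deny-Access",
}

# ClearPass vendor dictionary names per family (assumption; check the
# Vendor drop-down under Configuration > Network > Devices on your server).
VENDOR_NAME = {
    "aruba-cx": "Aruba",
    "aruba-2930f": "Hewlett-Packard-Enterprise",
    "aruba-2530": "Hewlett-Packard-Enterprise",
    "aos-switch": "Hewlett-Packard-Enterprise",
    "comware": "H3C",
}


def classify(req: RadiusRequest) -> str:
    """Return the switch family for a request, or 'unknown'."""
    if req.nas_identifier:
        for pattern, family in NAS_ID_RULES:
            if pattern.search(req.nas_identifier):
                return family
    for pen in req.vsa_vendors:
        if pen in VSA_RULES:
            return VSA_RULES[pen]
    return "unknown"


def enforcement_for(req: RadiusRequest) -> str:
    """Enforcement profile to return for this request."""
    return ENFORCEMENT[classify(req)]


def build_network_device(req: RadiusRequest, shared_secret: str) -> Optional[Dict]:
    """JSON body for POST /api/network-device, or None if the family is unknown.

    Field names follow the ClearPass REST API as I understand it (assumption);
    verify them in the API Explorer on the ClearPass server before use.
    """
    family = classify(req)
    if family == "unknown":
        return None
    return {
        "name": req.nas_identifier or f"auto-{req.nas_ip}",
        "ip_address": req.nas_ip,
        "radius_secret": shared_secret,
        "vendor_name": VENDOR_NAME[family],
        "coa_capable": True,
        "coa_port": 3799,
        "attributes": {"Device Type": family},   # custom attribute, assumption
    }


if __name__ == "__main__":
    samples = [
        RadiusRequest("10.0.0.1", nas_identifier="cx-core1"),
        RadiusRequest("10.0.0.2", vsa_vendors=[PEN_HP]),
        RadiusRequest("10.0.0.3", vsa_vendors=[PEN_H3C]),
        RadiusRequest("10.0.0.4"),
    ]
    for s in samples:
        print(s.nas_ip, classify(s), enforcement_for(s), build_network_device(s, "s3cret"))
```

The order matters: an explicit NAS-Identifier convention is checked before the VSA fallback, so switches whose NAS-ID cannot be changed still get a best-effort family, and the ambiguous HP case deliberately falls back to a VLAN enforcement rather than a DUR that only one of the two models understands.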
Interesting thoughts, I will investigate the different types of attributes sent from the switches and see if I'm able to differentiate the switch families. If I can't distinguish the switches I will try the NAS-Identifier attribute as proposed by alagoutte.
As the customer just has Aruba or old HPE switches, I assume the CoA will work as intended. Otherwise I have to find a way to handle that too.
The method to trigger an HTTP enforcement and create a network device of the right type is really interesting. But I will try the other ways first.
Thanks for the feedback!
Not sure if it is possible to modify the NAS-ID on all devices (I have already seen this issue on some devices...).
But the idea of using the API is good! (with PowerArubaCP, for example!)
Don't you have an IPAM with a list of switches and their device types? (or an Excel file?)
I think you are right about the issue that it's not possible to modify the NAS-ID on some device types.
This is a new customer for me, so I don't know the status of IPAM or CMDB yet.
PowerArubaCP is something I have never utilized, but thanks for the tip! I will take a look at that.
Have you looked at configuring the NAS-ID, for example? (on the switch)
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.