Security

last person joined: 5 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

New condition value not showing up

This thread has been viewed 22 times
  • 1.  New condition value not showing up

    Posted Sep 17, 2021 10:31 AM
    First of all I want to make it clear, I am NEW to clearpass haha with that disclaimer...

    I wan to create a new condition on clear pass as follows:
    If the device vendor is on a list of pre-selected vendors allows them

    So, I went to my policy and I clicked on "add rule" the rule editor showed up and I selected this options:
    Type: Device
    Name: Device Vendor
    Operator: [BELONGS_TO] - Also tried [CONTAINS] and other options
    Value: NOTHING, that is the problem, no option shows up, what am I doing wrong?    <<<<<<<<<

    Thanks in advance

    ------------------------------
    Andres Solano
    ------------------------------


  • 2.  RE: New condition value not showing up

    Posted Sep 17, 2021 11:24 AM
    What are you trying to do? The Type: Device, I think is about the switch/AP. If you want to check the end-user device that is connecting, Endpoint or Authorization:[Endpoint Repository] will get you information about that.

    It would help if you can in more detail describe what you are trying to set up, and even more important the functionality behind it that you want to achieve. Also what you have done already? Are you doing wired? Wireless? Type of authentication? You can do many things with ClearPass, and many things can be even done in multiple ways.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: New condition value not showing up

    Posted 30 days ago
    Thanks for your reply.

    I have configured 802.1x auth using EAP. All switches are Cisco devices, and ClearPass Manager runs version 6.9.6.
    So far I was able to get my self authenticated after enabling this on a single port of a specific switch, the next step is to roll this over to all other ports, but there are some devices that do not support 802.1x like printers, badge readers, CCTV enpoints,  ip phones, vending machines, smart TVs and more. So I was hoping to do is to allow these devices by default, either by identifying them by type or by MAC vendor or so.
    I know about the endpoint repository, but managing it would be really painful because the amount of devices is huge and could change over time with no one informing us about the new devices.
    Initially I thought on creating some sort of rule to "allow all" but creating a log that mentions it was not authenticated so we can act on it before closing the door to the device, but I guess it doesn't make any sense from the protocol/solution perspective.
    Any ideas on how to to and maintain this?

    ------------------------------
    Andres Solano
    ------------------------------



  • 4.  RE: New condition value not showing up

    Posted 29 days ago
    The best approach would be to profile these devices and leverage the profiling info like Type, family etc to return the corresponding VLAN/ACLs.
    As these devices might not be 802.1x compatible, you could enable MAB on the switch and create a new service on CPPM for MAC Auth with Allow All MAC auth while having the Profiler TAB enabled.

    ------------------------------
    SANDEEP YADAV
    Global Escalation Center, ACCP
    ------------------------------



  • 5.  RE: New condition value not showing up

    Posted 29 days ago
    Thanks Sandeep,

    Do you happen to have  sample configuration or guide for this solution you are proposing?

    Regards,

    ------------------------------
    Andres Solano
    Sr Network Engineer
    San Jose
    ------------------------------



  • 6.  RE: New condition value not showing up

    Posted 29 days ago
    You could follow the Wired Policy Guide, It has examples for both Cisco as well as Aruba Switches with Profiler config on CPPM

    https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

    ------------------------------
    SANDEEP YADAV
    Global Escalation Center, ACCP
    ------------------------------