last person joined: 10 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Service selection based upon multiple device groups

This thread has been viewed 5 times
  • 1.  Service selection based upon multiple device groups

    Posted Jul 01, 2021 06:25 AM
    Hi all
    Have a requirement to have a service selected only  if the NAS-IP is in one of 2 defined Network Device groups

    As you can't have nested groups , whats the best way of doing this?

    a). use  BELONGS TO  <group1 name>, <group 2 name>

    b).  use regex to select group name e.g.  " ND\(monitor|live\)" to select either of  ND(monitor) or ND(live) - Does this even work ?

    c). Just  create another group with members from original 2 groups


    Alex Sharaz

  • 2.  RE: Service selection based upon multiple device groups

    Posted Jul 02, 2021 10:39 AM
    If you tested option A, and it works, I would go for that.

    I'm not a big fan of using regexes unless it makes sense. Regex matching is 'relatively computational expensive', as well for many people unfamiliar with regex, it may be hard to understand.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

  • 3.  RE: Service selection based upon multiple device groups

    Posted Jul 05, 2021 04:43 AM
    A different approach that you haven't offered is to associate the NAS with a specific attribute, typically Location or Device Type - these are reserved attributes, interestingly I notice that in new 6.9.x installs allow you to edit then). For example I can create an attribute Device:Type and associate it with device type values:

    Making this attribute mandatory means that when you add a NAD you have to associate it with a site:

    Annoyingly you have to "drag-down" to the bottom on the page to see this extra mandatory attribute.

    When a endpoint connects to this NAD in the incoming RADIUS authentication request will present this NAS's Device:Type:


    You can use this within the Service Match logic:

    Within the Operator I have the following options:

    Derin Mellor