
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Downloadable secondary role with VLAN steering based on CPPM variable


    Posted 15 days ago
    I think I saw a previous thread on a similar subject, but my search ability is failing me.  I have a customer that would like to do the following:

    • Client connects to a switch port and authentication is performed (802.1X, MAB, etc.)
    • Based on the policy decision by ClearPass, in certain scenarios the client is tunneled to the controller (BYOD as an example) with a UBT 2.0 config and a reserved VLAN
    • When tunneled to the controller, the client is steered to the same VLAN as wireless clients (per campus, and they have over 40 campuses)
    • Primary and secondary roles are both configured as dynamic (the secondary role being dynamic is not a hard requirement)

    So for instance, if a BYOD client at campus XYZ connects to a switch port and authenticates via captive portal, the client is dropped into the tunnel and is placed on the named VLAN "XYZ-BYOD" on the controller.

    What I would like to do is send a separate enforcement profile to the controller with RADIUS:Aruba Aruba-Named-User-Vlan = "x", where the value of "x" can include a CPPM variable like %{Device:Location}-BYOD.  But the secondary role assignment on the controller is not a RADIUS auth, it's an API call to ClearPass, so a RADIUS VSA is not applicable there AFAIK.  Also, within the secondary role, I don't believe I can place a variable like the above inside the role definition, whether in standard or advanced configuration mode (it's possible I fat-fingered something there).

    One way I can get this to work, for the "byod-student" role as an example, is to create 40 copies of the secondary role enforcement profile, one for each campus, with the appropriate VLAN in each.  Then create 40 copies of the primary role enforcement profile, with the corresponding secondary role profile selected.  In the primary role profile, I would limit it to the defined switch device group for that campus.  Now in the enforcement policy, for the rule that handles "byod-student", I would list all 40 enforcement profiles, and only the one pertinent to that device group would take effect.

    I have tested this and it works.  The downsides are that this is ugly at scale, and it means I now have 40 unique downloadable roles on the controller per actual desired user role, with the only distinction being the VLAN defined therein.

    Hoping someone has a more elegant solution and I'm just missing something pretty simple.  Thanks for any help in advance.
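The "40 copies" workaround described in the post, modelled as an added example that is not part of the original post and is not Aruba/HPE code: for each campus it builds the secondary (controller) role profile carrying that campus's named VLAN, the primary (switch) role profile that references it and is gated on the campus switch device group, and the single enforcement-policy rule that lists every primary profile. The dict key names (`type`, `device_group`, `secondary_role`, `vlan_name`), the `<campus>-Switches` device-group naming and the `Tips:Role EQUALS` condition string are assumptions chosen for readability, not the ClearPass REST API schema, so map them onto the real enforcement-profile fields from your ClearPass API Explorer before importing anything. The `validate` and `resolve_vlan` helpers are the part worth keeping: they catch the copy-paste mistakes (dangling secondary reference, two campuses sharing a VLAN or device group) and show what a switch that belongs to no campus device group gets, which is no campus VLAN at all.

```python
"""Model of the per-campus enforcement-profile workaround (added example)."""
import json
from typing import Dict, List, Optional

# Constructed sample data: the poster has 40+ campuses, three show the pattern.
CAMPUSES = ["XYZ", "ABC", "DEF"]
ROLE = "byod-student"


def vlan_name(campus: str) -> str:
    """What the poster wanted %{Device:Location}-BYOD to expand to."""
    return f"{campus}-BYOD"


def device_group(campus: str) -> str:
    """Assumed naming convention for each campus's switch device group."""
    return f"{campus}-Switches"


def secondary_profile(campus: str, role: str) -> Dict:
    """Controller-side (UBT 2.0) downloadable role. Identical across campuses
    except for the named VLAN, which is exactly the duplication in the post."""
    return {
        "name": f"{role}-{campus}-secondary",
        "type": "downloadable-role",        # assumed key/value
        "vlan_name": vlan_name(campus),
    }


def primary_profile(campus: str, role: str) -> Dict:
    """Switch-side role that selects the campus secondary role and is
    restricted to that campus's device group."""
    return {
        "name": f"{role}-{campus}-primary",
        "type": "downloadable-role",        # assumed key/value
        "device_group": device_group(campus),
        "secondary_role": f"{role}-{campus}-secondary",
    }


def build_bundle(campuses: List[str], role: str) -> Dict:
    """One primary + one secondary profile per campus, plus the single policy
    rule for the role that lists every primary profile."""
    primaries = [primary_profile(c, role) for c in campuses]
    secondaries = [secondary_profile(c, role) for c in campuses]
    rule = {
        "condition": f"Tips:Role EQUALS {role}",   # illustrative condition text
        "profiles": [p["name"] for p in primaries],
    }
    return {"primary": primaries, "secondary": secondaries, "rule": rule}


def validate(bundle: Dict) -> List[str]:
    """Mistakes that are easy to make when hand-copying 40 profiles: a primary
    pointing at a secondary that does not exist, or two campuses landing on the
    same VLAN name or the same device group (the second would make the rule
    fire two profiles for one switch)."""
    problems: List[str] = []
    secondary_names = {s["name"] for s in bundle["secondary"]}
    for p in bundle["primary"]:
        if p["secondary_role"] not in secondary_names:
            problems.append(f"{p['name']} references missing {p['secondary_role']}")
    for key, items in (("vlan_name", bundle["secondary"]),
                       ("device_group", bundle["primary"])):
        seen: Dict[str, str] = {}
        for item in items:
            if item[key] in seen:
                problems.append(f"{key} {item[key]} used by {seen[item[key]]} and {item['name']}")
            seen[item[key]] = item["name"]
    return problems


def resolve_vlan(bundle: Dict, switch_device_group: str) -> Optional[str]:
    """Simulate the policy evaluation for a switch in the given device group:
    only the primary profile whose device_group matches takes effect, its
    secondary role is pushed to the controller, and that role's VLAN is what
    the tunnelled client lands on. None means no campus matched, which in
    production is a client with no campus VLAN and is worth alerting on."""
    secondaries = {s["name"]: s for s in bundle["secondary"]}
    for p in bundle["primary"]:
        if p["name"] in bundle["rule"]["profiles"] and p["device_group"] == switch_device_group:
            return secondaries[p["secondary_role"]]["vlan_name"]
    return None


if __name__ == "__main__":
    bundle = build_bundle(CAMPUSES, ROLE)
    print(json.dumps(bundle, indent=2))
    print("problems:", validate(bundle) or "none")
    print("XYZ switch ->", resolve_vlan(bundle, "XYZ-Switches"))
    print("unknown switch ->", resolve_vlan(bundle, "Nowhere-Switches"))
```

Running it prints the generated profile set, an empty problem list, `XYZ-BYOD` for a switch in `XYZ-Switches`, and `None` for a switch in no campus group. Feeding the bundle to ClearPass (via the REST API or by hand) is out of scope here; the point is that the naming, the device-group gating and the cross-references can be generated and checked mechanically rather than typed 40 times.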