Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Combining Multiple ACLs based upon Group Membership

  • 1.  Combining Multiple ACLs based upon Group Membership

    Posted Apr 27, 2021 06:12 AM
    Hello all, I was wondering if it is possible, at the ClearPass authorisation stage, to "evaluate all" and send multiple snippets of ACL to the authenticating device.

    EG:
    User member of HR = HR ACL
    User also member of VIP = append VIP ACL

    Conscious that the HR ACL would typically have an implied deny any at the end, but can we append like this at all?

    Or even sending multiple roles to the NAD, would that work? NADs will be IAP and Aruba switches. Just to add that HR is just one example; the intention is to have hundreds of potential combinations. Clearly this is easier to achieve using per-user VPNs etc., but I just wanted to explore this first.

    Thanks in advance.


  • 2.  RE: Combining Multiple ACLs based upon Group Membership

    Posted Apr 28, 2021 02:31 AM
    You can try the following. In the role mapping policy, use evaluate-all (the default) and assign a role for each group. In the enforcement policy, use evaluate-all and add an ACL for each role.

    In this way you will get an ACL for each group that the user is a member of.

    It can become tricky with enforcement as all rules will be evaluated.

    Did you evaluate an option to use Downloadable user roles? I'm not sure if DUR can provide what you are looking for.

    Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------



  • 3.  RE: Combining Multiple ACLs based upon Group Membership
    Best Answer

    EMPLOYEE
    Posted May 04, 2021 10:48 AM
    It's currently not supported to send multiple user-roles/dACLs (ClearPass can send them, but the switch/AP/controller will reject them), nor can ClearPass merge/combine multiple ACLs into a single role or ACL set. As you mentioned, there is quite some complexity in there with conflicts or ordering challenges.

    Please reach out to your local Aruba SE to discuss if you have ideas on how that should work, so it can be filed as a feature request.

    For now, as mentioned, create roles for HR, HRVIP, and VIP.  I agree that doesn't scale too well.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 4.  RE: Combining Multiple ACLs based upon Group Membership

    Posted May 06, 2021 04:40 AM
    Thank you Herman, as expected, they really need a different approach to the problem.

    To use ClearPass, ideally the ACLs would be appended top-down through the authorisation policies as users match them (only adding the "deny any" at the end once the final ACL was added). This seems to be in line with an existing solution the customer uses for firewall VPN authorisation.

    Will push for the appropriate design.

    ------------------------------
    Tim Lloyd
    ------------------------------