Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Can you have nested device groups

This thread has been viewed 19 times

  • 1.  Can you have nested device groups

    Posted Jul 26, 2021 12:47 PM
    Got a large estate comprising multiple sites, each site has multiple switches.


    like to group site switches in their own group

    Then have services that are selected based upon colledtion nad-ip-address belongs to <group name>

    ... but you cant select multiple groups at this point.

    Would be nice if we had nested groups so
    top level group = "wholeorganisation"
    which had as members  groups

    site1,site2 .....

     The servie selected by  connection nad-ip-address belongs to-group wholeorganisation


    or is there another way to do same thing?
    A​

    ------------------------------
    Alex Sharaz
    ------------------------------


  • 2.  RE: Can you have nested device groups

    Posted Jul 26, 2021 06:11 PM
    You'd have to use custom NAD attributes in a tag-like manner.

    ------------------------------
    Tim C
    ------------------------------

    Original Message


  • 3.  RE: Can you have nested device groups

    Posted Jul 27, 2021 03:28 AM
    You can define Device attribute in Device settings.


    And then use this attribute in your Service definition, Role Mappings or Enforcement policies.

     Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------


  • 4.  RE: Can you have nested device groups

    Posted Jul 28, 2021 03:54 AM
    Thanks for this, o.k. makws sense but if you can have up to 60 locations plus that you want to have a service applied to starts gettingf messy .

    Plan here is to roll out NAC over a  multi site  estate so theory is


    Create 2 identical services except 1 runs in monitor mode
    Have the monitor mode service selecred by a device group called MONITOR
    Assign switches at a site to monitor group to check stuff is working as it should
    After tested, move switch to an "active"  device group ( or use the location example youve described) , removing it from the monitor group so the active service picks it up


    This is a phased rollout so switches will move from the monitor service to the active service

    we're talking 1000's switches over 60+sites

    So would be selecting  a service bqsed upon an OR of your location attribute  .... sort of seems messsy

    A


    ------------------------------
    Alex Sharaz
    ------------------------------

    Original Message