One other trick I found useful: if I create a policy (ACL) that is for one particular role, I name it "role-" and then the role name. That makes policy management much easier.
For example, we have a couple of guest roles
guest-limited is bandwidth restricted.
guest-full has no bandwidth restriction.
Both use the policy role-guest-limited. (Most of our guests are bandwidth limited.)
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
------------------------------
Original Message:
Sent: Sep 10, 2021 10:10 AM
From: Michael Dickson
Subject: assigned vlan within role vs vlan assignment via clearpass policy
Thanks. I'll try to test that if I get a chance. We dropped this role into production so I'll have to start new. We have many granular and specific authenticated roles!
------------------------------
Michael Dickson
Network Engineer
University of Massachusetts Amherst
Original Message:
Sent: Sep 10, 2021 07:27 AM
From: Bruce Osborne
Subject: assigned vlan within role vs vlan assignment via clearpass policy
We decided to assign the VLAN to the role but use a named VLAN pool. That gives us the flexibility of using different VLAN IDs per controller if necessary.
I also believe it is not recommended to use the authenticated role. Create a role that is more descriptive and granular if possible.
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
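Putting the two conventions from the replies above together (a policy named "role-" plus the role name, and a named VLAN pool assigned to the role so each controller can map it to its own VLAN IDs), here is an added AOS 6.x configuration sketch; it is not from either poster, and the pool name, bandwidth contract, ACL rules and VLAN IDs are constructed examples. Only the `vlan guest-pool ...` mapping line would differ from one controller to the next.

```arubaos
! Named VLAN pool (constructed name). Roles reference the name, so this
! mapping is the only line that changes per controller.
vlan-name guest-pool pool
vlan guest-pool 100,101

! Bandwidth contract shared by the limited guest role (constructed value)
aaa bandwidth-contract guest-bw mbits 5

! Session ACL named "role-" + role name, per the naming convention above.
! Rules are an illustrative minimal guest policy, not the posters' ACL.
ip access-list session role-guest-limited
  user any svc-dhcp permit
  user any svc-dns permit
  user any svc-http permit
  user any svc-https permit
  user any any deny

! Bandwidth-restricted guest role: VLAN from the pool, ACL from the
! role-named policy, contract applied in both directions.
user-role guest-limited
  vlan guest-pool
  access-list session role-guest-limited
  bw-contract guest-bw upstream
  bw-contract guest-bw downstream

! Unrestricted guest role reuses the same policy, no bandwidth contract.
user-role guest-full
  vlan guest-pool
  access-list session role-guest-limited
```

Because the role names themselves never change, a ClearPass enforcement profile that returns the Aruba-User-Role attribute works identically against every controller regardless of the local VLAN IDs.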
Original Message:
Sent: Sep 09, 2021 11:02 AM
From: Michael Dickson
Subject: assigned vlan within role vs vlan assignment via clearpass policy
Hi all,
AOS 6.5 and Clearpass 6.8
I have two ways to do something and am looking for the most appropriate. I create an authenticated role on the controller and can assign a VLAN to it. Or I can leave the VLAN off the role and, through policy, have ClearPass pass the role and also assign a VLAN.
Six of one? Any advantages of one option over the other?
Thanks,
Mike
------------------------------
Michael Dickson
Network Engineer
University of Massachusetts Amherst
------------------------------