Security

last person joined: 12 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Enforcement policy based upon network/device group

Jump to Best Answer
  • 1.  Enforcement policy based upon network/device group

    Posted Dec 02, 2014 06:09 AM

    Hi,

    We are an HP site  and have both Procurve and Comware switches. In clearpass I have a list of switch IP addresses that I've assigned to two  device groups HP(Procurve) and HP(Comware).

     

    When the network team want to log onto a switch, clearpass needs to send back a vendor specific attribute based upon the switch type in order to be granted appropriate access. Given the fact that I have 2 device groups, can I incorporate a condition in my  enforcement policy that checks for the network device being in one of the above device groups? If so, what's the format? I've had a look round but can't see anything obvious.

     

    Rgds

    Alex

     



  • 2.  RE: Enforcement policy based upon network/device group
    Best Answer

    Posted Dec 02, 2014 06:17 AM
    Two ways:

    1) In your enforcement policy, add two rules with different group names:

    Connection: NAD-IP-Address BELONGS_TO_GROUP


  • 3.  RE: Enforcement policy based upon network/device group

    Posted Dec 02, 2014 06:30 AM

    Cool!

    I'd got part of the way there in that I'd already tied two enforcement profiles to my device groups, so as you said, all I had to do was put both profiles into the enforcement policy role.

     

    Thanks

    Rgds

    A



  • 4.  RE: Enforcement policy based upon network/device group

    Posted Dec 08, 2014 02:00 PM

    I understand #1, and for #2 I understand how you can tie a device group to the enfrc profile, but how do you apply both profiles to the same rule?



  • 5.  RE: Enforcement policy based upon network/device group

    Posted Dec 08, 2014 02:00 PM

    Just add both enforcement profiles.



  • 6.  RE: Enforcement policy based upon network/device group

    Posted Dec 08, 2014 02:10 PM

    Ah, OK so the policy will be the same as for option #1 except no "and Connection:NAD-IP-Address...".



  • 7.  RE: Enforcement policy based upon network/device group

    Posted Dec 08, 2014 02:15 PM

    Right.

     

    1 rule with 2 enforcement profiles.



  • 8.  RE: Enforcement policy based upon network/device group

    Posted Jun 16, 2017 09:57 AM

    Only one policy and be associated with a service correct? Would I need a rule in matching a device group in my policy to direct Nexus devices to a different enforcement profile?   Thanks for you input.



  • 9.  RE: Enforcement policy based upon network/device group

    Posted Jun 16, 2017 11:27 AM

    Yup. In your enforcement  policy you can have multiple profiles. In the profile you can (optionally) specify a device group associated with the profile.

    So you could have

    profiles that are applied to all devices

    profiles that are only applied to specific groups of devices.

    e.g. profile for HP switches and another for ComWare devices

     



  • 10.  RE: Enforcement policy based upon network/device group

    Posted Apr 20, 2020 07:24 AM

    Hi,

    I work for a telecomunication company using only Cisco switches.


    I have tried both ways and none of them works for me. If i set 2 belong_to_group the authorization do not work anymore. If I don't apply the belong_to_group enforcement it do authorize but do not run well the permisions.

    I have 2 different profiles, each one with different permisions. The role is the same for both profiles. At the same time I have 2 different devices groups (each profile linked to one of these). 
    ClearPass do read the tag of the different profiles when authorize their connection but do not apply the defined permisions per each profile. 

     

    Could you help me with this please?

     

    Best regards,