Higher Education

last person joined: 2 days ago 

Got questions on how to enable mobility in education? Submit them here!
Expand all | Collapse all

Clearpass Enforcement Policy

  • 1.  Clearpass Enforcement Policy

    Posted Aug 18, 2017 07:30 AM

    Hi ,

     

    I have a question related to a senario,where in i want to push a firewall role (Controller) from Clearpass. I am having a hardtime to understand how we can implement this .

     

    For example: I want to block certian type of traffic for a user group . I have created a Firewall rule on controller. when i define a enforcement policy where shall i define this enforcement ? Because in Enforecment profile i dont see any condiction related to pushing a firewall rule .

     

    Regards,

    MD

     

     



  • 2.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 07:34 AM
      |   view attached

    @MDTCS wrote:

    Hi ,

     

    I have a question related to a senario,where in i want to push a firewall role (Controller) from Clearpass. I am having a hardtime to understand how we can implement this .

     

    For example: I want to block certian type of traffic for a user group . I have created a Firewall rule on controller. when i define a enforcement policy where shall i define this enforcement ? Because in Enforecment profile i dont see any condiction related to pushing a firewall rule .

     

    Regards,

    MD

     

     


    We define the user roles in the controllers and send the Aruba-User-Role VSA from the ClearPass enforcement profile.

     

     



  • 3.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 07:44 AM

    Thanks for the reply Bruce.

    What should be the attr value  in this case, plain text Aruba firewall role created in controller ?

     

    For example : I have created firewall role as " Block youtube"  ,so my enforcment profile attr would be .

     Type: Radius:Aruba

    Name : Aruba-user-role 1

    vale : Block youtube

     

    Is this correct understanding ?

     

    Could you also help me to understand,on what basis we select an appropriate attrb?

     

    Appriceate you help

    Thanks 

    MD



  • 4.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 07:52 AM

    I am assuming you have PEFNG firewall licenses on your controller . The user-role would contain your ACL. If you wish to just block things, you must add the allowall ACL (policy) as the last ACL since there is an implicit denyall in a role which blocks anything.

     If your controller user-role containing your ACLs is named "Block-Youtube" then your ClearPass Enforcement Profile would send back

     

    Type   : Radius:Aruba

    Name: Aruba-User-Role

    Value : Block-Youtube

     

    I recommend not using spaces in names on the controller. You can use underscores and dashes instead, just be consistent. 



  • 5.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 08:31 AM

    Also don't forget about downloadable roles from CPPM. That way you can manage the roles in one place and push them to any switch or controller.

     

    http://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/Content/CPPM_UserGuide/Enforce/EPAruba_Downloadable_Role.htm

     



  • 6.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 08:36 AM

    That requires ClearPass 6.6.7, correct? I do not currently recommend that release.

    Our roles have so many ACL lines that downloading them for each user might not be too efficient. I may research this when I have time.



  • 7.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 08:38 AM

    No sir. We have been using downloadble roles for the last four years.



  • 8.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 08:40 AM

    OK, thanks for the correction.

    I was just looking at the switch release notes and it requires 6.6.7.



  • 9.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 09:51 AM

    Just to clarify here, the first time a user requires the downloadable role, it is downloaded from ClearPass. Each additional user that requies the same role will use the controller's dowloaded copy of the role unless a change to the role has occured in ClearPass.

     

    tl;dr it's not downloaded every time.



  • 10.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 10:02 AM

    Hi Tim,

     

    Are you  saying we can create firewall roles/ACls(Downloadable) in clearpass and firstime user will download it from clearpass and controller will also download it . Next time new user will downlaod it from controller?

     

    I am not able to understand it correctly.

     

    Regards,

    MD.

     

     



  • 11.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 10:25 AM

    User Bob is assigned Role A. Version 1 of the role downloads from ClearPass.

    User Alice authenticates 5 minutes later and is assigned Role A. This role is still on version 1. It is not redownloaded.

     

    Once the last user that is assigned the role disconnects, the role is flushed.



  • 12.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 10:37 AM
    What are some pros|cons of using downloadable roles vs traditionally creating them on the controller?
    How many customers are using downloadable roles?


    - Ryan -


  • 13.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 10:42 AM

    ClearPass becomes your only role definition point. That is very attractive to many customers.

     

    We see much higher usage and interest on the wired side due to the sheer number of switches. With ArubaOS 8.X with Mobility Master, there might not be as big of a need on the wireless side.



  • 14.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 11:27 AM

    We love the fact that once a role is applied to a user (or AD group in our case), the user gets the same role no matter if they are wired or wireless and changes only have to be made in one location.



  • 15.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 11:31 AM

    Sounds like downloadable roles would be perfect for you!



  • 16.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 12:12 PM
    We have multiple masters on our campus and I have wanted to use downloadable roles for some time, but have not done so yet.

    Pros I see are having a single point of definition (as Tim points out) for the roles makes it easier to implement changes across all of my controllers.

    I don’t use ClearPass for all of the Wi-Fi networks yet (and may never have all of them on ClearPass), so a con would be having to deal with multiple ways of implementing roles and managing them.

    Questions that I have had, but have not looked into (or don’t remember the answers to) are:

    * What happens when I update the role definition in ClearPass? Do all existing users keep the same rules and only subsequent users get the updated ruleset?
    * If the controller already has a role downloaded, how does it know if the role definition on ClearPass and it needs to download a new role?
    * How do you look at the characteristics of a downloadable user role from the controller (either Web UI or CLI)?
    * In HA pairs, when do backup controllers download the roles? With potentially thousands of users moving from one controller to the other how does ClearPass know to only download the role once since there would be thousands asking at virtually the same time?

    A challenge I see is that, with the exception of rebooting controllers, we never have a role with zero users, so to be sure the current role was being sent, I suppose you would have to clear the user tables for users in that role?

    Amel Caldwell
    University of Washington UW-IT
    Wi-Fi Network Engineer
    Wi-Fi Service Manager

    amelc@uw.edu
    206-543-2915

    Ask me about open Network Engineer positions on the wireless team.



    Amel Caldwell
    University of Washington UW-IT
    Wi-Fi Network Engineer
    Wi-Fi Service Manager

    amelc@uw.edu
    206-543-2915

    Ask me about open Network Engineer positions on the wireless team.


  • 17.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 12:24 PM
    Definitely a neat sounding feature. Amel, you [perhaps inadvertently] outlined the complexity of it beautifully. For me, I have condense our network into 3 masters, and given that user-roles should overall be rather static, I prefer to keep ClearPass out it.


  • 18.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 12:27 PM

    We too have 3 masters and look forward to ArubaOS 8.x to consolidate our configuration into one configuration tree.



  • 19.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 12:32 PM
    Braggadocious! ;) Unfortunately, we exceed single cluster limits and will continue to have multiple points of configuration. Not a bad thing though. Know what they say about [wifi] eggs in one basket…


  • 20.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 12:36 PM

    Scalability is an issue many times.

    I suspect your network is larger than most HPE customers but we thank you for stressing the products to their limit, improving them.



  • 21.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 12:57 PM
    ☺ I assume you mean stressing ourselves. :-P