I have a question related to a scenario where I want to push a firewall role (Controller) from ClearPass. I am having a hard time understanding how we can implement this.
For example: I want to block a certain type of traffic for a user group. I have created a firewall rule on the controller. When I define an enforcement policy, where shall I define this enforcement? Because in the Enforcement Profile I don't see any condition related to pushing a firewall rule.
@MDTCS wrote: Hi, I have a question related to a scenario where I want to push a firewall role (Controller) from ClearPass. I am having a hard time understanding how we can implement this. For example: I want to block a certain type of traffic for a user group. I have created a firewall rule on the controller. When I define an enforcement policy, where shall I define this enforcement? Because in the Enforcement Profile I don't see any condition related to pushing a firewall rule. Regards, MD
We define the user roles in the controllers and send the Aruba-User-Role VSA from the ClearPass enforcement profile.
Thanks for the reply, Bruce.
What should be the attribute value in this case, the plain-text Aruba firewall role created on the controller?
For example: I have created a firewall role named "Block youtube", so my enforcement profile attribute would be:
Name : Aruba-user-role 1
Value : Block youtube
Is this the correct understanding?
Could you also help me understand on what basis we select an appropriate attribute?
Appreciate your help.
I am assuming you have PEFNG firewall licenses on your controller. The user-role would contain your ACL. If you wish to just block things, you must add the allowall ACL (policy) as the last ACL, since there is an implicit denyall in a role which blocks anything.
If your controller user-role containing your ACLs is named "Block-Youtube", then your ClearPass Enforcement Profile would send back
Type : Radius:Aruba
Value : Block-Youtube
I recommend not using spaces in names on the controller. You can use underscores and dashes instead; just be consistent.
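To make concrete what that enforcement profile actually puts on the wire, here is an added example (not from this thread, and not ClearPass or ArubaOS code). It encodes the Aruba-User-Role VSA the way RFC 2865 defines Vendor-Specific attributes: attribute type 26, Aruba's IANA enterprise number 14823, and vendor attribute 1 (which is the "1" in "Aruba-user-role 1" in Aruba's RADIUS dictionary), wraps it in an Access-Accept with the response authenticator a RADIUS client checks, and decodes it back. The shared secret and request authenticator are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RFC 2865 attribute numbers and Aruba's dictionary values
ATTR_VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute
ARUBA_VENDOR_ID = 14823     # IANA enterprise number for Aruba
ARUBA_USER_ROLE = 1         # vendor attribute number of Aruba-User-Role
CODE_ACCESS_ACCEPT = 2


def encode_aruba_user_role(role_name: str) -> bytes:
    """Build the Vendor-Specific attribute carrying Aruba-User-Role."""
    value = role_name.encode("utf-8")
    # The attribute length field is one byte: 2 + 4 + 2 + len(value) <= 255
    if not 1 <= len(value) <= 247:
        raise ValueError("role name must be 1..247 bytes")
    sub_attr = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub_attr
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_aruba_user_role(attrs: bytes):
    """Walk a RADIUS attribute list; return the Aruba-User-Role string or None."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 6:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == ARUBA_VENDOR_ID:
                j, end = i + 6, i + alen
                while j + 2 <= end:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > end:
                        raise ValueError("malformed vendor sub-attribute")
                    if vtype == ARUBA_USER_ROLE:
                        return attrs[j + 2:j + vlen].decode("utf-8")
                    j += vlen
        i += alen
    return None


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attrs: bytes) -> bytes:
    """Assemble an Access-Accept; the response authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(packet: bytes, request_authenticator: bytes,
                         secret: bytes) -> bool:
    """What the controller does before trusting the role: recompute the
    response authenticator with the shared secret and compare."""
    if len(packet) < 20:
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator +
                           packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    # Constructed placeholders; a real request authenticator is 16 random bytes
    # chosen by the NAS and the secret is whatever is configured on both sides.
    request_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    attrs = encode_aruba_user_role("Block-Youtube")
    packet = build_access_accept(7, request_auth, secret, attrs)
    print("VSA hex:", attrs.hex())
    print("authenticator valid:", verify_access_accept(packet, request_auth, secret))
    print("role carried:", decode_aruba_user_role(packet[20:]))
```

The string is sent exactly as typed, so the value in the profile must match the controller's role name byte for byte (case included); that is also why a name without spaces is easier to keep consistent across ClearPass and the controller.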
Also don't forget about downloadable roles from CPPM. That way you can manage the roles in one place and push them to any switch or controller.
That requires ClearPass 6.6.7, correct? I do not currently recommend that release.
Our roles have so many ACL lines that downloading them for each user might not be too efficient. I may research this when I have time.
No sir. We have been using downloadable roles for the last four years.
OK, thanks for the correction.
I was just looking at the switch release notes and it requires 6.6.7.
Just to clarify here, the first time a user requires the downloadable role, it is downloaded from ClearPass. Each additional user that requires the same role will use the controller's downloaded copy of the role unless a change to the role has occurred in ClearPass.
tl;dr it's not downloaded every time.
Are you saying we can create firewall roles/ACLs (downloadable) in ClearPass, the first-time user will download it from ClearPass and the controller will also download it, and the next new user will download it from the controller?
I am not able to understand it correctly.
User Bob is assigned Role A. Version 1 of the role downloads from ClearPass.
User Alice authenticates 5 minutes later and is assigned Role A. This role is still on version 1. It is not redownloaded.
Once the last user that is assigned the role disconnects, the role is flushed.
ClearPass becomes your only role definition point. That is very attractive to many customers.
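The Bob/Alice walkthrough above is easy to misread, so here is an added example (a simplified model, not ArubaOS or ClearPass code) of the caching behaviour the replies describe: a role is fetched from ClearPass when a user first needs it or when its version on ClearPass has changed, reused for further users otherwise, and flushed once the last user assigned to it disconnects. The version counter, the ACL lines and the user names are constructed, and how existing sessions behave on a version change is an assumption of the model (they simply keep running).

```python
from dataclasses import dataclass


@dataclass
class CachedRole:
    """One downloaded copy of a role as the controller would hold it."""
    version: int
    acl_lines: list


class ClearPassRoleSource:
    """Constructed stand-in for the role definitions held on ClearPass."""

    def __init__(self):
        self._roles = {}     # name -> (version, acl_lines)
        self.downloads = 0   # how many times a controller fetched a role

    def publish(self, name, acl_lines, version):
        self._roles[name] = (version, list(acl_lines))

    def current_version(self, name):
        return self._roles[name][0]

    def download(self, name):
        self.downloads += 1
        version, acl_lines = self._roles[name]
        return CachedRole(version, list(acl_lines))


class ControllerRoleCache:
    """Controller-side cache: download on first use or version change,
    reference-count users, flush when the last user leaves."""

    def __init__(self, source):
        self.source = source
        self._cache = {}      # role name -> CachedRole
        self._users = {}      # role name -> set of users holding it
        self._user_role = {}  # user -> role name

    def assign(self, user, role_name):
        """Assign a role to a session; True if ClearPass was contacted."""
        cached = self._cache.get(role_name)
        downloaded = False
        if cached is None or cached.version != self.source.current_version(role_name):
            cached = self.source.download(role_name)
            self._cache[role_name] = cached
            downloaded = True
        self._users.setdefault(role_name, set()).add(user)
        self._user_role[user] = role_name
        return downloaded

    def disconnect(self, user):
        """Drop the session; True if the role was flushed as a result."""
        role_name = self._user_role.pop(user)
        users = self._users[role_name]
        users.discard(user)
        if not users:  # last user assigned to the role is gone
            del self._cache[role_name]
            del self._users[role_name]
            return True
        return False

    def is_cached(self, role_name):
        return role_name in self._cache

    def cached_version(self, role_name):
        return self._cache[role_name].version


if __name__ == "__main__":
    src = ClearPassRoleSource()
    src.publish("Role-A", ["user any svc-http permit", "user any any deny"], 1)
    ctl = ControllerRoleCache(src)
    print("bob downloaded:", ctl.assign("bob", "Role-A"))      # True
    print("alice downloaded:", ctl.assign("alice", "Role-A"))  # False
    ctl.disconnect("bob")
    print("flushed after alice leaves:", ctl.disconnect("alice"))
    src.publish("Role-A", ["user any any deny"], 2)
    print("carol downloaded:", ctl.assign("carol", "Role-A"))  # True, version 2
    print("downloads from ClearPass:", src.downloads)           # 2
```

The model shows why a large role is not the scaling problem it first appears to be: the number of downloads tracks role changes and first-use events, not the number of authenticating users.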
We see much higher usage and interest on the wired side due to the sheer number of switches. With ArubaOS 8.X with Mobility Master, there might not be as big of a need on the wireless side.
We love the fact that once a role is applied to a user (or AD group in our case), the user gets the same role no matter if they are wired or wireless and changes only have to be made in one location.
Sounds like downloadable roles would be perfect for you!
We too have 3 masters and look forward to ArubaOS 8.x to consolidate our configuration into one configuration tree.
Scalability is an issue many times.
I suspect your network is larger than most HPE customers but we thank you for stressing the products to their limit, improving them.