Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Dynamic VLAN assignment based on custom LDAP group

  • 1.  Dynamic VLAN assignment based on custom LDAP group

    Posted Oct 24, 2017 09:22 AM

    Hello community,


    I'm setting up an SSID which will authorize users (assign a VLAN) based on their custom LDAP groups. The problem arises when I try changing their groups dynamically so that they can receive a new VLAN. It doesn't work because CPPM has cached the user groups locally after the previous query to LDAP, so users still receive the old groups and old VLAN after reauthentication. Due to specific requirements, changing users' LDAP groups (which will translate to a new VLAN and new policy) will happen quite often (at least several times during the working day).


    Do we have any way to accomplish this? I don't want to disable the cache option since it may cause performance issues with CPPM.


    Thank you very much,
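
As an added illustration (not code from this thread or from ClearPass), the following Python model reproduces the behaviour described above: groups fetched from LDAP are cached per user for a TTL and mapped to a VLAN on every reauthentication, so a group change made in the directory is not seen until the cached entry is invalidated or expires. The usernames, group DNs and VLAN ids are constructed.

```python
"""Model of CPPM-style authorization caching: LDAP groups are fetched once per user,
cached for a TTL and mapped to a VLAN on every (re)authentication. Constructed illustration,
not ClearPass code; users, groups and VLAN ids are made up."""
import time

# Constructed stand-in for the LDAP directory: username -> set of group DNs
DIRECTORY = {"alice": {"cn=isp-a,ou=groups,dc=example,dc=com"}}
# Constructed enforcement policy: group DN -> VLAN id (first match wins)
GROUP_TO_VLAN = {
    "cn=isp-a,ou=groups,dc=example,dc=com": 101,
    "cn=isp-b,ou=groups,dc=example,dc=com": 102,
}
DEFAULT_VLAN = 999  # fall-back VLAN when no mapped group matches


class GroupCache:
    """Authorization-attribute cache keyed by username with an absolute expiry."""
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl, self.clock, self._entries = ttl_seconds, clock, {}

    def lookup(self, user):
        """Serve cached groups while fresh; otherwise query the directory and cache."""
        hit = self._entries.get(user)
        if hit and hit[1] > self.clock():
            return hit[0]
        groups = set(DIRECTORY.get(user, ()))
        self._entries[user] = (groups, self.clock() + self.ttl)
        return groups

    def invalidate(self, user):
        """Drop one user's entry so the next authentication re-queries LDAP."""
        self._entries.pop(user, None)


def authorize(cache, user):
    """Map the user's (possibly cached) groups to a VLAN."""
    for group in sorted(cache.lookup(user)):
        if group in GROUP_TO_VLAN:
            return GROUP_TO_VLAN[group]
    return DEFAULT_VLAN


def demo(ttl_seconds=3600):
    """Return (VLAN at first auth, VLAN after the group change, VLAN after invalidation)."""
    cache = GroupCache(ttl_seconds)
    first = authorize(cache, "alice")                              # LDAP says isp-a -> 101
    DIRECTORY["alice"] = {"cn=isp-b,ou=groups,dc=example,dc=com"}  # admin moves the user
    stale = authorize(cache, "alice")                              # cache hit -> still 101
    cache.invalidate("alice")                                      # or wait for the TTL
    fresh = authorize(cache, "alice")                              # re-query -> 102
    return first, stale, fresh
```

With a TTL of zero every reauthentication goes back to LDAP, which is the "disable the cache" trade-off discussed in this thread.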



  • 2.  RE: Dynamic VLAN assignment based on custom LDAP group

    Posted Oct 24, 2017 09:48 AM
    The only option would be to disable the cache.


  • 3.  RE: Dynamic VLAN assignment based on custom LDAP group

    Posted Oct 24, 2017 11:20 AM

    Hi Tim,


    I have approximately 5000 devices authenticating through CPPM. Will it cause a huge performance issue if I disable the cache? And what should I do to limit the impact?


    Thank you,



  • 4.  RE: Dynamic VLAN assignment based on custom LDAP group

    Posted Oct 24, 2017 11:24 AM
    It varies based on the environment. You'll have to try it. I'm very curious why users are being added and removed from groups on a regular basis.


  • 5.  RE: Dynamic VLAN assignment based on custom LDAP group

    Posted Oct 24, 2017 11:21 PM

    Hi,


    Let me clarify the requirements. Our users want to test their products through different ISPs, so we came up with the idea of associating their accounts with different LDAP groups and, based on those settings, source-routing their traffic through the ISP they want to test. Since their work is just doing tests like this, it will happen on a regular basis (change group -> change VLAN -> change ISP).


    Normally the cache is very useful, but not in this case. I wonder if there is any other solution for dynamic VLAN changes apart from using LDAP groups?


    Thank you,



  • 6.  RE: Dynamic VLAN assignment based on custom LDAP group

    Posted Oct 25, 2017 09:56 AM

    I have thought about using the group (role) locally on CPPM, but it looks like there's no way to map a username from LDAP to a local group on CPPM.


    Any ideas are very welcome.