
Roles rules by Switch & Port in Clearpass

  • 1.  Roles rules by Switch & Port in Clearpass

    Posted Aug 01, 2018 02:10 PM

    We are just starting to leverage Clearpass for authentication on our switches and I'm trying to find the right way to assign roles based on a combination of switch and port.


    These are third party switches, and the best I've been able to figure out is to make individual role rule entries using the IETF-NAS-Identifier and IETF-NAS-Port. Since those are two separate values I have to make individual entries for each pair.


    For example, if I want to identify specific ports on our network allowed to service PCI related devices, I have to put in individual entries for each switch/port pair. Even if I could find a value that was the switch/port pair, that would make that a *lot* cleaner.


    Am I missing something somewhere, is there a better way to do that?  (I hope!)


    Many Thanks.



  • 2.  RE: Roles rules by Switch & Port in Clearpass
    Best Answer

    Posted Aug 01, 2018 02:13 PM
    You could create a custom attribute on each Network Device definition that contains a set of numbers. Then use a parameterized variable in your policy to compare the Network Device to the IETF NAS-Port-Id from the RADIUS request.
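    The comparison the answer describes, modelled outside ClearPass as an added example (not ClearPass configuration or the poster's own setup): each Network Device carries a constructed custom attribute listing its PCI-allowed ports, and the policy evaluates the RADIUS NAS-Identifier plus NAS-Port-Id against that list, failing closed for unknown devices. The attribute name, device names, port-string formats and role names are assumptions.

    ```python
    import re

    # Constructed Network Device definitions, keyed by NAS-Identifier. The
    # hypothetical custom attribute "pci_ports" lists the ports on that switch
    # allowed to serve PCI devices (the per-device list the answer suggests).
    NETWORK_DEVICES = {
        "sw-core-01": {"pci_ports": "3,4,7"},
        "sw-edge-02": {"pci_ports": "1/0/12,1/0/13"},
        "sw-lab-09":  {"pci_ports": ""},   # no PCI ports on this switch
    }

    def parse_port_set(raw: str) -> set[str]:
        """Turn the comma-separated custom attribute into a set of port strings."""
        return {p.strip() for p in raw.split(",") if p.strip()}

    def normalise_port(nas_port_id: str) -> str:
        """Reduce vendor NAS-Port-Id strings ('GigabitEthernet1/0/12',
        'ge-1/0/12.0', '7') to the bare port index so one attribute format
        works across third-party switches. Assumption: the trailing
        digit/slash group is the port; a sub-interface suffix like '.0' is dropped."""
        m = re.search(r"(\d+(?:/\d+)*)(?:\.\d+)?$", nas_port_id)
        return m.group(1) if m else nas_port_id.strip()

    def assign_role(nas_identifier: str, nas_port_id: str) -> str:
        """Mimic the role rule: only a known device AND a listed port yield PCI-Port."""
        device = NETWORK_DEVICES.get(nas_identifier)
        if device is None:
            return "Unknown-Device"      # unknown NAS: fail closed, never PCI
        allowed = parse_port_set(device.get("pci_ports", ""))
        if normalise_port(nas_port_id) in allowed:
            return "PCI-Port"
        return "Standard-Port"

    if __name__ == "__main__":
        for nas, port in [("sw-core-01", "GigabitEthernet7"),
                          ("sw-edge-02", "ge-1/0/14.0"),
                          ("sw-rogue", "3")]:
            print(nas, port, "->", assign_role(nas, port))
    ```

    Because the match is exact after normalisation, "3" on sw-core-01 does not match a request for port "1/0/3", so the attribute format must be written in the same form the switch reports.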

  • 3.  RE: Roles rules by Switch & Port in Clearpass

    Posted Aug 01, 2018 02:17 PM

    That is an interesting idea, and I could probably manage the list externally via API. I'll experiment with that. Thanks!