I'd like to apply different ClearPass services based on whether or not a device is connected to an Aruba switch or an Aruba 303H access point. If a device is connected to a switch, it would get an enforcement policy with a downloadable user role, while a device connected to an access point would get a role like a wireless device. Is there a way to determine to what type of switch or AP a device is connected wired? Am I approaching this correctly?
You could use Access Tracker in ClearPass and see what service they are connecting to.
Let me clarify things a bit. I have two services, one for devices connected to wired switches and one for devices connected wired to 303H access points. They are both 802.1X wired services. Devices connected to switches get a different enforcement policy than those connected to 303H access points. The access points tunnel back to the controllers and roles and ACLs are applied at the controller. On the other hand, switches will use an enforcement policy that will apply downloadable user roles and ACLs that will apply at the switch or at the controller depending on whether or not the user device is in a role that is tunnelled back to the controller or not. The enforcement policy applied should be determined by whether or not the user device is connected to a switch or a 303H.
For switches, the service can look at device group membership to determine if a service should be applied. I'd like to be able to do something similar for the 303H service and restrict the service to 303Hs. Right now, if the 303H wired service is before the switch wired service, it is applied even if the device is connected to a switch. I think service ordering could take care of this by putting the switch service before the 303H service, but I'd rather have more control over it than that as if I forget and change the order in the future, it could break things.
Here is an example of service rules to match a MAC auth off the wired interfaces of an AP.
Thanks Tim. What is the Aruba-Port-ID 0? A quick glance seems to show it to always be zero from the 303H. A short bit of testing seems to show this to be working. If this is the case, would the group be needed?
As for the group, I'd create a group with the IP addresses of the 303Hs?
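As an added illustration (not from the thread and not Tim's rules), a small Python model of ClearPass first-match service classification: it shows that with only a generic wired rule the result for a switch-connected client depends on service order, while adding the NAD group and Aruba-Port-Id rules to the 303H service makes it order-independent. The IP addresses, group names and attribute spellings below are assumptions.

```python
# Added example, not from the thread: a minimal model of how ClearPass picks
# the first service (in order) whose rules all match. It shows why restricting
# the 303H wired service to a NAD group plus Aruba-Port-Id 0 keeps the outcome
# independent of service ordering. IP addresses, group names and attribute
# spellings are constructed/assumed, not taken from a live ClearPass.

# Constructed device groups keyed by NAD (authenticator) IP address
NAD_GROUPS = {
    "303H-APs": {"10.10.20.11", "10.10.20.12"},
    "Wired-Switches": {"10.10.10.5", "10.10.10.6"},
}


def rule_matches(req, attr, op, value):
    """Evaluate one service rule (attribute, operator, value) against a request."""
    actual = req.get(attr)
    if actual is None:            # attribute absent from the request: no match
        return False
    if op == "EQUALS":
        return str(actual) == str(value)
    if op == "BELONGS_TO_GROUP":
        return actual in NAD_GROUPS.get(value, set())
    raise ValueError("unsupported operator: " + op)


def classify(req, services):
    """Return the name of the first service whose rules ALL match, else None."""
    for name, rules in services:
        if all(rule_matches(req, *rule) for rule in rules):
            return name
    return None


# Services as (name, [rules]); every rule must match (ClearPass "match ALL").
WIRED_8021X = ("Radius:IETF:NAS-Port-Type", "EQUALS", "Ethernet")
AP_LOOSE = ("Wired-303H", [WIRED_8021X])           # original, over-broad service
AP_STRICT = ("Wired-303H", [WIRED_8021X,
             ("Connection:NAD-IP-Address", "BELONGS_TO_GROUP", "303H-APs"),
             ("Radius:Aruba:Aruba-Port-Id", "EQUALS", "0")])
SWITCH = ("Wired-Switch", [WIRED_8021X,
          ("Connection:NAD-IP-Address", "BELONGS_TO_GROUP", "Wired-Switches")])

# Constructed requests: a supplicant behind a switch, and one behind a 303H
FROM_SWITCH = {"Connection:NAD-IP-Address": "10.10.10.5",
               "Radius:IETF:NAS-Port-Type": "Ethernet"}
FROM_303H = {"Connection:NAD-IP-Address": "10.10.20.11",
             "Radius:IETF:NAS-Port-Type": "Ethernet",
             "Radius:Aruba:Aruba-Port-Id": 0}


def order_sensitive(req, ap_service):
    """True if swapping the two services changes which one the request hits."""
    return classify(req, [ap_service, SWITCH]) != classify(req, [SWITCH, ap_service])
```

Run `order_sensitive(FROM_SWITCH, AP_LOOSE)` and `order_sensitive(FROM_SWITCH, AP_STRICT)` to compare the two designs.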