Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

How does one determine if a device is connected wired to a switch or access point?

  • 1.  How does one determine if a device is connected wired to a switch or access point?

    Posted Nov 12, 2018 09:50 AM

    I'd like to apply different ClearPass services based on whether a device is connected to an Aruba switch or to an Aruba 303H access point. If a device is connected to a switch, it would get an enforcement policy with a downloadable user role, while a device connected to an access point would get a role like a wireless device.  Is there a way to determine what type of switch or AP a device is wired to? Am I approaching this correctly?

    Thanks



  • 2.  RE: How does one determine if a device is connected wired to a switch or access point?

    Posted Nov 12, 2018 09:55 AM
    The service types in ClearPass build all of the required rules for you.


  • 3.  RE: How does one determine if a device is connected wired to a switch or access point?

    Posted Nov 12, 2018 09:56 AM

    You could use Access Tracker in ClearPass and see what service they are connecting to.



  • 4.  RE: How does one determine if a device is connected wired to a switch or access point?

    Posted Nov 12, 2018 10:28 AM

    Let me clarify things a bit. I have two services, one for devices connected to wired switches and one for devices wired to 303H access points. They are both 802.1X wired services. Devices connected to switches get a different enforcement policy than those connected to 303H access points. The access points tunnel back to the controllers, and roles and ACLs are applied at the controller. On the other hand, switches will use an enforcement policy that applies downloadable user roles and ACLs, which are applied at the switch or at the controller depending on whether or not the user device is in a role that is tunnelled back to the controller. The enforcement policy applied should be determined by whether the user device is connected to a switch or to a 303H.

     

    For switches, the service can look at device group membership to determine whether the service should be applied. I'd like to be able to do something similar for the 303H service and restrict the service to 303Hs. Right now, if the 303H wired service is before the switch wired service, it is applied even if the device is connected to a switch. I think service ordering could take care of this by putting the switch service before the 303H service, but I'd rather have more control over it than that, since if I forget and change the order in the future, it could break things.



  • 5.  RE: How does one determine if a device is connected wired to a switch or access point?

    Posted Nov 12, 2018 04:15 PM

    Here is an example of service rules to match a MAC auth off the wired interfaces of an AP.

     

    [Attachment: Screen Shot 2018-11-12 at 4.14.38 PM.png (screenshot of the service rules)]



  • 6.  RE: How does one determine if a device is connected wired to a switch or access point?

    Posted Nov 12, 2018 04:44 PM

    Thanks Tim. What is the Aruba-Port-ID 0? A quick glance seems to show it to always be zero from the 303H. A short bit of testing seems to show this to be working. If this is the case, would the group be needed?

     

    As for the group, I'd create a group with the IP addresses of the 303Hs?



  • 7.  RE: How does one determine if a device is connected wired to a switch or access point?

    Posted Nov 12, 2018 04:48 PM
    The Port-ID is the interface, which would be in the format ap-ip:0/X, so this rule looks for ":0/" to determine that it's the wired interface of an AP.

    The Network Device Group would contain all of your controller IPs. I always recommend using NAD Groups as it makes the service rules more explicit when making other changes.
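
As an added illustration (not part of this thread and not ClearPass code), the following Python models the two service rules discussed above so the order-independence point is concrete: the AP-wired service requires both that the NAD is in a controller group and that Aruba-Port-Id has the "<ap-ip>:0/<port>" shape, while the switch service keys on a switch group. The group IPs, port-ID strings and service names are constructed sample data; the exact Port-Id format beyond what the thread states, and the use of an anchored regex rather than a bare CONTAINS ":0/", are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (assumption, not from the thread): the Network Device
# Groups a ClearPass admin would define. Controllers terminate the AP tunnels, so
# the RADIUS request for an AP wired port arrives from a controller IP.
CONTROLLER_GROUP = {ipaddress.ip_address(a) for a in ("10.1.0.11", "10.1.0.12")}
SWITCH_GROUP = {ipaddress.ip_address(a) for a in ("10.1.30.2", "10.1.30.3")}

# Per the thread, Aruba-Port-Id for an AP wired port is "<ap-ip>:0/<port>".
# Anchoring on ":0/<digits>" at the end is stricter than CONTAINS ":0/" and also
# lets us recover the AP's IP. The dotted-quad prefix is an assumption.
AP_WIRED_PORT_ID = re.compile(
    r"^(?P<ap_ip>\d{1,3}(?:\.\d{1,3}){3}):0/(?P<port>\d+)$"
)


@dataclass(frozen=True)
class RadiusRequest:
    nad_ip: str                    # Connection:NAD-IP-Address
    aruba_port_id: Optional[str]   # Radius:Aruba:Aruba-Port-Id, None if absent


def ap_ip_from_port_id(port_id: Optional[str]) -> Optional[str]:
    """Return the AP's IP if port_id has the AP wired-port shape, else None."""
    if not port_id:
        return None
    m = AP_WIRED_PORT_ID.match(port_id)
    return m.group("ap_ip") if m else None


def is_ap_wired_request(req: RadiusRequest) -> bool:
    """Both conditions of the AP-wired service rule must hold (logical AND).

    The group check is what makes the rule explicit: a port ID containing
    ":0/" from a NAD that is not a controller does not match.
    """
    nad_is_controller = ipaddress.ip_address(req.nad_ip) in CONTROLLER_GROUP
    return nad_is_controller and ap_ip_from_port_id(req.aruba_port_id) is not None


def select_service(req: RadiusRequest) -> Optional[str]:
    """Categorize a request the way two explicitly-scoped services would.

    Because each service carries its own NAD-group condition, swapping the
    order of the two checks below does not change the outcome.
    """
    if is_ap_wired_request(req):
        return "Wired 802.1X - AP wired port"
    if ipaddress.ip_address(req.nad_ip) in SWITCH_GROUP:
        return "Wired 802.1X - switch"
    return None  # no service matched; ClearPass would reject the request


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        RadiusRequest("10.1.0.11", "10.1.20.5:0/1"),   # controller, AP wired port
        RadiusRequest("10.1.30.2", "1/0/3"),           # switch port
        RadiusRequest("10.1.40.9", "10.1.20.5:0/1"),   # ":0/" but unknown NAD
        RadiusRequest("10.1.0.11", None),              # controller, no port VSA
    ]
    for r in samples:
        print(f"{r.nad_ip:<10} {str(r.aruba_port_id):<16} -> {select_service(r)}")
```

The third sample is the case the group condition exists for: a request whose port ID happens to contain ":0/" but that does not come from a controller falls through to no match instead of silently picking up the AP wired policy.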