I'm working with a client that has a unique VPN requirement. We have a Clearpass OnGuard install that utilizes the unified VIA VPN client and performs posture checking.
We're going to set up a system that ties the rights and privileges of a VIA user role to a specific AD group. This part is pretty straightforward to set up. The question they had is, if a user is in multiple groups, can they have the rights of those multiple roles?
The way that I am thinking of doing this would be:
1. Come up with the restrictions for group #1 and create an Aruba user role #1
2. Come up with the restrictions for group #2 and create an Aruba user role #2
3. Design an Aruba user role #3 and only pass that from Clearpass if a user has group membership in group #1 AND group #2
Do you think this is the best way to do this? I'd definitely appreciate if there's a way to stack Aruba user role #1 + #2 at the same time, but I'm not holding my breath.
In the Role mappings in ClearPass, you use "Evaluate All", which will tag an incoming authentication with all the "Roles" that they match. In the enforcement policy you use "Evaluate-First" and you check to see if the incoming authentication equals both roles. You would then send back the Enforcement Policy for that third condition.
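As an added illustration of the answer above (this is not code from the post or from ClearPass itself; ClearPass is configured through its policy manager UI), the script below models the two evaluation algorithms involved: a role-mapping policy set to "Evaluate all" tags the request with every TIPS role it matches, and an enforcement policy set to "First applicable" returns the first profile whose condition holds. The AD group names, TIPS role names and enforcement profile names are made up. It also shows the two ways this design silently degrades: if the enforcement rule for the combined condition is ordered after the single-role rules, or if the role mapping is left on "First applicable", a user in both groups gets role #1 instead of role #3.

```python
# Added example, not from the original thread or from any Aruba/ClearPass code.
# Models ClearPass role mapping ("Evaluate all") feeding an enforcement policy
# ("First applicable"). All group, role and profile names below are invented.

from typing import Callable, Iterable, List, Set, Tuple

Condition = Callable[[Set[str]], bool]

# Role-mapping rules: (condition on the user's AD groups, TIPS role to attach).
# Hypothetical AD groups VPN-Finance and VPN-Engineering stand in for group #1 and #2.
ROLE_MAPPING: List[Tuple[Condition, str]] = [
    (lambda groups: "VPN-Finance" in groups, "Finance-User"),
    (lambda groups: "VPN-Engineering" in groups, "Engineering-User"),
]


def map_roles(ad_groups: Iterable[str], rules=ROLE_MAPPING, evaluate_all: bool = True) -> Set[str]:
    """Return the set of TIPS roles a request is tagged with.

    evaluate_all=True models "Evaluate all": every matching rule adds its role.
    evaluate_all=False models "First applicable": only the first match is attached,
    which is exactly what breaks an AND condition in the enforcement policy.
    """
    groups = set(ad_groups)
    tagged: Set[str] = set()
    for cond, role in rules:
        if cond(groups):
            tagged.add(role)
            if not evaluate_all:
                break
    return tagged


def enforce(tips_roles: Set[str], policy: List[Tuple[Condition, str]], default: str = "VIA-Deny") -> str:
    """First-applicable enforcement: the first rule whose condition holds wins."""
    for cond, profile in policy:
        if cond(tips_roles):
            return profile
    return default


# Correct ordering: the AND rule (role #3) is listed before the single-role rules.
# Rule order is the thing to check: with first-applicable evaluation, a user in
# both groups otherwise matches the Finance rule first and never receives role #3.
POLICY_CORRECT: List[Tuple[Condition, str]] = [
    (lambda r: {"Finance-User", "Engineering-User"} <= r, "Aruba-Role-3"),
    (lambda r: "Finance-User" in r, "Aruba-Role-1"),
    (lambda r: "Engineering-User" in r, "Aruba-Role-2"),
]

# Same rules, AND condition moved to the bottom: the common misconfiguration.
POLICY_MISORDERED: List[Tuple[Condition, str]] = [POLICY_CORRECT[1], POLICY_CORRECT[2], POLICY_CORRECT[0]]


def decide(ad_groups: Iterable[str], policy=POLICY_CORRECT, evaluate_all: bool = True) -> str:
    """Full pipeline: AD groups -> TIPS roles -> single enforcement profile."""
    return enforce(map_roles(ad_groups, evaluate_all=evaluate_all), policy)


if __name__ == "__main__":
    # Constructed sample users.
    both = ["Domain Users", "VPN-Finance", "VPN-Engineering"]
    print(decide(both))                          # Aruba-Role-3 (intended)
    print(decide(both, POLICY_MISORDERED))       # Aruba-Role-1 (rule-order pitfall)
    print(decide(both, evaluate_all=False))      # Aruba-Role-1 (role mapping not "Evaluate all")
    print(decide(["Domain Users", "VPN-Engineering"]))  # Aruba-Role-2
    print(decide(["Domain Users"]))              # VIA-Deny
```

Run it as-is to see the three outcomes for a user in both groups. The takeaway for the real ClearPass configuration is the same as in the model: put the "both roles" enforcement rule at the top of the enforcement policy, and confirm the role-mapping policy's evaluation algorithm is "Evaluate all", otherwise the second TIPS role is never attached and the AND rule can never match.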
And do you know of a way to stack two Aruba user roles on each other at the same time? Or, is the way I described the third option the way that I'll have to go. I'm 99% sure I can't do multiple user roles, that I'd have to send a 3rd role - figured it can't hurt to ask.
Thanks - that's what I figured!