Security

  • 1.  Clearpass dynamic acl not working

    Posted Apr 15, 2025 06:51 AM

    This is working fine. The requirement is to block communication through the dynamic ACL from subnet to subnet; for example, traffic from 10.10.20.0 to 10.10.30.0 must be blocked.

    I tried multiple formats, but none of these are working.

    This format shows an error on the switch.

    A request to all community members: kindly give me a solution for this.

    ClearPass Policy Manager 6.11.1.251304 on CLABV 

    Aruba 2930f switch


  • 2.  RE: Clearpass dynamic acl not working

    Posted Apr 16, 2025 10:41 AM

    According to the rule syntax, source can only be any.

    You may have a look at Downloadable User Roles as an alternative.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Clearpass dynamic acl not working

    Posted 29 days ago
    Edited by Rajat Sharma 29 days ago

    Hi Herman,

    I have a lab setup in my office using an Aruba IAP 505 and an Aruba 2930f switch, but I currently don't have a public HTTPS certificate available. I'm working on a few test scenarios and would appreciate your input or guidance on the following:

    1. Downloadable User Role (DUR) Testing with Aruba switch 2930f

      • Can DUR testing be performed in a lab environment without a public HTTPS certificate?

      • If yes, could you please share a detailed document or best practices for configuring and validating this?

    2. What I want to achieve using DUR

      • I want to block access specifically from source IP 10.10.20.10 to destination 10.10.30.10.

      • I'd appreciate any configuration examples or tips on implementing this using user roles or access control lists on the IAP.

    3. Guest Self-Registration (HTTP Only)

      • As part of testing, I'd like to configure guest self-registration using HTTP instead of HTTPS (since it's a closed lab setup).

      • Are there any recommendations or known limitations with using HTTP for captive portal testing in Aruba IAP 505?

    Thanks in advance for your support. Let me know if you need any config files or further details from my end.

    Best regards,
    Rajat Sharma




  • 4.  RE: Clearpass dynamic acl not working

    Posted 24 days ago

    You can do DUR without a public HTTPS certificate, but I'm quite sure that you need a PKI-issued certificate. That can be from a private CA, but self-signed is unlikely to work.

    For the DUR, I would recommend that you configure the policy and role first in the switch manually, test/validate that it does what you want it to do, then you can take that configuration and add it as an advanced downloadable user role. You use the switch to do the syntax checking and know it works.

    I would not deploy guest without a public HTTPS certificate. I have not tried it myself, but I have heard about people that got stuck at some point while attempting to configure it. With a cert is best practice and may save a lot of troubleshooting.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Clearpass dynamic acl not working

    Posted 23 days ago


    Hello,
    We use DUR here and it works perfectly for blocking networks and even stations; we use this ACL:


    1 - Enforcement - Profiles - Attributes

    Create the Profile:

    class ipv4 "DHCP"
    match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
    exit
    class ipv4 "DNS"
    match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
    exit
    class ipv4 "NET-01"
    match ip 0.0.0.0 255.255.255.255 10.3.0.0 0.0.255.255
    exit
    class ipv4 "NET-02"
    match ip 0.0.0.0 255.255.255.255 172.20.0.0 0.1.255.255
    exit
    class ipv4 "IP-ANY-ANY"
    match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit

    policy user "POL-151"
    class ipv4 "DHCP" action permit
    class ipv4 "DNS" action permit
    class ipv4 "NET-01" action deny
    class ipv4 "NET-02" action deny
    class ipv4 "IP-ANY-ANY" action permit
    exit

    aaa authorization user-role name "RL-151"
    policy "POL-151"
    exit

    2 - Network


    Create a group within Devices
    Devices Group
    Devices network - NAD-Teste
    Add to network Group Created
      
    3 - Services

    (Tips:Role  EQUALS  RL-151)
    AND (Connection:NAD-IP-Address  BELONGS_TO_GROUP  NAD-Teste)
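    The reply above shows a working class/policy/role set, and the earlier advice was to validate the policy logic before handing it to ClearPass as a downloadable user role. As an added example (not from this thread, from Aruba, or from ClearPass), the Python below parses that class/policy syntax and evaluates sample flows against it in first-match order, so the ordering of permit and deny classes can be checked offline before the role is pushed. It reproduces the posted configuration verbatim and adds one constructed class, "BLOCK-HOST", to cover the 10.10.20.10 to 10.10.30.10 host pair asked about earlier in the thread; the wildcard-mask semantics (a set bit means "don't care"), the "eq" port being the destination port, and the deny-by-default when no class matches are assumptions made for illustration.

```python
import shlex
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the class/policy/role lines posted above, plus one
# constructed host-to-host class (BLOCK-HOST) for the 10.10.20.10 -> 10.10.30.10
# case from earlier in the thread. Lines starting with '#' are stripped by the parser.
POLICY_TEXT = """
class ipv4 "DHCP"
match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit
class ipv4 "DNS"
match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit
class ipv4 "NET-01"
match ip 0.0.0.0 255.255.255.255 10.3.0.0 0.0.255.255
exit
class ipv4 "NET-02"
match ip 0.0.0.0 255.255.255.255 172.20.0.0 0.1.255.255
exit
class ipv4 "BLOCK-HOST"            # constructed addition, not in the posted config
match ip 10.10.20.10 0.0.0.0 10.10.30.10 0.0.0.0
exit
class ipv4 "IP-ANY-ANY"
match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

policy user "POL-151"
class ipv4 "DHCP" action permit
class ipv4 "DNS" action permit
class ipv4 "NET-01" action deny
class ipv4 "NET-02" action deny
class ipv4 "BLOCK-HOST" action deny   # constructed addition
class ipv4 "IP-ANY-ANY" action permit
exit

aaa authorization user-role name "RL-151"
policy "POL-151"
exit
"""


@dataclass
class Rule:
    proto: str          # "ip", "udp" or "tcp"
    src: str
    src_wc: str         # wildcard mask: set bits are "don't care"
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # assumed: "eq N" after the destination is the destination port


@dataclass
class Config:
    classes: dict = field(default_factory=dict)   # class name -> list[Rule]
    policies: dict = field(default_factory=dict)  # policy name -> list[(class, action)]
    roles: dict = field(default_factory=dict)     # role name -> policy name


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard mask does NOT mark as don't-care."""
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)


def parse_policy(text: str) -> Config:
    """Parse class / policy user / aaa authorization user-role blocks into a Config."""
    cfg = Config()
    ctx = None  # ("class", name), ("policy", name) or ("role", name) while inside a block
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)   # handles the quoted names and strips '#' comments
        if not tok:
            continue
        if tok[0] == "exit":
            ctx = None
        elif tok[:2] == ["class", "ipv4"] and ctx and ctx[0] == "policy":
            cfg.policies[ctx[1]].append((tok[2], tok[4]))   # class "NAME" action permit|deny
        elif tok[:2] == ["class", "ipv4"]:
            ctx = ("class", tok[2])
            cfg.classes[tok[2]] = []
        elif tok[0] == "match" and ctx and ctx[0] == "class":
            dport = int(tok[7]) if len(tok) > 7 and tok[6] == "eq" else None
            cfg.classes[ctx[1]].append(Rule(tok[1], tok[2], tok[3], tok[4], tok[5], dport))
        elif tok[:2] == ["policy", "user"]:
            ctx = ("policy", tok[2])
            cfg.policies[tok[2]] = []
        elif tok[:4] == ["aaa", "authorization", "user-role", "name"]:
            ctx = ("role", tok[4])
            cfg.roles[tok[4]] = None
        elif tok[0] == "policy" and ctx and ctx[0] == "role":
            cfg.roles[ctx[1]] = tok[1]
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return cfg


def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return wildcard_match(src, rule.src, rule.src_wc) and wildcard_match(dst, rule.dst, rule.dst_wc)


def evaluate(cfg: Config, role: str, proto: str, src: str, dst: str,
             dport: Optional[int] = None, default: str = "deny") -> str:
    """First matching class in the role's policy decides; 'default' is an assumed implicit deny."""
    for cls_name, action in cfg.policies[cfg.roles[role]]:
        if any(rule_matches(r, proto, src, dst, dport) for r in cfg.classes[cls_name]):
            return action
    return default


if __name__ == "__main__":
    cfg = parse_policy(POLICY_TEXT)
    for flow in [("tcp", "10.10.20.10", "10.10.30.10", 445), ("udp", "10.10.20.10", "10.10.30.10", 53),
                 ("tcp", "10.10.20.10", "172.21.9.9", 22), ("tcp", "10.10.20.10", "172.22.1.1", 22)]:
        print(flow, "->", evaluate(cfg, "RL-151", *flow))
```

    Running the flows shows why class order matters: the host-pair block denies TCP 445 between the two hosts, but UDP 53 between the same hosts is still permitted because the "DNS" class is evaluated before "BLOCK-HOST". The wildcard 0.1.255.255 on 172.20.0.0 also covers 172.21.0.0/16 but not 172.22.0.0/16, which the evaluator makes visible before the policy is loaded into ClearPass.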