@beconnect wrote:
Hi,
I assume the confusion is in my head. Reading the CPPM guide should clarify...
As I understand it, Policy Manager, after the handshake on the authentication method, checks for:
1. Role mapping policy
2. applies enforcement policy
3. sends enforcement profile to the switch.
Based on this, and assuming I am correct ;), I have made some improvements and now I need only one SSID, "Enterprise".
1. Create a role mapping policy "corporate". You only need one role mapping policy which will contain all of your rules.
a. with a rule for VLAN A and assume a role A
b. if it belongs to the group static host list, then go to VLAN B and Role B.
c. also adding: if the endpoint equals Apple iPhone or Android, it goes to a Guest role
Am I correct, and is it less confusing now?
Could a, b, c be done under one service only?
Basically, if the user's MAC address is on the static list it goes to VLAN B and Role B.
If not, it goes to VLAN A and Role A.
Regards
1. You only need/can configure a single role mapping policy in a service, and you place all of your rules in there. An incoming authentication can be tagged with a number of CPPM roles in the role mapping policy to make a decision on later. For example, I have a CPPM Student Role, a Teacher Role and a created in CPPM under Identity > Roles. I then write a role mapping policy in the service to detect if a user is a teacher and tag him with the Teacher role. If he is a student, tag him with the Student role. They both look at the memberOf attribute to see if the incoming username is a member of that group. If the device is an Apple device, I tag it with the iPhone role. If the OS of the device is Android, then I tag it with that. Since I used "Select all matches", it will be able to tag Student, iPhone or Teacher, iPhone or any combination.
2. Later in my enforcement policy, I want to tie this together:
I check to see if anybody has the "Android" role. If they do, I send them the Guest Caching Enforcement policy, which in the background sends the guest role back to the controller. The role on the controller will switch that device to the guest VLAN.
I check to see if the user is a teacher AND has machine authenticated (built-in role), and if that is the case, I just allow all, which will place him into the VLAN on the virtual AP on the internal network. Does that make sense?
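As an added example (not ClearPass code, and not from either poster), here is a small Python model of the two stages described in this answer: one role mapping policy with "Select all matches" that can tag a request with several CPPM roles, followed by a first-match enforcement policy that ties those roles together. The attribute names, AD group names, the static host list entry, the sample requests and the rule order are constructed assumptions; the role and profile names are modelled on the ones mentioned in the thread.

```python
# Constructed static host list (the MAC address is made up for the example).
STATIC_HOST_LIST = {"00:11:22:33:44:55"}

def in_group(req, cn):
    """True if one of the request's memberOf values is the AD group named cn."""
    return any(g.startswith(f"CN={cn},") for g in req["memberOf"])

# Role mapping policy: (condition, CPPM role). Modelled on "Select all matches":
# every rule whose condition holds adds its role, so one request can end up
# tagged Teacher + iPhone, Student + Android, and so on.
ROLE_MAPPING = [
    (lambda r: in_group(r, "Teachers"), "Teacher"),
    (lambda r: in_group(r, "Students"), "Student"),
    (lambda r: r["mac"] in STATIC_HOST_LIST, "StaticHost"),
    (lambda r: r["device_category"] == "Apple", "iPhone"),
    (lambda r: r["device_os"] == "Android", "Android"),
]

def map_roles(req):
    """Return every CPPM role the role mapping policy tags onto the request."""
    roles = {role for cond, role in ROLE_MAPPING if cond(req)}
    if req["machine_authenticated"]:
        roles.add("[Machine Authenticated]")  # CPPM's built-in role
    return roles

# Enforcement policy: rules are evaluated top to bottom and the first match
# wins, so rule order decides what a request carrying several roles receives.
ENFORCEMENT = [
    (lambda roles: "Android" in roles, "Guest Caching Enforcement"),
    (lambda roles: {"Teacher", "[Machine Authenticated]"} <= roles, "[Allow Access Profile]"),
    (lambda roles: "StaticHost" in roles, "VLAN B / Role B"),
    (lambda roles: "Student" in roles, "VLAN A / Role A"),
]
DEFAULT_PROFILE = "[Deny Access Profile]"  # what a request gets when no rule matches

def enforce(req):
    """Run role mapping, then return (enforcement profile, roles) for the request."""
    roles = map_roles(req)
    for cond, profile in ENFORCEMENT:
        if cond(roles):
            return profile, roles
    return DEFAULT_PROFILE, roles

def request(member_of=(), mac="aa:bb:cc:dd:ee:01", category="", os="", machine_auth=False):
    """Build a constructed authentication request carrying the attributes the rules read."""
    return {"memberOf": list(member_of), "mac": mac, "device_category": category,
            "device_os": os, "machine_authenticated": machine_auth}
```

Swapping the order of the two leading enforcement rules changes what a machine-authenticated teacher on an Android phone receives, which is the ordering point the answer makes.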