Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass multiple vlan role mapping

  • 1.  Clearpass multiple vlan role mapping

    Posted Feb 19, 2024 05:52 AM

    We are changing some of our standards, and part of this is a renaming of our VLAN names for refreshed sites. Is there a way to use role mapping or some other method to interrogate the switch and see if a VLAN exists, and if not, check the next VLAN name until there is a match and assign the matched VLAN?



  • 2.  RE: Clearpass multiple vlan role mapping

    Posted Feb 19, 2024 07:16 AM

    Not that I'm aware of. What may work is using Device Groups in ClearPass and moving the switches/network devices to a different Device Group.

    One other option may be to set something in the switch name that you can filter on, and check on the NAS-ID in the request to determine if you need to return the old or new VLAN (names). Benefit of that is that all is triggered from the switch/controller, where changes are done anyway.

    Others may even have smarter ideas.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Clearpass multiple vlan role mapping

    Posted Feb 19, 2024 08:39 AM

    What is the NAD?  If a Cisco switch you could use Smart Port Macros.  Not sure if something similar exists on AOS-CX.




  • 4.  RE: Clearpass multiple vlan role mapping

    Posted Feb 20, 2024 01:31 PM

    Another option is to save the VLAN name in a user-defined attribute in the network device. It's neither right nor wrong, the approach just has to fit your requirements.

    In the first step you create a device attribute called Data-VLAN.

    If you need to overwrite the normally assigned VLAN for a switch, create the attribute in the network device and set the corresponding value. You can access the attribute value by entering the attribute name prefixed with % and enclosed in curly braces, i.e. %{Device:Data-VLAN}.

    Now you check in role mapping or in enforcement whether Device:Data-VLAN exists. If not, set the normally assigned VLAN. If it does exist, set the value of the Device:Data-VLAN attribute.

    The enforcement profile would then look like this:

    This gives you flexibility and allows you to set a different access VLAN for each switch if required.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
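The following is an added example, not code from the thread or from HPE Aruba; it models the evaluation described in replies 2 and 4 (a per-device Data-VLAN attribute checked for existence before %{Device:Data-VLAN} is returned, with the NAS-Identifier filter as a second rule and the normally assigned VLAN as the fallback). The network device table, the VLAN names, the "-refresh-" marker and the first-match rule evaluation are all constructed assumptions for illustration; ClearPass itself is configured in the GUI, not in Python.

```python
import re

# Constructed sample data (not from the thread): three NADs as ClearPass would
# store them. Only sw-refresh-01 carries the user-defined Data-VLAN attribute.
NETWORK_DEVICES = {
    "10.0.0.1": {"name": "sw-legacy-01", "attributes": {}},
    "10.0.0.2": {"name": "sw-refresh-01", "attributes": {"Data-VLAN": "Corp-Data-New"}},
    "10.0.0.3": {"name": "sw-refresh-02", "attributes": {}},
}

DEFAULT_DATA_VLAN = "Corp-Data"        # the normally assigned VLAN name (assumed)
REFRESHED_DATA_VLAN = "Corp-Data-New"  # VLAN name used at refreshed sites (assumed)

# %{Namespace:Name} as written in ClearPass profile values, e.g. %{Device:Data-VLAN}
ATTR_REF = re.compile(r"%\{([A-Za-z0-9_-]+):([A-Za-z0-9_-]+)\}")


def lookup_device(request):
    """Find the NAD the request came from (by NAS-IP-Address); None if unknown."""
    return NETWORK_DEVICES.get(request.get("NAS-IP-Address"))


def resolve(namespace, name, request, device):
    """Resolve one attribute reference. Only the Device and Radius namespaces
    are modelled here (assumption: enough for this example)."""
    if namespace == "Device":
        return device["attributes"].get(name)
    if namespace == "Radius":
        return request.get(name)
    return None


def expand(template, request, device):
    """Expand every %{Namespace:Name} in an enforcement-profile value.
    An unresolvable reference raises: this is the misconfiguration the thread
    guards against by checking that Device:Data-VLAN exists before using it."""
    def repl(m):
        value = resolve(m.group(1), m.group(2), request, device)
        if value is None:
            raise KeyError("unresolved reference %%{%s:%s}" % (m.group(1), m.group(2)))
        return value
    return ATTR_REF.sub(repl, template)


def vlan_profile(group_id):
    """Standard RADIUS VLAN assignment attributes (RFC 3580 style)."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": group_id,
    }


def device_attr_exists(name):
    """Condition: the NAD carries the named user-defined attribute."""
    return lambda request, device: name in device["attributes"]


def nas_id_matches(pattern):
    """Condition: the NAS-Identifier in the request matches a marker (reply 2)."""
    rx = re.compile(pattern)
    return lambda request, device: rx.search(request.get("NAS-Identifier", "")) is not None


def always(request, device):
    return True


# Enforcement rules, evaluated top-down, first match wins (assumption: the
# policy is configured for first-applicable rule evaluation).
ENFORCEMENT_RULES = [
    # Reply 4: a per-switch override stored on the network device.
    (device_attr_exists("Data-VLAN"), vlan_profile("%{Device:Data-VLAN}")),
    # Reply 2: derive old/new naming from a marker in the switch name / NAS-ID.
    (nas_id_matches(r"-refresh-"), vlan_profile(REFRESHED_DATA_VLAN)),
    # Fall back to the normally assigned VLAN.
    (always, vlan_profile(DEFAULT_DATA_VLAN)),
]


def evaluate(request):
    """Return the expanded RADIUS attributes for a request, or None when the
    NAD is unknown (requests from unknown network devices are not processed)."""
    device = lookup_device(request)
    if device is None:
        return None
    for condition, profile in ENFORCEMENT_RULES:
        if condition(request, device):
            return {k: expand(v, request, device) for k, v in profile.items()}
    return None


def assigned_vlan(nas_ip, nas_id=""):
    """Convenience wrapper: the VLAN name returned for a request from nas_ip."""
    result = evaluate({"NAS-IP-Address": nas_ip, "NAS-Identifier": nas_id})
    return None if result is None else result["Tunnel-Private-Group-Id"]


if __name__ == "__main__":
    for ip, dev in NETWORK_DEVICES.items():
        print(dev["name"], "->", assigned_vlan(ip, dev["name"]))
```

Rule order is the whole point: the existence check must sit above the rule that returns %{Device:Data-VLAN}, otherwise a switch without the attribute gets an empty Tunnel-Private-Group-Id. Keeping the override on the network device (rather than in the profile) is what lets the enforcement profiles stay unchanged when a site is refreshed, as reply 6 notes.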



  • 5.  RE: Clearpass multiple vlan role mapping

    Posted Feb 21, 2024 03:39 AM

    Seems like a feasible solution. I'll give it a try. 

    Many thanks Waldemar




  • 6.  RE: Clearpass multiple vlan role mapping

    Posted Feb 21, 2024 06:52 AM

    Hey Hatzo, you're welcome.

    This approach means you have more queries in the role mapping, but you can easily save the VLANs in the network device.

    The advantage is that the enforcement profiles do not have to be changed.

    Post your result, whether it works or not, or if you need some help.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------