Security

We are changing some of our standards and part of this is a renaming of our vlan names for refreshed sites. is there a way to use role mapping or some other method. to Interrogate the switch and see if a vlan exists if not check the next vlan name until there is a match and assigned the matched vlan?

We are changing some of our standards and part of this is a renaming of our vlan names for refreshed sites. is there a way to use role mapping or some other method. to Interrogate the switch and see if a vlan exists if not check the next vlan name until there is a match and assigned the matched vlan?

We are changing some of our standards and part of this is a renaming of our vlan names for refreshed sites. is there a way to use role mapping or some other method. to Interrogate the switch and see if a vlan exists if not check the next vlan name until there is a match and assigned the matched vlan?

Another option is to save the VLAN name in a user-defined attribute in the network device. It's neither right nor wrong, the approach just has to fit your requirements.

In first step you create a device attribute called Data-VLAN.

If you need to overwrite the normally assigned VLAN for a switch, create the Attibut in the network device and set the corresponding value. You can access the Attribute-Value by entering the attribute-name prefixed with % and enclosed in curly braces, also %{Device:Data-VLAN}.

Now you check in rolemapping or in enforcement whether Device:Data-VLAN exists. If not, set the normally assigned VLAN. if it does exist, set the value of the Device:Data-VLAN attribute.

The enforcement profile would then look like this:

This gives you flexibility and allows you to set a different access VLAN for each switch if required.

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Feb 19, 2024 05:52 AM
From: Hatzo
Subject: Clearpass multiple vlan role mapping

We are changing some of our standards and part of this is a renaming of our vlan names for refreshed sites. is there a way to use role mapping or some other method. to Interrogate the switch and see if a vlan exists if not check the next vlan name until there is a match and assigned the matched vlan?

Seems like a feasible solution. I'll give it a try. 

Many thanks Waldemar

Original Message:
Sent: Feb 20, 2024 01:31 PM
From: Waldemar Ryll
Subject: Clearpass multiple vlan role mapping

Another option is to save the VLAN name in a user-defined attribute in the network device. It's neither right nor wrong, the approach just has to fit your requirements.

In first step you create a device attribute called Data-VLAN.

If you need to overwrite the normally assigned VLAN for a switch, create the Attibut in the network device and set the corresponding value. You can access the Attribute-Value by entering the attribute-name prefixed with % and enclosed in curly braces, also %{Device:Data-VLAN}.

Now you check in rolemapping or in enforcement whether Device:Data-VLAN exists. If not, set the normally assigned VLAN. if it does exist, set the value of the Device:Data-VLAN attribute.

The enforcement profile would then look like this:

This gives you flexibility and allows you to set a different access VLAN for each switch if required.

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Feb 19, 2024 05:52 AM
From: Hatzo
Subject: Clearpass multiple vlan role mapping

We are changing some of our standards and part of this is a renaming of our vlan names for refreshed sites. is there a way to use role mapping or some other method. to Interrogate the switch and see if a vlan exists if not check the next vlan name until there is a match and assigned the matched vlan?