Security

  • 1.  ClearPass Role Mapping order

    Posted Aug 18, 2024 06:20 PM

    Suppose I have the following role mapping policy:

    1. (Authorization:[Endpoints Repository]:Category  EQUALS  Printer) Profiled_Printer
    2. (Authorization:[Endpoints Repository]:MAC Vendor  EQUALS  boca systems)
    OR  (Authorization:[Endpoints Repository]:MAC Vendor  EQUALS  HP Inc.)
    Printer_OUI
    3. (Authorization:[Endpoints Repository]:Category  EQUALS  SmartDevice) Profiled_Mobile_Device
    4. (Authorization:[Endpoints Repository]:MAC Vendor  CONTAINS  Apple) Mobile_OUI
    5. (Authorization:[Endpoints Repository]:MAC Vendor  CONTAINS  AzureWave) Computer_OUI
    6. (Authorization:[Endpoints Repository]:Category  EQUALS  Computer) Profiled_Computer

    I have an iPad that is categorized as a SmartDevice (rule #3) but it consistently gets the role Mobile_OUI (rule #4). In a role mapping policy, do devices continue to get profiled after a role is mapped? Where can I see the inner workings of this behavior? Is it score-based like Cisco ISE? Thanks.



  • 2.  RE: ClearPass Role Mapping order
    Best Answer

    Posted Aug 19, 2024 04:02 AM

    Hi

    You control this in the rule mapping policy with the option below:

    If Select first match is selected, the evaluation stops with the first match; with Select all matches, all rules are evaluated and a device can be assigned multiple roles.

    Select first match is the default.

    If you change the behavior, make sure you don't have rules in the Enforcement policy that require multiple roles to have been assigned.

    The same option exists in Enforcement policies.

    Personally I tend to have Select all matches in rule mapping policies and Select first match in the Enforcement policies.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
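
An added illustration (not part of the original posts and not ClearPass code) of the two evaluation algorithms described in the answer above, run over the six rules from the first post. The `map_roles` helper, the endpoint records and the exact-string handling of EQUALS/CONTAINS are assumptions of this sketch.

```python
# Simplified model of role-mapping evaluation (illustrative, not ClearPass code).
# Assumption: EQUALS is an exact string match, CONTAINS is a substring match.
OPS = {
    "EQUALS": lambda actual, want: actual == want,
    "CONTAINS": lambda actual, want: want in actual,
}

# (role, [conditions]) in policy order; conditions in a rule are OR-ed (rule 2).
POLICY = [
    ("Profiled_Printer", [("Category", "EQUALS", "Printer")]),
    ("Printer_OUI", [("MAC Vendor", "EQUALS", "boca systems"),
                     ("MAC Vendor", "EQUALS", "HP Inc.")]),
    ("Profiled_Mobile_Device", [("Category", "EQUALS", "SmartDevice")]),
    ("Mobile_OUI", [("MAC Vendor", "CONTAINS", "Apple")]),
    ("Computer_OUI", [("MAC Vendor", "CONTAINS", "AzureWave")]),
    ("Profiled_Computer", [("Category", "EQUALS", "Computer")]),
]

def rule_matches(conditions, endpoint):
    """True if any condition of the rule holds for the endpoint attributes."""
    return any(OPS[op](endpoint.get(attr, ""), want)
               for attr, op, want in conditions)

def map_roles(endpoint, algorithm="first-match"):
    """Return the roles assigned under 'first-match' or 'all-matches'."""
    if algorithm not in ("first-match", "all-matches"):
        raise ValueError(f"unknown algorithm: {algorithm}")
    roles = []
    for role, conditions in POLICY:
        if rule_matches(conditions, endpoint):
            roles.append(role)
            if algorithm == "first-match":
                break  # evaluation stops at the first matching rule
    return roles

# Constructed endpoint records; attribute values are sample data.
IPAD = {"Category": "SmartDevice", "MAC Vendor": "Apple, Inc."}
IPAD_NO_CATEGORY = {"MAC Vendor": "Apple, Inc."}  # same vendor, Category empty
HP_PRINTER = {"Category": "Printer", "MAC Vendor": "HP Inc."}

if __name__ == "__main__":
    samples = [("iPad", IPAD), ("iPad, no Category", IPAD_NO_CATEGORY),
               ("HP printer", HP_PRINTER)]
    for name, endpoint in samples:
        for algorithm in ("first-match", "all-matches"):
            print(f"{name:18} {algorithm:12} -> {map_roles(endpoint, algorithm)}")
```

With all matches selected, the sample iPad and printer each carry two roles, so the order and conditions of the Enforcement policy decide which profile is applied.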



  • 3.  RE: ClearPass Role Mapping order

    Posted Aug 19, 2024 08:15 AM

    With ClearPass roles & policies, there are 2 places where you can set the priority of the ultimate enforcement. In my experience, setting "first applicable" on both role mapping & Enforcement Policy leads to confusion & chaos.

    What has worked best for us is to have role mapping set to "Select all matches" and have most of the Enforcement logic in the Enforcement Profile. This can lead to a very large role mapping policy, but you can use a trick to categorize your role mappings. Here is a brief example. You just define Roles for the headings. With this heading rule, they will never get applied.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 4.  RE: ClearPass Role Mapping order

    Posted Aug 19, 2024 09:09 AM

    Perfect, Thank you!