  • 1.  ClearPass TACACs Service match on Vendor name, type, and OS

    Posted Mar 22, 2022 08:24 PM
    Hi Airheads,

    I am doing a policy design for a customer and was thinking of adding a rule in the TACACS service that matches on Vendor, device type, and OS. Customer has literally thousands of devices that are different vendors, and not a 1:1 mapping of vendor:subnet. So I can't match on device groups - not without adding each individual device to a group anyway.

    Is there a known database somewhere that lists the vendors, device types, and OS that I can reference in my TACACS service? At least for the more common Vendors and device types (Cisco, Aruba, Nexus etc)?

    This way I could say: IF vendor x and os x THEN apply enforcement profile x in one service, then, IF vendor y and os y THEN apply enforcement profile y in another service

    I am in a situation where I need to at least make an attempt at the policy design before the kit devices arrive, so I can't test the devices to see what attributes are passed to ClearPass in the TACACS connection to write the policy.

    Or is there a better way of doing this?

    ------------------------------
    Regards,

    Brett V
    ------------------------------


  • 2.  RE: ClearPass TACACs Service match on Vendor name, type, and OS

    Posted Mar 23, 2022 11:44 AM
    Hi, I don't know about a list, but you could use the attributes of the Network Devices, like Vendor, when you're adding the device, or just edit it if it is already there. After that you can even use a single service and, using role mapping/enforcement policy, you will send the appropriate one to either vendor.

    Hope this helps

    ------------------------------
    Ulises Cazares
    ------------------------------
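
The single-service approach in the reply above can be dry-run against an inventory before any hardware arrives. This is an added example, not part of the original posts and not ClearPass code. The inventory rows, the attribute keys (`vendor`, `os`), the profile names, and the exact-match, first-applicable evaluation are all assumptions for illustration.

```python
import csv
import io

# Constructed inventory; "vendor" and "os" stand for the attributes set on each
# network device entry. All names and values are placeholders.
INVENTORY_CSV = """name,vendor,os
core-sw-01,Cisco,IOS
dc-nx-01,Cisco,NX-OS
acc-sw-07,Aruba,AOS-CX
fw-edge-01,Palo Alto,PAN-OS
old-sw-99,cisco,
"""

# Ordered rules: (required attribute values, hypothetical enforcement profile).
RULES = [
    ({"vendor": "Cisco", "os": "NX-OS"}, "TACACS-Cisco-NXOS-Admin"),
    ({"vendor": "Cisco"}, "TACACS-Cisco-IOS-Admin"),
    ({"vendor": "Aruba", "os": "AOS-CX"}, "TACACS-Aruba-CX-Admin"),
]
DEFAULT_PROFILE = "TACACS-Deny"  # fail closed when nothing matches

def load_inventory(text):
    return [{k: (v or "").strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]

def select_profile(device, rules=RULES, default=DEFAULT_PROFILE):
    """First-applicable evaluation with exact, case-sensitive matching (assumed)."""
    for conditions, profile in rules:
        if all(device.get(k) == v for k, v in conditions.items()):
            return profile
    return default

def dry_run(text, rules=RULES):
    return {d["name"]: select_profile(d, rules) for d in load_inventory(text)}

def unmatched(result, default=DEFAULT_PROFILE):
    """Devices that would only get the default profile: fix the data or add a rule."""
    return sorted(name for name, profile in result.items() if profile == default)

def shadowed_rules(rules=RULES):
    """Profiles that can never be selected because an earlier rule is broader."""
    return [profile for i, (cond, profile) in enumerate(rules)
            if any(all(cond.get(k) == v for k, v in earlier.items())
                   for earlier, _ in rules[:i])]

if __name__ == "__main__":
    result = dry_run(INVENTORY_CSV)
    for name, profile in result.items():
        print(f"{name:12} -> {profile}")
    print("falls to default:", unmatched(result))
    print("shadowed rules:", shadowed_rules())
```

Devices listed by `unmatched` have a missing or inconsistently spelled attribute, or no rule at all, and would be denied under the fail-closed default.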



  • 3.  RE: ClearPass TACACs Service match on Vendor name, type, and OS

    Posted Mar 25, 2022 07:15 PM
    This is where you do it from



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 4.  RE: ClearPass TACACs Service match on Vendor name, type, and OS

    Posted Mar 31, 2022 09:44 AM
    Yes, but it is strange: you can already set the vendor (and it is mandatory) and you need to add an attribute too.

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCL: Powershell Module to use Aruba Central

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------