Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM: Drop specific wired ports in a different service
  • 1.  CPPM: Drop specific wired ports in a different service

    Posted Jun 16, 2022 08:44 AM
    Hi All,

    I am wondering if it is possible to drop endpoints connecting to a specific set of network ports into a different service in ClearPass. Does anyone know if this is possible? I was thinking about some sort of static list with switch port numbers defined, but I can't seem to make such a list in ClearPass.

    ------------------------------
    Lex
    ------------------------------


  • 2.  RE: CPPM: Drop specific wired ports in a different service

    EMPLOYEE
    Posted Jun 16, 2022 09:59 PM
    You would need to look at how the incoming RADIUS attributes are different for those ports and use the attributes to tag a role in CPPM and write an enforcement policy keying on that role. Or just write an enforcement policy looking for those RADIUS attributes.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: CPPM: Drop specific wired ports in a different service

    Posted Jun 17, 2022 03:04 AM
    I was thinking about the same using role-mapping and will try something like:

    (Connection:NAD-IP-Address EQUALS <IP of switch>) AND (Radius:IETF:NAS-Port-Id EQUALS <ID of port>) >> Role X

    Then in enforcement: If Role X > Enforcement Y

    Thanks for your reply, I will test this. However, there is no way I can define a list of ports? Using this, I have to create a separate role mapping condition for every port I want to include :/

    ------------------------------
    Lex
    ------------------------------
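The logic sketched in replies 2 and 3 (tag a role from the RADIUS request attributes, then key enforcement on that role) is easy to reason about if written out as code. The following is an added illustration, not ClearPass code and not anything the posters configured: it models one role-mapping rule of the form `(Connection:NAD-IP-Address EQUALS <switch>) AND (Radius:IETF:NAS-Port-Id EQUALS <port>) >> Role X`, but generalised to a configured set of (switch, port) pairs so that a handful of exception ports do not each need their own rule. The switch IPs, NAS-Port-Id strings, role and profile names other than "Role X" / "Enforcement Y", and the "first match wins" evaluation order are all assumptions of this example.

```python
# Added example (not ClearPass's own code): a minimal model of
# "role mapping on NAD IP + NAS-Port-Id, then enforcement keyed on the role".
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

# Constructed exception list: (switch management IP, NAS-Port-Id as the switch reports it).
# NAS-Port-Id is a free-form string whose format is vendor specific; these values are placeholders.
EXCEPTION_PORTS: Set[Tuple[str, str]] = {
    ("10.0.0.1", "1/1/3"),
    ("10.0.0.1", "1/1/4"),
    ("10.0.0.2", "1/1/10"),
    ("10.0.0.2", "1/1/11"),
}

EXCEPTION_ROLE = "Role-X"            # the role from the thread
DEFAULT_ROLE = "Standard-Access"     # assumed name for "everything else"

# Enforcement policy: role -> enforcement profile (names assumed except "Enforcement-Y").
ENFORCEMENT: Dict[str, str] = {
    EXCEPTION_ROLE: "Enforcement-Y",
    DEFAULT_ROLE: "Enforcement-Default",
}


def _normalise_ip(value: str) -> str:
    """Canonicalise the NAD address so '10.0.0.1' and ' 10.0.0.1 ' compare equal.
    Raises ValueError for anything that is not an IP address."""
    return str(ip_address(value.strip()))


def map_role(attrs: Dict[str, str]) -> str:
    """Role-mapping step: the exception rule fires only when BOTH attributes are present
    and the (switch, port) pair is on the list; anything else falls to the default role."""
    nad_ip = attrs.get("Connection:NAD-IP-Address")
    port_id = attrs.get("Radius:IETF:NAS-Port-Id")
    if nad_ip is None or port_id is None:
        return DEFAULT_ROLE
    try:
        key = (_normalise_ip(nad_ip), port_id.strip())
    except ValueError:
        # Malformed NAD address: never grant the exception on bad input.
        return DEFAULT_ROLE
    return EXCEPTION_ROLE if key in EXCEPTION_PORTS else DEFAULT_ROLE


def enforce(attrs: Dict[str, str]) -> Tuple[str, str]:
    """Enforcement step: look up the profile for the mapped role."""
    role = map_role(attrs)
    return role, ENFORCEMENT[role]


# Constructed sample requests, as the attribute view of a RADIUS Access-Request.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"user": "printer-01", "Connection:NAD-IP-Address": "10.0.0.1", "Radius:IETF:NAS-Port-Id": "1/1/3"},
    {"user": "laptop-42", "Connection:NAD-IP-Address": "10.0.0.1", "Radius:IETF:NAS-Port-Id": "1/1/5"},
    {"user": "laptop-07", "Connection:NAD-IP-Address": "10.0.0.2", "Radius:IETF:NAS-Port-Id": "1/1/10"},
    # Same port string as printer-01 but on a switch that is not on the list: no exception.
    {"user": "ap-03", "Connection:NAD-IP-Address": "10.0.0.3", "Radius:IETF:NAS-Port-Id": "1/1/3"},
    # Request without a NAS-Port-Id at all: falls through to the default role.
    {"user": "unknown", "Connection:NAD-IP-Address": "10.0.0.1"},
]


def evaluate_requests(requests: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (user, role, enforcement profile) for each request."""
    return [(req["user"], *enforce(req)) for req in requests]


if __name__ == "__main__":
    for user, role, profile in evaluate_requests(SAMPLE_REQUESTS):
        print(f"{user:<12} role={role:<16} enforcement={profile}")
```

Two points worth keeping in mind when translating this back to the ClearPass rule editor. The (switch, port) pair is the key, not the port string alone, because the same NAS-Port-Id value exists on every switch. And both attributes are supplied by the network device itself in the Access-Request, so a port-based exception is only as trustworthy as the switch sending it; this is part of why reply 5 suggests deciding on what is known about the device rather than on the port.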



  • 4.  RE: CPPM: Drop specific wired ports in a different service

    EMPLOYEE
    Posted Jun 17, 2022 06:04 AM
    Can you describe what you are trying to do so that the community can come up with a suggestion? You mentioned an exception for 4 ports, and what I proposed does not scale for a large number of exceptions.

    ------------------------------



  • 5.  RE: CPPM: Drop specific wired ports in a different service

    EMPLOYEE
    Posted Jun 17, 2022 08:26 AM
    Specifically, the method I described works if you need to treat a couple of ports differently, but it will not work large-scale. An alternative is to try a "colorless" ports approach, where the posture of a device is treated differently based on what you know about that device and how it authenticates, rather than securing individual ports differently.

    ------------------------------