  • 1.  CPPM Role-Mapping Conditions usage

    Posted Feb 27, 2023 08:32 AM

    Hi all,

    I'm using a WLAN-SSID (w/ PSK) configured on APs in different AP-Groups!
    Now I want to implement a bandwidth policy executed with roles on the Mobility Controller and differentiate on the basis of the AP-Groups in a CPPM policy, e.g. both of the following should get 2000Kbit in up- and download:
    AP-Group = X
    AP-Group = Y

    and AP-Group = Z should use 4000Kbit/4000Kbit

    I've got it working with a MAC-Authentication service on CPPM, but when building the role mappings I'm lost when I try to use multiple AP-Groups in one policy...

    Maybe somebody can have a look and point me in a working direction?



  • 2.  RE: CPPM Role-Mapping Conditions usage

    Posted Feb 27, 2023 09:43 AM

    Can you try BELONGS TO AP-GRP_X,AP-GRP-Y ?

    If you just have X, Y, Z, you could also first match Z, then Aruba-AP-Group CONTAINS AP-GRP to match the remaining ones; or leave the Aruba-AP-Group match out to have a default policy that also applies to X and Y.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: CPPM Role-Mapping Conditions usage

    Posted Feb 28, 2023 06:12 AM

    As Herman wrote, you have to replace equal with belongs_to in the condition. Currently you check if the AP group is called "AP-GRP_X,AP_GRP_Y".

    You have to be careful which Rules Evaluation Algorithm you activate, "Select first match" or "Select all matches". You could use "Select all matches" and just write several conditions under each other. It just has to match the rest of the logic of your mapping policy.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 4.  RE: CPPM Role-Mapping Conditions usage

    Posted Mar 04, 2023 05:18 AM

    Thank you @Herman Robers and @Waldemar!

    After changing to "BELONGS TO" it looks good now :)

    @Herman Robers I have some more AP-Groups with different values at the end, otherwise I'd have used your advice here too!

    @lord/Waldemar: unfortunately I think I don't understand what you mean exactly with "...you could use "Select all matches" and just write several conditions under each other. It just has to match the rest of the logic of your mapping policy." :(




  • 5.  RE: CPPM Role-Mapping Conditions usage

    Posted Mar 04, 2023 06:44 AM
    Edited by Greg_W Mar 23, 2023 12:33 PM

    Hi danW,
    The biggest weakness of ClearPass is its flexibility. Most customers and colleagues who are just taking their first steps with ClearPass stumble over the fact that the same thing can be configured in multiple ways.

    When you initially set up ClearPass, you consider what use cases you have; the number of services depends on that, e.g. one service for wired dot1x, one for wired mac-auth, one for wireless corp dot1x and so on. Then you consider if you can or want to use dedicated role-mapping and enforcement policies per service, so one role-mapping policy for the wired dot1x service, another for wired mac-auth and so on. The same is true for enforcement policies. If the policies have a lot in common, then you should use one policy for multiple services, so you have less effort configuring them. Depending on your approach and the use case, one TIPS role may be sufficient for enforcement, but you may need multiple TIPS roles because you need to check multiple properties for enforcement.

    So in the role-mapping policy you can say "Select first match" or "Select all matches". With "Select first match" the role-mapping stops after the first match, no further roles are mapped. With "Select all matches" all conditions are checked. For all conditions, which are in the policy one below the other, logical OR is used. Semantically it corresponds to the if...elseif...elseif...else...endif construct. For each match a role is set.

    So depending on the evaluation algorithm you have only one TIPS role assigned or several.

    And this must fit to your enforcement policy.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
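    The two points made in replies 2, 3 and 5 (EQUALS against a comma-separated string never matches, while BELONGS_TO does; and "Select first match" versus "Select all matches" produce different sets of TIPS roles) can be seen side by side in a small model of the rule evaluation. The script below is an added example and is not part of this thread, nor Aruba or HPE code; it only mimics the behaviour the replies describe. The attribute name `Radius:Aruba:Aruba-AP-Group`, the AP-group names `AP-GRP-X`/`AP-GRP-Y`/`AP-GRP-Z`, the role names `BW-2000`/`BW-4000` and the `Default-Role` fallback are all constructed for the example, and the operator semantics are assumptions modelled on what the thread says rather than taken from ClearPass documentation.

```python
# Added example (not from the thread or from Aruba/HPE): a minimal model of how a
# ClearPass role-mapping policy walks its rules, used to show why
# EQUALS "X,Y" never matches while BELONGS_TO "X,Y" does, and how
# "Select first match" and "Select all matches" yield different role sets.
# Attribute name, AP-group names, role names and default role are all constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed CPPM-style attribute name for the Aruba-AP-Group RADIUS VSA.
AP_GROUP_ATTR = "Radius:Aruba:Aruba-AP-Group"

# Operators as the thread describes them: BELONGS_TO takes a comma-separated
# list of values, EQUALS compares the whole string, CONTAINS is a substring test.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "EQUALS": lambda actual, value: actual == value,
    "BELONGS_TO": lambda actual, value: actual in [v.strip() for v in value.split(",")],
    "CONTAINS": lambda actual, value: value in actual,
}


@dataclass(frozen=True)
class Rule:
    attribute: str
    operator: str
    value: str
    role: str

    def matches(self, request: Dict[str, str]) -> bool:
        actual = request.get(self.attribute)
        if actual is None:  # attribute absent from the request: rule cannot match
            return False
        return OPERATORS[self.operator](actual, self.value)


def map_roles(rules: List[Rule], request: Dict[str, str],
              algorithm: str = "first", default_role: str = "Default-Role") -> List[str]:
    """Evaluate rules top to bottom. 'first' stops at the first hit (like
    "Select first match"); 'all' keeps going and collects every hit (like
    "Select all matches"). With no hit at all, the policy's default role applies."""
    if algorithm not in ("first", "all"):
        raise ValueError(f"unknown evaluation algorithm: {algorithm}")
    roles: List[str] = []
    for rule in rules:
        if rule.matches(request):
            roles.append(rule.role)
            if algorithm == "first":
                break
    return roles or [default_role]


def request_from_ap_group(ap_group: str) -> Dict[str, str]:
    """Constructed request carrying only the attribute this example cares about."""
    return {AP_GROUP_ATTR: ap_group}


# The original (non-working) policy: EQUALS against a comma-separated string,
# which only matches an AP group literally named "AP-GRP-X,AP-GRP-Y".
MISCONFIGURED_POLICY = [
    Rule(AP_GROUP_ATTR, "EQUALS", "AP-GRP-X,AP-GRP-Y", "BW-2000"),
    Rule(AP_GROUP_ATTR, "EQUALS", "AP-GRP-Z", "BW-4000"),
]

# The fix from replies 2 and 3: BELONGS_TO for the list of groups.
CORRECTED_POLICY = [
    Rule(AP_GROUP_ATTR, "BELONGS_TO", "AP-GRP-X,AP-GRP-Y", "BW-2000"),
    Rule(AP_GROUP_ATTR, "EQUALS", "AP-GRP-Z", "BW-4000"),
]

# The alternative from reply 2: match Z first, then a broad CONTAINS rule for
# the rest. Rule order matters here, and so does the evaluation algorithm.
ORDERED_POLICY = [
    Rule(AP_GROUP_ATTR, "EQUALS", "AP-GRP-Z", "BW-4000"),
    Rule(AP_GROUP_ATTR, "CONTAINS", "AP-GRP", "BW-2000"),
]


if __name__ == "__main__":
    for name, policy in [("misconfigured", MISCONFIGURED_POLICY),
                         ("corrected", CORRECTED_POLICY),
                         ("ordered", ORDERED_POLICY)]:
        for group in ("AP-GRP-X", "AP-GRP-Y", "AP-GRP-Z"):
            req = request_from_ap_group(group)
            print(f"{name:13s} {group}: first={map_roles(policy, req, 'first')}"
                  f" all={map_roles(policy, req, 'all')}")
```

    Running it shows the misconfigured policy falling through to the default role for X and Y, the corrected policy mapping X and Y to BW-2000 and Z to BW-4000 under either algorithm, and the ordered policy giving a Z client both BW-4000 and BW-2000 under "all", which is exactly the case where the enforcement policy has to be written to cope with more than one TIPS role, as reply 5 points out.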



  • 6.  RE: CPPM Role-Mapping Conditions usage

    Posted Mar 06, 2023 07:29 AM
    Edited by Greg_W Mar 23, 2023 12:33 PM

    "the biggest weakness of ClearPass is its flexibility. Most customers and colleagues stumble over the fact that the same thing can be configured in multiple ways."

    As a lowly ACCP customer who has used ClearPass since 5.0, I totally disagree. As a provider trying to provide a supported solution to a customer, the flexibility may be confusing to the novice customer. Being able to customize & adapt is one of its strengths.

    I would suggest that the (lack of) quality of CPPM documentation is a large issue. For instance, one of the new features touted in 6.1 is the Azure authorization source but there appears to be no documentation on how to properly set up the Azure Application required for interfacing. There is also no integration example.

    Currently we use role mapping as "Select all" and primarily use the Enforcement Policy as "select first" to set enforcement profiles.

    That is just my personal viewpoint as an advanced who has adapted our ClearPass configuration over the years and makes use of the REST API.

    I just thought I would posit an alternate viewpoint.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------