Thanks for your reply,
In this scenario the customer has different locations. Some VLANs are present at all locations (e.g. 2, 3, 4, 5) and some VLANs exist only at specific locations (e.g. 11, 12). What I wanted to do was to create a profile that applies to all switches in general, and then one profile per location, which is attached accordingly, depending on where the request comes from. For example, the general profile would contain VLANs 2, 3, 4 and 5, which are present everywhere. In two separate profiles there would then be VLAN 10 in one profile and VLAN 11 in another.
If the request comes from location A, then Clearpass should send VLAN 2,3,4,5 and 10 and if the request comes from location B, then send VLAN 2,3,4,5 and 11.
In this way, I could have extended the general profile whenever a global VLAN was added or removed, for example.
I currently have all VLANs in the profile for each location. If a global VLAN is added, all profiles have to be adjusted.
Hence the question of whether the addition of enforcement profiles is possible :-)
------------------------------
Steffen
------------------------------
Original Message:
Sent: Sep 16, 2024 03:24 AM
From: Herman Robers
Subject: Multiple clearpass enforcement profiles
As far as I know, you can only 'accumulate' different attributes from separate enforcement profiles. What you attempt to do here is add multiple Egress-VLANID attributes, for which I can imagine that it doesn't work, and it might either ignore (conflict) or override the attributes of a certain type. Try to avoid returning the same attributes in multiple enforcement profiles.
Unsure what you're trying to achieve here, so it's hard to point to a solution.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Sep 05, 2024 06:08 AM
From: steffen_i
Subject: Multiple clearpass enforcement profiles
Hi Community,
I have a similar problem. I want to send 2 RADIUS Enforcement Profiles back to a switch. In Access Tracker I can see that the 2 Enforcement Profiles are applied. And also in the Output page of the Request Details I can see that there are these 2 Enforcement Profiles. But in the RADIUS Response I see only the values from the first Enforcement Profile "zi-sw-allg". The second Enforcement Profile is not being sent to the switch. When I change the sequence so that the profile "zi-sw-kl4" is on top, then only the values of this profile are sent to the switch.
Any ideas?
------------------------------
Steffen
Original Message:
Sent: Apr 13, 2016 09:58 AM
From: OldGreg
Subject: Multiple clearpass enforcement profiles
I am attempting to integrate my F5 SSLVPN policy with a clearpass service to apply ACLs. I'm in the early stages, so right now I am just authenticating a user in the local DB of CPPM, and using RADIUS enforcement profiles to return Cisco AV-Pair attributes that include the syntax for each ACL. F5 APM understands how to parse Cisco AV-Pair and dynamically creates the ACL based on the RADIUS response.
Here is my issue: I am able to get it to work with all of the Cisco AV-Pairs in one enforcement profile. I am trying to split the ACLs into different enforcement profiles so I can re-use them for other Policies/Services/etc. The minute I try to use multiple enforcement profiles in one policy, I can see the RADIUS response sent from the first enforcement profile, but not the second, even though both enforcement profiles appear in the monitoring output log.
This example works: access is allowed to the first IP and all other access is denied. The RADIUS response shows both ACLs returned.
enf_prof_1 with attributes as follows:
RADIUS:Cisco:Cisco AV-Pair=ip:inacl#10=permit ip any host 192.168.10.183 log
RADIUS:Cisco:Cisco AV-Pair=ip:inacl#15=deny ip any any log
This example does not work: access is allowed to .183 as well as everything else. The RADIUS response shows only one ACL returned.
enf_prof_1 with attributes as follows:
RADIUS:Cisco:Cisco AV-Pair=ip:inacl#10=permit ip any host 192.168.10.183 log
enf_prof_2 with attributes as follows:
RADIUS:Cisco:Cisco AV-Pair=ip:inacl#15=deny ip any any log
Is there something I need to do in CPPM so multiple responses are sent using multiple enforcement profiles within one policy? Unsure whether I should start with troubleshooting CPPM or F5 (I would think CPPM since I am not seeing the RADIUS response contain everything from my enforcement profiles).
Any help very much appreciated!
-Greg
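The following is an added example, not code from ClearPass or from anyone in this thread. It models the behaviour Herman describes (attributes of different types accumulate across enforcement profiles, while a later profile's attribute of a type an earlier profile already returned is dropped) on Greg's two ACL layouts, and adds two checks a practitioner would run against the RADIUS Response shown in Access Tracker: which configured attributes never reached the response, and whether the resulting inacl set still ends in an explicit deny. The merge semantics, attribute names and the "first profile wins" rule are assumptions constructed to reproduce what the posters observed, not a documented ClearPass algorithm.

```python
import re

# Constructed attribute lists reproducing the two layouts in Greg's post (not ClearPass output).
ACL_PERMIT = ("Cisco-AV-Pair", "ip:inacl#10=permit ip any host 192.168.10.183 log")
ACL_DENY = ("Cisco-AV-Pair", "ip:inacl#15=deny ip any any log")
ENF_PROF_COMBINED = [ACL_PERMIT, ACL_DENY]   # both lines in one profile (worked)
ENF_PROF_1 = [ACL_PERMIT]                    # split across two profiles (failed)
ENF_PROF_2 = [ACL_DENY]

INACL_RE = re.compile(r"^ip:inacl#(\d+)=(permit|deny)\b")


def merge_profiles(profiles, accumulate_same_type=False):
    """Assumed model of how several enforcement profiles become one RADIUS response.

    Distinct attribute types always accumulate. For a type that an earlier
    profile already returned, the default drops the later profile's values
    (the first-profile-wins behaviour seen in the thread);
    accumulate_same_type=True models the concatenation the posters expected.
    """
    merged, types_from_earlier = [], set()
    for profile in profiles:
        types_here = set()
        for attr_type, value in profile:
            if not accumulate_same_type and attr_type in types_from_earlier:
                continue  # same type already returned by an earlier profile: dropped
            merged.append((attr_type, value))
            types_here.add(attr_type)
        types_from_earlier |= types_here
    return merged


def dropped_attributes(profiles, response):
    """Attributes present in the applied profiles but missing from the RADIUS response."""
    return [attr for profile in profiles for attr in profile if attr not in response]


def acl_fail_closed(response):
    """True if the inacl entries in a response, ordered by sequence number, end in a deny."""
    entries = []
    for attr_type, value in response:
        match = INACL_RE.match(value)
        if attr_type == "Cisco-AV-Pair" and match:
            entries.append((int(match.group(1)), match.group(2)))
    entries.sort()
    return bool(entries) and entries[-1][1] == "deny"


if __name__ == "__main__":
    split = merge_profiles([ENF_PROF_1, ENF_PROF_2])
    print("dropped:", dropped_attributes([ENF_PROF_1, ENF_PROF_2], split))
    print("fail-closed:", acl_fail_closed(split))
```

The same model explains Steffen's Egress-VLANID case: a second profile carrying only that attribute type contributes nothing, so comparing the Output page against the RADIUS Response (as dropped_attributes does) is the quickest way to spot a silently lost deny line or VLAN.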