Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Trigger Enforcement after adding/editing Endpoint attribute

  • 1.  Trigger Enforcement after adding/editing Endpoint attribute

    Posted 9 days ago
    Hello Everyone,

    We need to trigger enforcements after adding/editing the Endpoint attributes.

    Is there an easy way, or do we need to edit the whole process to profile our endpoints manually?

    Currently ClearPass is configured as follows:

    Switch Aruba 6100 - MAC Auth

    Service:

    Role Mapping:

    Enforcement:

    Thanks


  • 2.  RE: Trigger Enforcement after adding/editing Endpoint attribute

    EMPLOYEE
    Posted 9 days ago
    To be able to trigger an enforcement profile after you have updated an attribute in the Endpoint DB, you need to generate a new auth request.
    You can do that by having a switch-port bounce in either the enforcement policy, or by using Profiler and triggering a specific classification with a port bounce.
    Generally a port bounce will cause the device to reconnect, resulting in a new auth request.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Trigger Enforcement after adding/editing Endpoint attribute

    Posted 6 days ago
    Hi ariyap,

    I've tried the enforcement profile with setting the device to Known in the Endpoint DB.

    After editing the attribute nothing happens.

    Am I missing something?


  • 4.  RE: Trigger Enforcement after adding/editing Endpoint attribute

    EMPLOYEE
    Posted 6 days ago
    As I said earlier, the enforcement policy that runs the post-auth update of the endpoint attribute to Known should be configured to run a switch port bounce enforcement profile.
    The switch port bounce will force the client to re-authenticate, which generates a new auth session that should then match your condition for endpoint status = Known.





  • 5.  RE: Trigger Enforcement after adding/editing Endpoint attribute

    Posted 6 days ago
    Right.

    I've configured it as you described above.

    I think the problem is that the port bounce does not happen.
    I cannot see any bounce.



  • 6.  RE: Trigger Enforcement after adding/editing Endpoint attribute

    EMPLOYEE
    Posted 5 days ago
    Can you see the 'RADIUS Dynamic Authorization' tab in Access Tracker for these clients?
    Can you successfully do a (manual) 'Change Status' from Access Tracker and do the AOS-CX Bounce Switch port successfully?
    Can you double-check that the Network Device (NAD) in ClearPass is set to vendor Aruba? If it is not, the AOS-CX - Bounce Switch Port will be ignored.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: Trigger Enforcement after adding/editing Endpoint attribute

    Posted 5 days ago
    Hi Herman!

    Can you see the 'RADIUS Dynamic Authorization' tab in Access Tracker for these clients?

    No, it's missing:

    Can you successfully do a (manual) 'Change Status' from Access Tracker and do the AOS-CX Bounce Switch port successfully?

    Yes, this is working fine


    Device on Port 1/1/3

    ...

    Can you double-check that the Network Device (NAD) in ClearPass is set to vendor Aruba? If it is not, the AOS-CX - Bounce Switch Port will be ignored.




  • 8.  RE: Trigger Enforcement after adding/editing Endpoint attribute

    EMPLOYEE
    Posted 5 days ago
    In the first screenshot, Access Tracker, I don't see in Enforcement the [AOS-CX Bounce Switch Port] in the list, but it could be that it is just scrolled out of the window. Is it there?

    BTW, regardless of whether it is there or not, it may be best to open a case with support to run an interactive view through your policy/configuration to see what is wrong. Manual CoA works, so there is no good reason why an automatic CoA through the policy wouldn't work (provided the policy is triggered and you didn't by accident select a different enforcement policy that doesn't include the CoA).

    ------------------------------
    Herman Robers
    ------------------------------