Security

 View Only
last person joined: 21 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Trigger Enforcement after adding/editing Endpoint attribute

This thread has been viewed 41 times
  • 1.  Trigger Enforcement after adding/editing Endpoint attribute

    Posted Aug 05, 2022 04:42 AM
    Hello Everyone,

    We need to trigger enforcements after adding/editing the Endpoint attributes.

    Is there an easy way or do we need to edit the whole process to profile our endpoints manualy ?

    Currently clearpass is configured as following:

    Switch Aruba 6100 - MAC Auth

    Service:

    Role Mapping:

    Enforcement:

    Thanks


  • 2.  RE: Trigger Enforcement after adding/editing Endpoint attribute

    EMPLOYEE
    Posted Aug 05, 2022 07:08 AM
    To be able to trigger an enforcement profile after you have updated an attribute in Endpoint db, you need to generate a new auth request.
    You can do that by have a switch-port bounce in either enforcement policy or use profiler and trigger a specific classification with a port bounce.
    Generally port bounce will cause the device to reconnect resulting in a new auth request.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Trigger Enforcement after adding/editing Endpoint attribute

    Posted Aug 08, 2022 03:42 AM
    Hi ariyap,

    ive tried the enforcement profile with setting the device to known in the endpoint db.

    After editing the attribute nothing happens.

    Do i miss something ?


  • 4.  RE: Trigger Enforcement after adding/editing Endpoint attribute

    EMPLOYEE
    Posted Aug 08, 2022 05:50 AM
    as i said earlier, the enforcement policy that runs the post auth update endpoint attribute to known, should be configured to run a switch port bounce enforcement profile.
    The switch port bounce will force the client to reauth that generates a new auth session which should then match your condition for endpoint status = known.


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 5.  RE: Trigger Enforcement after adding/editing Endpoint attribute

    Posted Aug 08, 2022 05:56 AM
    Right.

    Ive configured as you told above.

    I think the problem is that the port bounce not happens.
    I can not see any bounce



  • 6.  RE: Trigger Enforcement after adding/editing Endpoint attribute

    EMPLOYEE
    Posted Aug 08, 2022 09:07 AM
    Can you see the 'RADIUS Dynamic Authorization' tab in Access Tracker for these clients?
    Can you successfully do a (manual) 'Change Status' from Access Tracker and do the AOS-CX Bounce Switch port successfully?
    Can you double-check that the Network Device (NAD) in ClearPass is set to vendor Aruba? If it is not, the AOS-CX - Bounce Switch Port will be ignored.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: Trigger Enforcement after adding/editing Endpoint attribute

    Posted Aug 08, 2022 09:45 AM
    Hi Herman !

    Can you see the 'RADIUS Dynamic Authorization' tab in Access Tracker for these clients?

    No, its missing:

    Can you successfully do a (manual) 'Change Status' from Access Tracker and do the AOS-CX Bounce Switch port successfully?

    Yes, this is working fine


    Device on Port 1/1/3

    ...

    Can you double-check that the Network Device (NAD) in ClearPass is set to vendor Aruba? If it is not, the AOS-CX - Bounce Switch Port will be ignored.




  • 8.  RE: Trigger Enforcement after adding/editing Endpoint attribute

    EMPLOYEE
    Posted Aug 09, 2022 05:12 AM
    In the first screenshot, Access Tracker, I don't see in Enforcement the [AOS-CX Bounce Switch Port] in the list, but it could be that it is just scrolled out of the window. Is it there?

    BTW, regardless if it is there, or not, it may be best to open a case with support to run some interactive view through your policy/configuration to see what is wrong. Manual CoA works, so there is no good reason why an automatic CoA through the policy wouldn't work (provided the policy is triggered and you didn't by accident select a different enforcement policy that doesn't include the CoA).

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------