Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Update Endpoint with Radius Response information

  • 1.  Update Endpoint with Radius Response information

    Posted Sep 30, 2019 06:24 AM

    Is it possible to update (an Attribute in) the Endpoint with information from the Radius Response (Output tab in the access tracker)?

     

    I would like to update an Endpoint with the vlan ID in an attribute.

     

    I created an extra Attribute (string) for the Endpoint, called VLAN.

    Then I made an Enforcement profile, to update this attribute (Post_Authentication), to set %{Radius:IETF:Tunnel-Private-Group-Id} as the value of this attribute.

     

    The result is that %{Radius:IETF:Tunnel-Private-Group-Id} is set as a string to be the value of this attribute instead of the vlan ID I would like to see.

     

    Best regards,

    Rob Hassing



  • 2.  RE: Update Endpoint with Radius Response information

    EMPLOYEE
    Posted Oct 01, 2019 05:02 AM

    You can only set values from the input tab of Access Tracker in this way. The VLAN is part of the access decision and under the output tab.

     

    If you want output values, like the assigned VLAN or role to be added to the Endpoint Database you can do that with a ClearPass Entity Update Enforcement, there just replicate what you send back as Tunnel-Private-Group-Id and update the same in your endpoint.  So both do the VLAN enforcement and the corresponding ClearPass Entity Update enforcement.



  • 3.  RE: Update Endpoint with Radius Response information

    Posted Oct 01, 2019 06:26 AM

    Is there no way to use the variable?

    Do I have to make an Enforcement Profile for each vlan?



  • 4.  RE: Update Endpoint with Radius Response information

    EMPLOYEE
    Posted Oct 01, 2019 09:02 AM

    Please describe your exact workflow specifically and what you want to do.  You mention updating the VLAN in the endpoints database, but you also describe setting a VLAN for devices when they connect.  Exactly how do you want this to work specifically?

     

    EDIT:  Please see if the thread here gives you an idea:  https://community.arubanetworks.com/t5/Security/ClearPass-best-practice-assigning-VLANs-with-multiple-sites/td-p/227426



  • 5.  RE: Update Endpoint with Radius Response information

    Posted Oct 01, 2019 09:15 AM

    When a device connects to the network using EAP-TLS 802.1X authentication, it should be placed in a certain vlan. This part is no problem of course.

    But then I would like to set the vlan id, the device is placed in, to be set as an attribute in the Endpoint Database.



  • 6.  RE: Update Endpoint with Radius Response information

    EMPLOYEE
    Posted Oct 01, 2019 09:33 AM

    The question is, is the VLAN determined by the NAD (switch or wireless controller it is connected to) or the type of device it is?  If it is based on the switch you are connected to, you can set a variable in the switch's entry to determine that.  If it is based on the specific device, you would then have to maintain a large database of device to VLAN mappings in ClearPass that will not necessarily scale.



  • 7.  RE: Update Endpoint with Radius Response information

    Posted Oct 01, 2019 10:13 AM

    The vlan is based on the type of device, so the only way to do this is probably to have a ClearPass Entity Update Enforcement per vlan that can be set.



  • 8.  RE: Update Endpoint with Radius Response information

    EMPLOYEE
    Posted Oct 01, 2019 10:26 AM

    So, the first time a device connects, you don't know what type of device it is.  What mechanism do you plan to use to identify it?  The device would have to be disconnected and then you would have to have it authenticate again, assuming you have identified it, and then you would derive the vlan based on that?

     



  • 9.  RE: Update Endpoint with Radius Response information

    Posted Oct 01, 2019 11:43 AM

    I don't see how this information is relevant? The configuration is already in place and working as expected. So we don't need to change anything on that.

     

    My only question is:

    Once a device authenticates and is profiled into a vlan, how can I update the Endpoint in the Endpoint database and set an attribute with the vlan it is connected to?



  • 10.  RE: Update Endpoint with Radius Response information

    EMPLOYEE
    Posted Oct 01, 2019 12:12 PM

    It is relevant, because I'm trying to find a way to get information that is derived from role or enforcement policy logic back into an endpoint, and I'm not sure there is a way based on your description, unless I am misinformed.

     

    Asking you how you are doing things is me trying to find a way.

     

    If you laid out a process that you are following, we might be able to find a way to update the endpoint through that process.



  • 11.  RE: Update Endpoint with Radius Response information

    Posted Oct 01, 2019 02:16 PM

    Ok, sounds fair :-)

     

    A newly installed PC is connected to the network and is placed in a provisioning/staging vlan. It will then receive a certificate, will join the domain and will receive all necessary profiles.

    After a reboot it will do 802.1x authentication and, based on the membership of a domain group, it will be placed in a vlan.

     

    This vlan it will be placed in should be added as an attribute to the Endpoint.