
ClearPass enforcement Profile

  • 1.  ClearPass enforcement Profile

    Posted Aug 20, 2015 02:23 PM

    Probably this question has been addressed previously.

    I would like to provide a different role and VLAN to students based on AP-Group on the same SSID.

    Basically if the student is in the classroom = Student Role

    Student is now at the dorms = Studentdorm Role

    This way I can provide different VLAN addressing and firewall policies to students on campus.

    On ClearPass the long way to do this is to create a separate service and then match the incoming request on ap-group, but then you have to create a new enforcement profile and push the roles. (Duplicate work)

    Can I do this within one ClearPass service configuration and do the classification in the enforcement profile? If so, how?

    Currently I have a ClearPass 802.1x service configured matching the SSID, then the enforcement profile based on AD membership groups. The problem is that in AD all campus students fall within the same group. So I need to find another way to differentiate a student in the classroom vs a student in the dorms.

    Thank you

    Nils.



  • 2.  RE: ClearPass enforcement Profile

    EMPLOYEE
    Posted Aug 20, 2015 02:24 PM
    Are the two different groups of APs on different controllers?


  • 3.  RE: ClearPass enforcement Profile

    Posted Aug 20, 2015 02:34 PM

    Cappalli

     

     



  • 4.  RE: ClearPass enforcement Profile

    EMPLOYEE
    Posted Aug 20, 2015 02:38 PM

    I wouldn't move your APs around just for this without looking at the overall topology.

     

    Like Bruce said, you can just use the ap-group VSA in your role mapping to give the device a TIPS role like LOCATION_DORM and reference that TIPS role in your enforcement policy.



  • 5.  RE: ClearPass enforcement Profile

    Posted Aug 20, 2015 02:55 PM

    I agree about the ap-group moving fact because I originally grouped all physically close buildings to the controller. That would mean nearby bldgs would end up terminating on a different controller with a diff L3 add schema.

    From the messages it seems the role mapping would be the best strategy. I will test this out.



  • 6.  RE: ClearPass enforcement Profile

    MVP
    Posted Aug 20, 2015 02:27 PM

    Can't you just reference the AP Group in the role mapping rule?

    Either that or have your Enforcement Policy rule look for the Student role AND the AP Group to point at the proper policy.



  • 7.  RE: ClearPass enforcement Profile

    Posted Aug 20, 2015 02:52 PM

    So,

    I can create a Role Mapping to push the roles based on AP-Group. Then in the enforcement profile I use the role mapping to push the roles to the controller. Can the enforcement profile coexist with the AD-membership groups?

    Ideally if you can do something like:

    Enforcement profile

    Authorization: AP-Group or based on the controller ip                = Studentsdorms.

    Authorization: ClearPass to AD  member of contains  AllStudents  = Students

    The students when in classroom connect to a different ap-group, diff controller; then when they go to the dorm, a different ap-group, diff controller.



  • 8.  RE: ClearPass enforcement Profile

    EMPLOYEE
    Posted Aug 20, 2015 03:29 PM
    Yes, you can combine as many TIPS roles as you want in an enforcement rule.
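
The approach the replies settle on, as an added example that is not part of the original thread and is not ClearPass code: a simplified Python model of a role mapping that assigns TIPS roles from AD membership and the AP-group VSA, followed by a first-match enforcement policy that combines them. The AP-group names, the `STUDENT` TIPS role name, the `deny` default and the rule-evaluation modes are assumptions for illustration; `shadowed_rules` flags the ordering mistake where the generic student rule sits above the dorm rule.

```python
# Simplified model of role mapping + enforcement policy; not ClearPass code.
# AP-group names, the STUDENT role name and "deny" are constructed for illustration.

ROLE_MAPPING = [  # modelled as evaluate-all: every matching rule adds a TIPS role
    (lambda r: "AllStudents" in r["memberOf"], "STUDENT"),
    (lambda r: r["Aruba-AP-Group"] == "dorm-aps", "LOCATION_DORM"),
]

ENFORCEMENT = [  # modelled as first-applicable: most specific rule first
    ({"STUDENT", "LOCATION_DORM"}, "Studentdorm"),
    ({"STUDENT"}, "Student"),
]

DEFAULT_PROFILE = "deny"  # hypothetical fallback when no rule matches


def tips_roles(request):
    """Collect every TIPS role whose role-mapping condition matches."""
    return {role for cond, role in ROLE_MAPPING if cond(request)}


def enforce(request, policy=ENFORCEMENT):
    """Return the controller role of the first rule whose required roles are all present."""
    roles = tips_roles(request)
    for required, controller_role in policy:
        if required <= roles:
            return controller_role
    return DEFAULT_PROFILE


def shadowed_rules(policy):
    """Rules that can never fire because an earlier rule needs only a subset of their roles."""
    return [name for i, (req, name) in enumerate(policy)
            if any(prev <= req for prev, _ in policy[:i])]


# Constructed sample requests (same SSID, same AD group, different AP groups).
DORM = {"memberOf": ["AllStudents"], "Aruba-AP-Group": "dorm-aps"}
CLASSROOM = {"memberOf": ["AllStudents"], "Aruba-AP-Group": "classroom-aps"}
VISITOR = {"memberOf": [], "Aruba-AP-Group": "dorm-aps"}

if __name__ == "__main__":
    for name, req in [("dorm", DORM), ("classroom", CLASSROOM), ("visitor", VISITOR)]:
        print(name, sorted(tips_roles(req)), "->", enforce(req))
    print("shadowed if reversed:", shadowed_rules(list(reversed(ENFORCEMENT))))
```
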