Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CLI Enforcement on ClearPass 6.3.0

  • 1.  CLI Enforcement on ClearPass 6.3.0

    Posted Jan 24, 2014 10:21 AM

    Just curious if anyone out there is successfully using CLI Enforcement with ClearPass 6.3.0.  The first time I wanted to use the feature was after upgrading CP to 6.3.0, so I'm unfamiliar with what may be a bug or my own config errors.


    I'm attempting to send a command to my 7220 to blacklist MAC addresses that meet very specific criteria (per our AUP).  In ClearPass, I see the enforcement profile trigger & the CLI command is generated correctly (visible in the output tab), but the station is never blacklisted.  My 7220's logs also never show a login attempt from CP.


    Before I go any further, CLI access is definitely enabled in the CP device config for the 7220, and the user/pass config is accurate. :)


    (attached image: device-7220.png)


    Looking in the request log details, the only thing out of the ordinary that I can see is the following line:

    2014-01-24 08:53:16,228[RequestHandler-1-0x7f726c5e2700 h=1357323 c=R0000cc05-02-52e27e5c] WARN Util.DatatypeUtils - Converting string 192.168.127.250 to integer failed. Trailing characters


    That seems odd to me.  I've tried configuring the enforcement profile to use the IP from %{Radius:IETF:NAS-IP-Address}, %{Connection:NAD-IP-Address}, and I've set it statically, but each time this warning string appears.


    Anyway, just seeing if anyone else has had luck where I have not.  Request log attached in case anyone can see something I've missed! :)



    Attachment(s)

    Request_Logs.txt   17 KB


  • 2.  RE: CLI Enforcement on ClearPass 6.3.0

    Posted Jan 24, 2014 10:23 AM

    Quick note... request log is in html format.  Had to change the extension to attach.



  • 3.  RE: CLI Enforcement on ClearPass 6.3.0

    EMPLOYEE
    Posted Jan 24, 2014 10:30 AM

    CLI Enforcement in CPPM only works with Meru Controllers, unfortunately.



  • 4.  RE: CLI Enforcement on ClearPass 6.3.0

    Posted Jan 24, 2014 10:38 AM

    Ah, thanks.  I looked through tech notes & user guides, but didn't see any compatibility statements. Did I miss it somewhere?


    I'm kinda surprised Aruba doesn't support this on their own controller.




  • 5.  RE: CLI Enforcement on ClearPass 6.3.0

    EMPLOYEE
    Posted Jan 24, 2014 10:45 AM

    This CLI enforcement was added specifically to support external captive portal on Meru.  It might not have been expanded beyond that... let me check.



  • 6.  RE: CLI Enforcement on ClearPass 6.3.0

    MVP
    Posted Jan 24, 2014 02:16 PM

    wow, I so wish somebody had made this topic 3 months earlier :smileyembarrassed:



  • 7.  RE: CLI Enforcement on ClearPass 6.3.0

    EMPLOYEE
    Posted Jan 24, 2014 02:24 PM
    This has been tested with Cisco and Meru. As of today it does not work with Aruba gear


  • 8.  RE: CLI Enforcement on ClearPass 6.3.0

    Posted Apr 14, 2020 09:35 PM

    Hey - I wanted to check if there's been any update to the CLI enforcement profile feature for more vendors? Would someone be able to list which Cisco devices this is usable for? Thanks!



  • 9.  RE: CLI Enforcement on ClearPass 6.3.0

    Posted Nov 03, 2021 06:29 AM

    Hi,

    I think you can use CLI enforcement for any vendor.

    You can define the vendor-specific SSH port as shown in the first post.

    With a CLI-based enforcement profile, you can send back one CLI command per line with the "Command" attribute.

    I used it to configure a client-device-type-related interface name on ArubaOS-based switches, or to push specific PoE settings to the NAS port.

    In my opinion this should work for any device or vendor which supports SSH-based console connections.

    You have to pay attention to the logon timeout.
    In the case of ArubaOS switches, you have to send one enter (my way to resolve this was to send a hash key before "conf t" and the other commands).

    You may have longer timeouts with other products; in this case you can send more than one enter (a hash per line) to address this.

    But I don't know if this is supported for other vendors besides Meru.

    This should be answered by an Aruba representative...



    ------------------------------
    Best regards, mom
    ------------------------------