@bourne wrote:
cjoseph,
Thank you for your response; it is very much appreciated.
Those are all great suggestions and I will investigate them further.
Using a Role Mapping rule is quite interesting; I hadn't thought of that. That would allow me to cut down on my services if I chose to do so!
So I should see some differences in the request information that is received on the CPPM?
Sorry to ask such a weird question; this will be the first real cluster I have worked with, and I don't really know what is "normal", I guess you could say.
And this should include 802.1X-based requests as well?
The primary purpose for being able to distinguish the requests is so that for our primary 802.1x SSID we can respond with the correct VLAN depending on where the request originates from.
Is there any chance that perhaps the information in the user request could get overwritten by the publisher, so that all requests appear as though they are coming from the location of the publisher?
Thank you,
Cheers
Bourne,
The CPPM policy model is that you:
- Gather as much information as you can about an incoming request and in the role mapping policy, you "Tag" it with internal CPPM roles.
- When you write that role mapping policy, you use "Evaluate-all" so that an incoming authentication can be tagged with as much information (roles) as possible.
- In the enforcement policy, you check to see what combination of roles is tagged by the role mapping and you send back a command to the NAS using an enforcement profile based on what combination of your CPPM-defined roles are tagged on an incoming authentication. You normally use first-applicable here because you want to send back instructions to your WLC as soon as your combination of roles is seen, in the order that they are seen.
It is all designed that you can process as much policy as possible in a service.
In the Access Tracker, under Input, you can see all of the attributes that can be used to tag an incoming authentication in the role mapping policy, and then send back an enforcement profile using the enforcement policy.
Why would you want the incoming user authentication to be overwritten by the publisher? Please be specific, so we can advise you on what best to do. What is the use case?
If you have two CPPM servers in the same cluster, the location of the client would not change if it is on the same controller, so you should send the same VLAN or role back.
If the access point(s) failed over to a different controller, in the CPPM enforcement profile you could send back an Aruba-Named-Vlan attribute, which would mean one VLAN on the first controller, but a different VLAN on the second controller. Hopefully that is the use case. CPPM would send the same attribute back, but on each individual controller the name would be translated to a different VLAN:
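A constructed simulation of the policy flow cjoseph describes (evaluate-all role mapping, first-applicable enforcement, and each controller translating the same Aruba-Named-Vlan name to its own VLAN), added here as an example; it is not ClearPass code and not part of this thread. Every rule, attribute value, IP address and VLAN ID in it is assumed for illustration.

```python
# Constructed, hypothetical model of the CPPM flow: role mapping runs evaluate-all,
# enforcement runs first-applicable, and the controller that sent the request
# resolves the returned Aruba-Named-Vlan name to its own local VLAN ID.
from typing import Callable, Optional

Request = dict  # attribute name -> value, as shown under Input in Access Tracker

# Hypothetical role-mapping rules: (condition on request attributes, CPPM role to tag)
ROLE_MAPPING: list[tuple[Callable[[Request], bool], str]] = [
    (lambda r: r.get("Connection:SSID") == "Corp-8021X", "Corp-SSID"),
    (lambda r: r.get("Authentication:Source") == "AD", "AD-User"),
    (lambda r: r.get("Connection:NAD-IP-Address", "").startswith("10.1."), "Site-A-WLC"),
    (lambda r: r.get("Connection:NAD-IP-Address", "").startswith("10.2."), "Site-B-WLC"),
]

# Hypothetical enforcement policy, in order: (required role combination, profile)
ENFORCEMENT: list[tuple[set, dict]] = [
    ({"Corp-SSID", "AD-User"}, {"Aruba-Named-Vlan": "corp-users"}),
    ({"Corp-SSID"}, {"Aruba-Named-Vlan": "quarantine"}),
]
DEFAULT_PROFILE = {"Profile": "[Deny Access Profile]"}  # assumed default when nothing matches

# Constructed per-controller mapping of VLAN name to local VLAN ID (differs per WLC)
CONTROLLER_VLANS = {
    "10.1.0.5": {"corp-users": 110, "quarantine": 199},
    "10.2.0.5": {"corp-users": 210, "quarantine": 299},
}

def role_mapping(request: Request) -> set:
    """Evaluate-all: every matching rule adds its role, so rule order does not matter."""
    return {role for cond, role in ROLE_MAPPING if cond(request)}

def enforcement(roles: set) -> dict:
    """First-applicable: the first rule whose role combination is fully present wins."""
    for required, profile in ENFORCEMENT:
        if required <= roles:
            return profile
    return DEFAULT_PROFILE

def resolve_vlan(request: Request, profile: dict) -> Optional[int]:
    """Translate Aruba-Named-Vlan on the controller (NAD) that sent the request."""
    name = profile.get("Aruba-Named-Vlan")
    if name is None:
        return None
    return CONTROLLER_VLANS.get(request.get("Connection:NAD-IP-Address"), {}).get(name)

def authenticate(request: Request) -> tuple:
    roles = role_mapping(request)
    profile = enforcement(roles)
    return roles, profile, resolve_vlan(request, profile)

if __name__ == "__main__":
    # Constructed requests: same user and SSID, APs failed over from WLC A to WLC B
    base = {"Connection:SSID": "Corp-8021X", "Authentication:Source": "AD"}
    for nad in ("10.1.0.5", "10.2.0.5"):
        print(nad, authenticate({**base, "Connection:NAD-IP-Address": nad}))
```

The two runs return the identical enforcement profile, but the VLAN ID differs because each controller resolves the name locally.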