Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Can I edit variable for selecting enforcement profile?

  • 1.  Can I edit variable for selecting enforcement profile?

    Posted Aug 05, 2019 09:31 AM

    Hi everyone,


    We are new to ClearPass and are in the middle of building out our profiles. We have user roles in the controllers that are specific to the building where they are used. This is basically to limit buildings from talking to other buildings in the network (we do not have a firewall in each building to do this for us). Because of this, we have to build out a Service profile for each building, which will be over 200 profiles.

    Someone made a suggestion the other day that if I could use a variable to select an enforcement profile or user role, it would solve my issues. The closest one I could see is the AP Group. All buildings have a unique AP group that has the building name at the beginning. If I could somehow, within the enforcement policy or profile, define something like this:

    "%{{Radius:Aruba:Aruba-AP-Group}-"-WiFi_Group"}-employee

    Basically taking the AP Group, truncating the end of it and attaching "-employee" at the end. It would make life easier.


    Any opinions or suggestions?
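As an added illustration (not part of the original post and not ClearPass configuration syntax), the Python below models the derivation the poster is asking for: take the Radius:Aruba:Aruba-AP-Group value, strip the trailing "-WiFi_Group", and append "-employee". It assumes the AP groups follow a "<Building>-WiFi_Group" naming convention, which is inferred from the expression above, and it uses constructed sample data for the role inventory. The one thing it adds beyond the string manipulation is the check a practitioner would want before trusting a derived role: if the attribute is missing, does not match the convention, or yields a role the controllers do not actually have, the result is a fail-closed fallback role rather than a typo'd role name that the controller would reject or, worse, a role with broader reach than intended.

```python
import re
from typing import Mapping, Optional

# Assumed AP-group naming convention "<Building>-WiFi_Group" (an assumption
# taken from the expression in the post; adjust the pattern to the real one).
AP_GROUP_PATTERN = re.compile(r"^(?P<building>[A-Za-z0-9]+)-WiFi_Group$")

# Roles the controllers actually define. Constructed sample data; in practice
# this set would be exported from the controller/role inventory.
KNOWN_ROLES = frozenset({"Bldg01-employee", "Bldg02-employee", "Bldg12-employee"})

# Fail-closed default: a role with no inter-building reachability.
FALLBACK_ROLE = "quarantine"

# Attribute name as ClearPass exposes it in policy conditions.
AP_GROUP_ATTR = "Radius:Aruba:Aruba-AP-Group"


def derive_role(ap_group: Optional[str],
                known_roles=KNOWN_ROLES,
                fallback: str = FALLBACK_ROLE) -> str:
    """Map an Aruba-AP-Group value to a building-specific user role.

    "Bldg12-WiFi_Group" -> "Bldg12-employee". Anything that does not match the
    naming convention, or that would name a role the controllers do not have,
    gets the fallback role instead of a guessed name.
    """
    if not ap_group:
        return fallback
    match = AP_GROUP_PATTERN.match(ap_group.strip())
    if match is None:
        return fallback
    candidate = f"{match.group('building')}-employee"
    return candidate if candidate in known_roles else fallback


def role_for_request(request: Mapping[str, str], **kwargs) -> str:
    """Pick the role for one RADIUS request, given as a dict of attributes."""
    return derive_role(request.get(AP_GROUP_ATTR), **kwargs)


if __name__ == "__main__":
    # Constructed sample requests covering the happy path and the failure modes.
    samples = [
        {AP_GROUP_ATTR: "Bldg12-WiFi_Group"},        # normal case
        {AP_GROUP_ATTR: "Bldg99-WiFi_Group"},        # convention OK, no such role
        {AP_GROUP_ATTR: "Lab-Guest"},                # does not follow the convention
        {},                                          # attribute absent from request
    ]
    for req in samples:
        print(f"{req.get(AP_GROUP_ATTR)!r:28} -> {role_for_request(req)}")
```

The point of keeping the `known_roles` check is that a derived role name is only as trustworthy as the attribute it came from; an AP group that is renamed or misspelled on one controller should fail into quarantine, not silently into a role that does not exist or into a different building's role. This does nothing about the roaming behaviour raised in the reply below: the role is still chosen once, at authentication time.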



  • 2.  RE: Can I edit variable for selecting enforcement profile?

    Posted Aug 05, 2019 02:25 PM

    This will only work on the first authentication; if a client roams to another building, it is still limited by the policies from the other building, as it does not re-authenticate after every roam to another AP or AP group.



  • 3.  RE: Can I edit variable for selecting enforcement profile?

    Posted Aug 06, 2019 07:41 AM

    Thanks for the response.

    I understand what you are saying; however, we already have the user roles in place. Clients are currently running through a FreeRADIUS setup for authentication. Most clients do not roam building to building, and we have over 20 clusters with only about 10 or so buildings pointed to each cluster. If they were to roam, either the idle timeout or just hitting a different cluster would force a reauth.

    With implementing ClearPass to replace the FreeRADIUS setup, I am just trying to avoid having over 200 services, which is why a variable in the enforcement policy or profile would work out perfectly.