ClearPass Service Rule parameters

  • 1.  ClearPass Service Rule parameters

    Posted Aug 14, 2017 04:51 PM

    I'm trying to create two separate services that are very similar.  One of them is for a group of vendors, the other is for our internal IT employees.  What I'd like to do is something like this:

    Service "Vendor access" which triggers if the user attempting auth is accessing a specific device group (i.e. Connection:NAD-IP-Address belong_to_group routers) AND user belongs to AD group "Vendors"

    Then after that in order is an employee policy which is not restrictive at all and permits all access.  As of right now I am unable to find a way for the service policy to be triggered by both the connection device group and an AD group.  Is that possible? Or should I have one service rule for the device group, then use a role mapping policy?



  • 2.  RE: ClearPass Service Rule parameters
    Best Answer

    EMPLOYEE
    Posted Aug 14, 2017 04:57 PM
    This is not possible as authorization occurs after service categorization and authentication. Use the same service with different enforcement rules and/or role mapping.


  • 3.  RE: ClearPass Service Rule parameters

    Posted Aug 14, 2017 05:00 PM

    Thanks Tim! That definitely does make things easier and was the direction I was leaning toward... I just wanted to make sure it wasn't possible with service parameters first.
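
The ordering described in reply 2, as an added example that is not part of the original thread and is not ClearPass code: a simplified Python model in which service categorization sees only connection attributes, and the AD group only becomes usable in role mapping and enforcement. The device group range, users, AD group "IT", service name and profile names are constructed assumptions.

```python
# Simplified model of the evaluation order described in the answer above.
# Not ClearPass code; all names and sample data are constructed for illustration.
import ipaddress

DEVICE_GROUPS = {"routers": ["10.0.0.0/24"]}            # constructed NAD device group
DIRECTORY = {"vendor1": {"Vendors"}, "alice": {"IT"}}   # constructed AD memberships


def nad_in_group(nad_ip, group):
    ip = ipaddress.ip_address(nad_ip)
    return any(ip in ipaddress.ip_network(net) for net in DEVICE_GROUPS[group])


def categorize_service(request):
    # Step 1: runs before authentication. Only attributes carried in the
    # request (such as the NAD IP address) exist; no AD group is known yet.
    if nad_in_group(request["nad_ip"], "routers"):
        return "Router access"
    return None


def map_roles(ad_groups):
    # Step 3: role mapping runs after authentication and the AD lookup.
    roles = set()
    if "Vendors" in ad_groups:
        roles.add("Vendor")
    if "IT" in ad_groups:
        roles.add("Employee")
    return roles


def enforce(request, roles):
    # Step 4: enforcement rules may combine the role with connection attributes.
    if "Vendor" in roles and nad_in_group(request["nad_ip"], "routers"):
        return "vendor-restricted"
    if "Employee" in roles:
        return "permit-all"
    return "deny"


def process(request):
    service = categorize_service(request)
    if service is None:
        return None, "no-service-match"
    ad_groups = DIRECTORY.get(request["user"])  # Step 2: authentication + AD lookup
    if ad_groups is None:
        return service, "deny"
    return service, enforce(request, map_roles(ad_groups))
```

Both the vendor and the employee land in the same service; only the enforcement result differs.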