Frequent Contributor II

ClearPass Service Rule parameters

I'm trying to create two separate services that are very similar.  One of them is for a group of vendors, the other is for our internal IT employees.  What I'd like to do is something like this:


Service "Vendor access" which triggers if the user attempting auth is accessing a specific device group (ie. Connection:NAD-IP-Address belong_to_group routers) AND user belongs to AD group "Vendors"


Then after that in order is an employee policy which is not restrictive at all and permits all access.  As of right now I am unable to find a way for the service policy to be triggered by both the connection device group and an AD group.  Is that possible? Or should I have one service rule for the device group, then use a role mapping policy?

rwin = 0
Guru Elite

Re: ClearPass Service Rule parameters

This is not possible as authorization occurs after service categorization and authentication. Use the same service with different enforcement rules and/or role mapping.

| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor II

Re: ClearPass Service Rule parameters

Thanks Tim! That definitely does make things easier and was the direction I was leaning toward... I just wanted to make sure it wasn't possible with service parameters first.

rwin = 0
Search Airheads
Showing results for 
Search instead for 
Did you mean: