Hi gurus,
I know ClearPass and Cisco WLC can be integrated for 802.1X Role Based Access:
https://community.arubanetworks.com/t5/Education-Australia-New-Zealand/Aruba-ClearPass-with-Cisco-WLC-802-1X-Role-Based-Access/gpm-p/455879
With this, users can have access to different network segments according to the user's role.
But, is possible to allow/deny access to differents applications and URLs according to the user's role? I believe ClearPass should reference a Cisco WLC's AVC profile, which in turn can control the recognized applications (drop, mark). Thanks in advance.
Regards,
Julián
Hi,
It seems it can't be done. The Aruba ClearPass with Cisco WLC 802.1X Role Based Access post uses the Airespace-ACL-Name and the Airespace-Interface-Name attributes for referencing the ACL and VLAN respectively. But the Airespace RADIUS dictionary has no attributes which reference an AVC profile:
Then I think I can't block or allow applications according to the user role when using ClearPass along with Cisco WLC. Any ideas?
Did you try using av-pair and return avc-profile-name and role.
Look at the bottom half of following link. I beleive it will work:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/AVC_dg7point5.html
Hi JayBee,
Do you mean ClearPass return an attribute string "avc-profile-name" with value that matches "av-pair"?
Thats correct. Somthing like this:
And then on WLC, under Wireless-> Application Visibility and Control -> AVC profiles, try creating an AVC profile with a similar name and required policies.
Ha, then it may work. I thought ClearPass doesn't have the Cisco-AVPair attribute, but actually it is in the Cisco RADIUS dictionary and not in the Airespace one.
Thanks very much!
Try that and please let me know as well if it works.
Yeah, I'll let you know. But because this is for a planned PoC I need to schedule and arrange all the requirements with customer, and it will take some time.
© Copyright 2024 Hewlett Packard Enterprise Development LPAll Rights Reserved.
