
ClearPass with Cisco WLC for blocking applications and URLs

Hi gurus,

 

I know ClearPass and Cisco WLC can be integrated for 802.1X Role Based Access:

 

https://community.arubanetworks.com/t5/Education-Australia-New-Zealand/Aruba-ClearPass-with-Cisco-WLC-802-1X-Role-Based-Access/gpm-p/455879

 

With this, users can have access to different network segments according to the user's role.

But is it possible to allow/deny access to different applications and URLs according to the user's role? I believe ClearPass should reference a Cisco WLC's AVC profile, which in turn can control the recognized applications (drop, mark). Thanks in advance.

 

Regards,

Julián 

Re: ClearPass with Cisco WLC for blocking applications and URLs

Hi,

 

It seems it can't be done. The Aruba ClearPass with Cisco WLC 802.1X Role Based Access post uses the Airespace-ACL-Name and the Airespace-Interface-Name attributes for referencing the ACL and VLAN respectively. But the Airespace RADIUS dictionary has no attributes which reference an AVC profile:

 

airespace.PNG

Then I think I can't block or allow applications according to the user role when using ClearPass along with Cisco WLC. Any ideas?

 

Regards,

Julián

Re: ClearPass with Cisco WLC for blocking applications and URLs

Did you try using av-pair and returning avc-profile-name and role?

 

Look at the bottom half of the following link. I believe it will work:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/AVC_dg7point5.html

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | CWNA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.

Re: ClearPass with Cisco WLC for blocking applications and URLs

Hi JayBee,

 

Do you mean ClearPass returns an attribute string "avc-profile-name" with a value that matches "av-pair"?

 

Regards,

Julián

Re: ClearPass with Cisco WLC for blocking applications and URLs

That's correct. Something like this:

image.png

 

And then on WLC, under Wireless -> Application Visibility and Control -> AVC profiles, try creating an AVC profile with a similar name and required policies.

JayBee

Re: ClearPass with Cisco WLC for blocking applications and URLs

Ha, then it may work. I thought ClearPass doesn't have the Cisco-AVPair attribute, but actually it is in the Cisco RADIUS dictionary and not in the Airespace one.

cisco_radius.PNG

Thanks very much!

Julián
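
To illustrate the dictionary point raised in this thread, the following is an added example (not part of any post here, and not ClearPass or Cisco code) that encodes and decodes the vendor-specific attributes involved, which is handy for checking in a packet capture that the Access-Accept really carries the AVC profile. Airespace attributes travel under vendor ID 14179 and Cisco-AVPair under vendor ID 9, sub-type 1. The `avc-profile-name=` and `role=` string forms follow what the thread describes and are assumptions here, and the VLAN, ACL, profile and role names are constructed sample values.

```python
import struct

CISCO, AIRESPACE, VSA = 9, 14179, 26   # IANA enterprise numbers; RADIUS type 26
NAMES = {(CISCO, 1): "Cisco-AVPair",
         (AIRESPACE, 5): "Airespace-Interface-Name",
         (AIRESPACE, 6): "Airespace-ACL-Name"}

def encode_vsa(vendor, vtype, value):
    """Encode one string-valued Vendor-Specific attribute (RFC 2865, 5.26)."""
    data = value.encode()
    if len(data) > 247:                # 255 minus 8 header bytes
        raise ValueError("value too long for a single VSA")
    return struct.pack("!BBIBB", VSA, len(data) + 8, vendor, vtype, len(data) + 2) + data

def decode_attrs(blob):
    """Return [(name, value)] for the known VSAs in a RADIUS attribute blob."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        body, i = blob[i + 2:i + alen], i + alen
        if atype != VSA or len(body) < 6:
            continue
        vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
        if vlen < 2 or vlen > len(body) - 4:
            raise ValueError("bad vendor sub-attribute length")
        if (vendor, vtype) in NAMES:
            out.append((NAMES[vendor, vtype], body[6:4 + vlen].decode()))
    return out

def avc_profile(attrs):
    """Return the AVC profile named in a Cisco-AVPair, or None if absent."""
    for name, value in attrs:
        key, sep, val = value.partition("=")
        if name == "Cisco-AVPair" and sep and key == "avc-profile-name":
            return val
    return None

# Constructed sample: attributes an Access-Accept might carry for one role.
SAMPLE = (encode_vsa(AIRESPACE, 5, "students-vlan")
          + encode_vsa(AIRESPACE, 6, "students-acl")
          + encode_vsa(CISCO, 1, "avc-profile-name=students-avc")
          + encode_vsa(CISCO, 1, "role=student"))

if __name__ == "__main__":
    print(decode_attrs(SAMPLE), avc_profile(decode_attrs(SAMPLE)))
```
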

Re: ClearPass with Cisco WLC for blocking applications and URLs

Try that and please let me know as well if it works.

JayBee

Re: ClearPass with Cisco WLC for blocking applications and URLs

Yeah, I'll let you know. But because this is for a planned PoC I need to schedule and arrange all the requirements with the customer, and it will take some time.

 

Regards,

Julián
