Contributor II

Clearpass - Limit number of devices per AD user (With different groups)



Long story short.


I'm authenticating users agains active directory and I have, lets say Group1 where UserGroup1 belongs and Group2 where UserGroup2 belongs.


Users that belong to group1 are only authorized to use 1 device. 

Users that belong to group2 are only authorized to use 2 devices.


I created 2 services based on 802.1X Wireless wizard with:


- Authorization Option

- Endpoint Repository as additional authorization source

- Set an Enforcement rule like:


(Authorization:AD_Server_Test:memberOf CONTAINS Group2) 802.1X Wireless Group2, Update Username Endpoint
(Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 2) Deny


My thinking was: since I want to limit different number of devices based on the group that a user belongs I would have to create different services for each group.


The problem is Default Enforcement Profile.


What happens:



1 - Group1 Service

2 - Group2 Service


If I try to authenticate a user that belongs to Group2 from AD it will be done inside "Group1 Service" (because the service rules match) and since it is inside "Group1 Service"without any Enforcement Condition for group2 to be matched it will end on the Default Enforcement Profile without "passing" to the next Service.


How can I achieve my goal?



Search Airheads
Showing results for 
Search instead for 
Did you mean: