ClearPass - Limit number of devices per AD user (With different groups)
09-12-2014 02:28 AM
Long story short.
I'm authenticating users against Active Directory and I have, let's say, Group1 where UserGroup1 belongs and Group2 where UserGroup2 belongs.
Users that belong to Group1 are only authorized to use 1 device.
Users that belong to Group2 are only authorized to use 2 devices.
I created 2 services based on 802.1X Wireless wizard with:
- Authorization Option
- Endpoint Repository as additional authorization source
- Set an Enforcement rule like:
(Authorization:AD_Server_Test:memberOf CONTAINS Group2) 802.1X Wireless Group2, Update Username Endpoint
(Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 2) Deny
My thinking was: since I want to limit a different number of devices based on the group that a user belongs to, I would have to create different services for each group.
The problem is the Default Enforcement Profile.
1 - Group1 Service
2 - Group2 Service
If I try to authenticate a user that belongs to Group2 from AD, it will be done inside "Group1 Service" (because the service rules match), and since it is inside "Group1 Service" without any Enforcement Condition for Group2 to be matched, it will end on the Default Enforcement Profile without "passing" to the next Service.
How can I achieve my goal?