Greetings all!
We're prepping for our rollout of Clearpass to secure our wired infrastructure (Cisco switches), and I'm wondering about the best (or any suggested) way to handle VLAN assignment exceptions. I would like to use the "colourless port" model with RADIUS-based VLAN assignment wherever possible, but I'm wondering how to handle all those wonderful exceptions to the rule. For example, say I'm assigning a "PRINTERS" VLAN for all my printers, and on switch A, PRINTERS is mapped to VLAN 10. But I've got that one printer that is on VLAN 9 (the WORKSTATION VLAN), and can't be easily moved. I think I could just set the port itself to VLAN 9, and add the printer to a Static Host List that is used to match devices to an enforcement profile that doesn't send a VLAN assignment, but then it's no longer a colourless port. I was thinking of putting the VLAN as an attribute in the endpoint repository, but should I expect that to potentially be flushed? Is there a good place to permanently store information like a VLAN override value that can be referenced for use in enforcement profiles? Or am I just looking at this the wrong way?
I'm new to Aruba and Clearpass, but I've reviewed the Wired Policy Enforcement Solution Guide as well as other documentation, and I don't recall seeing anything about this issue.
Thanks again for any suggestions!