Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Dynamic VLAN assignment with a single enforcement profile

  • 1.  Dynamic VLAN assignment with a single enforcement profile

    Posted Aug 14, 2020 03:12 PM

    I would like to dynamically assign a VLAN to a port without having an enforcement profile per VLAN, by using a variable for assigning the VLAN.

    My question is: which variable could/should I use for that?

    Is this possible via assigning a user role? If not, is there any other way I could assign a value to a variable during the authentication process and use that value for the vlan assignment?



  • 2.  RE: Dynamic VLAN assignment with a single enforcement profile



  • 3.  RE: Dynamic VLAN assignment with a single enforcement profile

    Posted Aug 15, 2020 03:21 AM

    Hi cjoseph,


    Thanks for the link. That is actually the link that I found before that made me think this might be possible.
    However, in that link the VLAN is preconfigured on the device, a switch.

    I want to use this for users though, so if a user is authenticated the process would "somehow" pass the VLAN ID value to the enforcement profile via a variable. It is unclear to me how I could achieve this "somehow".



  • 4.  RE: Dynamic VLAN assignment with a single enforcement profile

    EMPLOYEE
    Posted Aug 15, 2020 07:00 AM

    What exactly is your situation?  I don't want to send you a lot of information without knowing your problem.



  • 5.  RE: Dynamic VLAN assignment with a single enforcement profile

    Posted Aug 15, 2020 02:15 PM

    Maybe I explained it in too complicated a way, sorry.

    I want to authenticate users via dot1x and MAB and assign the correct VLAN, a basic use case.

    However, I would like to avoid creating an enforcement profile for every single VLAN I would assign. I would much rather use a "Dynamic VLAN assignment" enforcement profile which would use a variable as the VLAN, which I could somehow assign during the authentication process.



  • 6.  RE: Dynamic VLAN assignment with a single enforcement profile

    EMPLOYEE
    Posted Aug 15, 2020 02:43 PM

    Got it.


    What would determine the VLAN, then, the user group membership in AD?



  • 7.  RE: Dynamic VLAN assignment with a single enforcement profile

    Posted Aug 16, 2020 03:51 AM

    That depends on various things; it could be a certain field in the certificate, the hostname, the AD user group or the MAC address. I would still need to "manually" assign the VLAN name/ID, but this way I could get by with a single enforcement profile and not have so much clutter...

    Using many enforcement profiles would work, but doing it with a variable that gets assigned during the process is much cooler with a single enforcement profile.



  • 8.  RE: Dynamic VLAN assignment with a single enforcement profile

    Posted Aug 18, 2020 04:14 AM

    @cjoseph is there a way to do this or do I have to stay with one enforcement profile per VLAN?

    thanks



  • 9.  RE: Dynamic VLAN assignment with a single enforcement profile

    EMPLOYEE
    Posted Aug 18, 2020 07:42 AM

    I would need a detailed example to answer that.  The regular if/then for roles and enforcement policies allows you to assign a VLAN.  If you combine that with the namespaces in the link that I sent before, you can set VLANs based on the switch/device that the user is connected to.



  • 10.  RE: Dynamic VLAN assignment with a single enforcement profile

    Posted Aug 18, 2020 08:12 AM

    Example (location/switch independent!):


    Laptop1 with company computer certificate XYZ connects and needs to go into VLAN 100.

    Laptop2 with company computer certificate XYZ and hostname starting with ABC needs to go into VLAN 101.

    Laptop3 with company computer certificate ZZZ connects and needs to go into VLAN 102.

    Laptop4 without certificate but in the local MAB database connects and needs to go into VLAN 99.

    etc.

    Now, is this possible with a single enforcement profile by assigning some kind of variable during the process that the enforcement profile can use?



  • 11.  RE: Dynamic VLAN assignment with a single enforcement profile

    EMPLOYEE
    Posted Aug 18, 2020 08:38 AM

    So would an attribute on the certificate be the variable? 



  • 12.  RE: Dynamic VLAN assignment with a single enforcement profile

    Posted Aug 18, 2020 10:39 AM

    No, I would need to create the variable in the process, e.g. with some rules?

    I would still have the "manual" mapping of the VLAN but wouldn't have the clutter of several enforcement profiles.

    If it's not doable it's no issue, I will stay with multiple enforcement profiles; I just thought, after reading that post, that this might be doable.


    thanks



  • 13.  RE: Dynamic VLAN assignment with a single enforcement profile

    Posted Aug 24, 2020 01:37 AM

    @cjoseph possible or does it need one profile per VLAN?



  • 14.  RE: Dynamic VLAN assignment with a single enforcement profile

    Posted Aug 31, 2020 04:39 AM

    @cjoseph possible?



  • 15.  RE: Dynamic VLAN assignment with a single enforcement profile

    EMPLOYEE
    Posted Aug 31, 2020 07:24 AM

    I honestly have re-read this thread twice to try to give you a good answer.  Can you please give me a real-world example of what you are trying to do?  Maybe I am just not understanding.



  • 16.  RE: Dynamic VLAN assignment with a single enforcement profile

    Posted Aug 31, 2020 09:39 AM

    Hi cjoseph, sorry, this was the real-world example...

    I can try to re-explain with a more elaborate but fictional example:

    MAC authentication for all devices:

    - if the MAC contains aabb then the device should go into VLAN 123

    - if the MAC contains bbcc then the device should go into VLAN 234

    - if the MAC contains ccdd then the device should go into VLAN 345

    - if the MAC contains ddee then the device should go into VLAN 654

    I can do this with four different enforcement profiles without an issue....

    Is there a way to do this with a single enforcement profile instead, somehow with the use of some kind of variable?



  • 17.  RE: Dynamic VLAN assignment with a single enforcement profile

    Posted Sep 03, 2020 10:47 AM

    @cjoseph am I explaining it in too complicated a way?



  • 18.  RE: Dynamic VLAN assignment with a single enforcement profile

    EMPLOYEE
    Posted Sep 03, 2020 11:11 AM

    You would need only a single enforcement profile policy.  You would need 4 lines in your policy statement, however...



  • 19.  RE: Dynamic VLAN assignment with a single enforcement profile

    Posted Sep 03, 2020 12:03 PM

    Yes, that would be exactly what I would be looking for!

    How could I do this?



  • 20.  RE: Dynamic VLAN assignment with a single enforcement profile

    EMPLOYEE
    Posted Sep 03, 2020 02:20 PM

    So an enforcement policy is a rule or list of rules to be checked to do an action.  Enforcement profiles are what gets sent to a device to make that change.  Essentially, you will have a single enforcement policy but 4 enforcement profiles tied to those policies, depending on what you want to send:

    [attached image: enforcement.png]
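
    To make the policy-versus-profile distinction from this reply and the four MAC rules from post 16 concrete, here is an added example (not ClearPass code and not from the thread) that models the evaluation in Python. An enforcement policy is an ordered list of conditions, each pointing at a profile; a VLAN profile is just a fixed set of the three RFC 3580 attributes (Tunnel-Type 13, Tunnel-Medium-Type 6, Tunnel-Private-Group-ID) that the NAS reads, which is why one static profile is needed per VLAN. The block also models the one-profile variant discussed later in the thread: a profile whose VLAN value references an attribute already stored on the endpoint record. The `%{Endpoint:VLAN}` reference syntax, the rule/profile names and the endpoint records are assumptions made for this example. Two points a practitioner should check are shown explicitly: evaluation is first-match, so rule order decides when a MAC matches more than one fragment, and an endpoint matching no rule must fall through to a reject rather than a default VLAN.

```python
"""Model of an enforcement policy selecting a VLAN enforcement profile.

Added example, not ClearPass code. Rule set, profile names, the
"%{Endpoint:VLAN}" reference syntax and all MAC addresses are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# RFC 3580 section 3.31: the attributes that carry a VLAN in an Access-Accept.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass
class Endpoint:
    mac: str
    attributes: Dict[str, str] = field(default_factory=dict)  # assumed endpoint-DB fields

    @property
    def mac_hex(self) -> str:
        # Normalise so "AA:BB:..." and "aabb..." compare equal.
        return re.sub(r"[^0-9a-f]", "", self.mac.lower())


@dataclass(frozen=True)
class Profile:
    name: str
    vlan: Optional[str]  # literal VLAN, "%{Endpoint:Attr}" reference, or None = reject

    def radius_attributes(self, endpoint: Endpoint) -> Optional[Dict[str, object]]:
        """Resolve the VLAN and return the attribute set, or None for Access-Reject."""
        if self.vlan is None:
            return None
        vlan = self.vlan
        ref = re.fullmatch(r"%\{Endpoint:([\w-]+)\}", vlan)
        if ref:
            # Assumed substitution syntax: the value must already be on the endpoint.
            vlan = endpoint.attributes.get(ref.group(1))
            if vlan is None:
                return None  # no stored attribute -> nothing safe to send
        return {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-ID": str(vlan),
        }


@dataclass(frozen=True)
class Rule:
    condition: Callable[[Endpoint], bool]
    profile: Profile


def mac_contains(fragment: str) -> Callable[[Endpoint], bool]:
    frag = fragment.lower()
    return lambda ep: frag in ep.mac_hex


REJECT = Profile("Deny-Access", None)

# Four static profiles, one per VLAN, as in the thread's MAC example.
MAC_POLICY: List[Rule] = [
    Rule(mac_contains("aabb"), Profile("VLAN-123", "123")),
    Rule(mac_contains("bbcc"), Profile("VLAN-234", "234")),
    Rule(mac_contains("ccdd"), Profile("VLAN-345", "345")),
    Rule(mac_contains("ddee"), Profile("VLAN-654", "654")),
]

# Single profile whose VLAN comes from an attribute already stored on the endpoint.
ENDPOINT_VLAN_PROFILE = Profile("VLAN-From-Endpoint", "%{Endpoint:VLAN}")
ENDPOINT_POLICY: List[Rule] = [Rule(lambda ep: True, ENDPOINT_VLAN_PROFILE)]


def evaluate(policy: List[Rule], endpoint: Endpoint, default: Profile = REJECT) -> Profile:
    """First-match evaluation; the default is a reject, never a fallback VLAN."""
    for rule in policy:
        if rule.condition(endpoint):
            return rule.profile
    return default


def decide(policy: List[Rule], mac: str, attributes: Optional[Dict[str, str]] = None):
    """Return the RADIUS attributes to send for this MAC, or None for Access-Reject."""
    endpoint = Endpoint(mac, attributes or {})
    return evaluate(policy, endpoint).radius_attributes(endpoint)


if __name__ == "__main__":
    for mac in ("00:aa:bb:11:22:33", "00:11:dd:ee:22:33",
                "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55"):
        print(mac, "->", decide(MAC_POLICY, mac))
    print(decide(ENDPOINT_POLICY, "00:11:22:33:44:55", {"VLAN": "77"}))
    print(decide(ENDPOINT_POLICY, "00:11:22:33:44:55"))
```

    The MAC `00:aa:bb:cc:dd:ee` satisfies all four conditions and lands in VLAN 123 only because the aabb rule is listed first; reorder the rules and the result changes, so the order of the four policy lines is part of the configuration to review. The endpoint-attribute profile removes the per-VLAN profiles but only moves the mapping into the endpoint database, and a MAC-authenticated endpoint with no such attribute gets no VLAN at all here rather than a guessed one.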



  • 21.  RE: Dynamic VLAN assignment with a single enforcement profile

    Posted Sep 04, 2020 05:59 AM

    Yes, that's what I have now, but I was wondering if I could use just a single enforcement profile and pass the VLAN ID somehow via a variable that is set during authorization?



  • 22.  RE: Dynamic VLAN assignment with a single enforcement profile

    Posted Sep 11, 2020 08:42 AM

    @cjoseph ?



  • 23.  RE: Dynamic VLAN assignment with a single enforcement profile

    EMPLOYEE
    Posted Sep 11, 2020 10:29 AM

    How would the VLAN variable be defined?  What would it be tied to, a location or a network device?  How many different VLANs are we talking?



  • 24.  RE: Dynamic VLAN assignment with a single enforcement profile

    Posted Sep 14, 2020 02:37 AM

    Well, that was actually my question... is it possible, and if so, how would the variable be defined during authorization?

    The number of VLANs should of course be scalable.

    I am guessing from the looks of it that it would work if the attribute is already assigned to the endpoint, but not if it should be dynamically assigned as, e.g., in the example I wrote.



  • 25.  RE: Dynamic VLAN assignment with a single enforcement profile

    EMPLOYEE
    Posted Sep 14, 2020 07:17 AM

    As far as I know that is correct.