Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Enforcement Profiles and Device Group List

  • 1.  Enforcement Profiles and Device Group List

    Posted Aug 25, 2017 12:28 AM

    Hi,

    Just wondering what the purpose of the Device Group List is when configuring Enforcement Profiles.

    How is the Device Group List used within a profile?

    Cheers



  • 2.  RE: Enforcement Profiles and Device Group List

    EMPLOYEE
    Posted Aug 25, 2017 12:31 AM
    If you assign a device group to a profile, you can return multiple enforcement profiles at the same time and ClearPass will send only the one that matches the source NAD.

    It's a niche feature for some unique use cases and isn't commonly used.


  • 3.  RE: Enforcement Profiles and Device Group List

    Posted Aug 25, 2017 12:43 AM

    When you say "you can return multiple enforcement profiles at the same time", what exactly do you mean?

    Do you mean that a single client request can be answered with multiple enforcement profiles? Or that the enforcement profile will be sent out to multiple devices contained within the device list?

    What would be a situation where you would want to do something like this?



  • 4.  RE: Enforcement Profiles and Device Group List
    Best Answer

    EMPLOYEE
    Posted Aug 25, 2017 12:47 AM
    In your policy, you could specify multiple enforcement profiles and ClearPass would send the correct one to the NAD based on the source of the request.

    For example, using a single service for multiple vendors (I personally wouldn't recommend this).



    TIM CAPPALLI

    Aruba Security


  • 5.  RE: Enforcement Profiles and Device Group List

    Posted Aug 25, 2017 08:03 AM

    I appreciate you taking the time to explain in more detail.

    I think I understand what you are saying.

    Good to know what it is for. I don't have a use for it, but good to know what it is there for.

    Cheers



  • 6.  RE: Enforcement Profiles and Device Group List

    Posted Mar 16, 2018 09:41 PM
    Hi,
    For what you said, can you show us a config example, please?
    I need to add two Aruba controllers to my ClearPass as NADs. I know how to make the group list, but I don't know how to apply it to the enforcement profile and then to the enforcement policy for my service.

    I had to configure two services, one for each controller (NAD).


  • 7.  RE: Enforcement Profiles and Device Group List

    Posted Oct 17, 2019 02:20 PM

    An appropriate use of this feature might be for Palo Alto where the return information is different for Firewalls and Panorama.