MVP

Enforcement Profiles and Device Group List

Hi,

 

Just wondering what the purpose of the Device Group List is when configuring Enforcement Profiles.

 

How is the Device Group List used within a profile?

 

Cheers


All Replies
Moderator

Re: Enforcement Profiles and Device Group List

If you assign a device group to a profile, you can return multiple enforcement profiles at the same time and ClearPass will send only the one that matches the source NAD.

It's a niche feature for some unique use cases and isn't commonly used.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP

Re: Enforcement Profiles and Device Group List

When you say "you can return multiple enforcement profiles at the same time", what exactly do you mean?

Do you mean that a single client request can be answered with multiple enforcement profiles? Or that the enforcement profile will be sent out to multiple devices contained within the device list?

 

What would be a situation where you would want to do something like this?

Moderator

Re: Enforcement Profiles and Device Group List

In your policy, you could specify multiple enforcement profiles and ClearPass would send the correct one to the NAD based on the source of the request.

For example, using a single service for multiple vendors (I personally wouldn't recommend this).




| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |


MVP

Re: Enforcement Profiles and Device Group List

I appreciate you taking the time to explain in more detail.

I think I understand what you are saying.

 

Good to know what it is for. I don't have a use for it, but good to know what it is there for.

 

Cheers

Contributor II

Re: Enforcement Profiles and Device Group List

Hi,

For what you described, can you show us a config example, please?

I need to add two Aruba controllers to my ClearPass as NADs. I know how to make the group list, but I don't know how to apply it to the enforcement profile and then to the enforcement policy for my service.

I had to configure two services, one for each controller (NAD).
Occasional Contributor II

Re: Enforcement Profiles and Device Group List

An appropriate use of this feature might be for Palo Alto where the return information is different for Firewalls and Panorama. 
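
A small model of the behaviour described in the answers above, added here as an illustration; it is not ClearPass code or configuration from the thread. The device groups, subnets, profile names and attribute values are constructed, and treating a profile with no device group as applying to every NAD is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed device groups: group name -> NAD subnets (all values are made up).
DEVICE_GROUPS = {
    "aruba-controllers": ["10.10.1.0/24"],
    "cisco-switches": ["10.20.0.0/16"],
}

@dataclass
class EnforcementProfile:
    name: str
    attributes: dict
    device_groups: list = field(default_factory=list)  # empty = not scoped (assumption)

def nad_groups(nad_ip):
    """Names of every device group whose subnets contain the source NAD."""
    addr = ipaddress.ip_address(nad_ip)
    return {name for name, nets in DEVICE_GROUPS.items()
            if any(addr in ipaddress.ip_network(n) for n in nets)}

def profiles_for_nad(matched, nad_ip):
    """Keep unscoped profiles plus scoped ones whose group contains the NAD."""
    groups = nad_groups(nad_ip)
    return [p for p in matched
            if not p.device_groups or groups & set(p.device_groups)]

def response_attributes(matched, nad_ip):
    """Merge the attributes of the profiles that survive the device-group filter."""
    merged = {}
    for profile in profiles_for_nad(matched, nad_ip):
        merged.update(profile.attributes)
    return merged

def only_unscoped_applied(matched, nad_ip):
    """True when the NAD is in none of the groups, so no vendor profile is sent."""
    return all(not p.device_groups for p in profiles_for_nad(matched, nad_ip))

# One policy rule returning all three profiles at once (constructed example).
POLICY_RESULT = [
    EnforcementProfile("Aruba employee role",
                       {"Aruba-User-Role": "employee"}, ["aruba-controllers"]),
    EnforcementProfile("Cisco employee VLAN",
                       {"Tunnel-Private-Group-Id": "120"}, ["cisco-switches"]),
    EnforcementProfile("Session timeout", {"Session-Timeout": "28800"}),
]

if __name__ == "__main__":
    for nad in ("10.10.1.5", "10.20.3.4", "192.168.1.1"):
        print(nad, response_attributes(POLICY_RESULT, nad),
              "unscoped only:", only_unscoped_applied(POLICY_RESULT, nad))
```

The third NAD sits in no device group, so it receives only the unscoped attribute; when reviewing a shared service, that case is worth checking because the client gets no role or VLAN assignment from the policy.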
