Security

I'd like to apply different ClearPass services based on whether or not a device is connected to an Aruba switch or an Aruba 303H access point. If a device is connected to a switch, it would get an enforcement policy with a downloadble user role, while a device connected to an access point would get a role like a wireless device.  Is there a way to determine to what type of switch or AP a device is connected wired? Am I approaching this correctly?

Thanks

The service types in ClearPass build all of the required rules for you.

You could use Access Tracker in ClearPass and see what service they are connecting too. 

Let me clarify things a bit. I have two services, one for devices connected to wired switches and one for devices connected wired to 303H access points. They are both 802.1X wired services. Devices connected to switches get a different enforcement policy than those connected to 303H access points. The access points tunnel back to the controllers and roles and ACLs are applied at the controller. On the otherhand, switches will use an enforcement policy that will apply downloadble user roles and ACLs that will apply at the switch or at the controller depending on whether or not the user device is in a role that is tunnelled back to the controller or not. The enforcement policy applied should be determined by whether or not the user device is connected to a switch or a 303H.

 

For switches, the service can look at device group membership to determine if a service should be applied. I'd like to be able to do something similar for the 303H service and restrict the service to 303Hs. Right now, if the 303H wired service is before the switch wired service, it is applied even if the device is connected to a switch. I think service ordering could take care of this by putting the switch service before the 303H service, but I'd rather have more control over it than that as if I forget and change the order in the future, it could break things.

Here is an example of service rules to match a MAC auth off the wired interfaces of an AP.

 

Thanks Tim. What is the Aruba-Port-ID 0? A quick glance seems to show it to always be zero from the 303H. A short bit of testing seems to show this to be working. If this is the case, would the group be needed?

 

As for the group, I'd create a group with the IP addresses of the 303Hs?

The Port-ID is the interface which would be in the format of ap-ip:0/X so this rule looks for :0/ to determine it’s the wired interface of an AP.

The Network Device Group would contain all of your controller IPs. I always recommend using NAD Groups as it makes the service rules more explicit when making other changes.