Occasional Contributor I

Roles rules by Switch & Port in Clearpass

We are just starting to leverage Clearpass for authentication on our switches and I'm trying to find the right way to assign roles based on a combination of switch and port.


These are third party switches, and the best I've been able to figure out is to make individual role rule entries using the IETF-NAS-Identifier and IETF-NAS-Port. Since those are two separate values I have to make individual entries for each pair.


For example, if I want to identify specific ports on our network allowed to service PCI related devices, I have to put in individual entries for each switch/port pair. Even if I could find a value that was the switch/port pair, that would make that a *lot* cleaner.


Am I missing something somewhere? Is there a better way to do that? (I hope!)


Many Thanks.



Guru Elite

Re: Roles rules by Switch

You could create a custom attribute on each Network Device definition that contains a set of numbers. Then use a parameterized variable in your policy to compare the Network Device to the IETF NAS-Port-Id from the RADIUS request.

Tim Cappalli | Aruba Security
@timcappalli | ACMX #367 / ACCX #480
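To make the parameterized comparison in the answer above concrete, here is an added example in Python (not from the thread and not ClearPass code) that mirrors the rule logic offline: a per-device custom attribute listing the allowed ports, checked against the NAS-Identifier and NAS-Port-Id of a request. The attribute name PCI-Ports, the device names and the interface-name formats are constructed assumptions; the literal-name form exists because on stacked switches the trailing port number alone does not identify the port.

```python
import re

# Constructed sample of ClearPass Network Device definitions. "PCI-Ports" is an
# assumed custom attribute name (not a built-in); each entry is a port number,
# a numeric range, or a literal interface name exactly as the switch sends it
# in NAS-Port-Id.
NETWORK_DEVICES = {
    "sw-core-01": {"PCI-Ports": "1-4,7,10-12"},
    "sw-stack-02": {"PCI-Ports": "GigabitEthernet2/0/24"},  # stack member matters
    "sw-edge-09": {},  # attribute absent: no PCI ports on this switch
}


def parse_port_spec(spec):
    """Split a PCI-Ports value into a set of ints (numbers/ranges) and a set of literal names."""
    numbers, literals = set(), set()
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        if re.fullmatch(r"\d+", part):
            numbers.add(int(part))
        elif re.fullmatch(r"\d+-\d+", part):
            lo, hi = (int(x) for x in part.split("-"))
            numbers.update(range(lo, hi + 1))
        else:
            literals.add(part)
    return numbers, literals


def trailing_port_number(nas_port_id):
    """Trailing digits of a NAS-Port-Id such as 'GigabitEthernet1/0/7' -> 7, else None."""
    m = re.search(r"(\d+)$", nas_port_id.strip())
    return int(m.group(1)) if m else None


def assign_role(nas_identifier, nas_port_id, devices=NETWORK_DEVICES):
    """Map a (NAS-Identifier, NAS-Port-Id) pair to a role the way the policy rule would."""
    device = devices.get(nas_identifier)
    if device is None:
        return "Unknown-NAS"  # request from a switch ClearPass has no definition for
    numbers, literals = parse_port_spec(device.get("PCI-Ports", ""))
    if nas_port_id.strip() in literals:
        return "PCI-Device"
    port = trailing_port_number(nas_port_id)
    if port is not None and port in numbers:
        return "PCI-Device"
    return "Default"
```

The attribute value is the only thing that changes per switch, so it can be maintained through whatever external process populates the Network Device definitions rather than as one rule per switch/port pair.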
Occasional Contributor I

Re: Roles rules by Switch

That is an interesting idea, and I could probably manage the list externally via API.  I'll experiment with that.   Thanks!

