Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Using clearpass to manage Mobility Controller ACL lists

  • 1.  Using clearpass to manage Mobility Controller ACL lists

    Posted Jan 03, 2018 06:08 AM

    Might be a silly question ...

    I'm currently passing a Filter-Id attribute back to our mobility controllers and using it to apply a particular policy to a user session. This does of course mean that we have to create the ACL lists that are used on the controllers, which we seem to have to do by hand either via the GUI or CLI.

    Is there any way of ClearPass managing an ACL list's contents? e.g. something like its ability to pass ACL rules down to a provision switch in an Access Accept packet?

    Rgds

    Alex



  • 2.  RE: Using clearpass to manage Mobility Controller ACL lists
    Best Answer

    EMPLOYEE
    Posted Jan 03, 2018 06:44 AM

    http://community.arubanetworks.com/t5/Controller-Based-WLANs/Downloading-an-undefined-role-from-CPPM-to-Controller/ta-p/243661

     

    In addition, if you are using ClearPass, you should return the Aruba-User-Role RADIUS attribute or the Aruba-User-Vlan attribute from ClearPass, instead of using Filter-Id and then having to write a server derivation rule on the controller. Using those attributes will automatically assign the role and/or VLAN without having to have a corresponding server derivation rule looking for a Filter-Id attribute.



  • 3.  RE: Using clearpass to manage Mobility Controller ACL lists

    Posted Jan 04, 2018 05:17 AM

    Well, everything seemed to have worked apart from the Aruba-User-Role bit.

    Looking at Firewall policies /[System Role|Policies] I can see the stuff I sent back.

    ClearPass is sending back

    Radius:Aruba:Aruba-CPPM-Role
    test_cppm_role_enforcement-3110-4
    ip access-list session super_user_role
        any any any permit log 
    !
    user-role cppmrole
        access-list session super_user_role
    !
    Radius:Aruba:Aruba-User-Role

    cppmrole

    where super_user_role is the default "allowall" with logging

    However, Firewall policies / User Role doesn't have a cppmrole entry. Should I be sending back the System Role test_cppm_role_enforcement-3110-4?

    Rgds

    alex



  • 4.  RE: Using clearpass to manage Mobility Controller ACL lists

    EMPLOYEE
    Posted Jan 04, 2018 07:50 AM
    You won't see them in your config. Downloadable roles are added and destroyed as they're used and released.


  • 5.  RE: Using clearpass to manage Mobility Controller ACL lists

    Posted Jan 04, 2018 10:20 AM

    When configuring a session-based ACL list in CPPM, you don't seem to be able to distinguish between IPv6 and IPv4, whereas on the controller you can.

    Not important at the moment as we're just dipping our toes into the IPv6 pond, but might be in the future.

    A