Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

combine variables

  • 1.  combine variables

    Posted Nov 08, 2018 05:50 AM

    I'm testing ClearPass. Authentication works with our AD.
    We have 25 Aruba switch stacks and 5 types of Workstations with different names like PC-W1, PC-W2 .. PC-W5.

    For each Workstation type we want to use a different VLAN. 

    Stack 1   PC-W1      VLAN 11
    Stack 1   PC-W2      VLAN 12

    ...

    Stack 2   PC-W1      VLAN 21
    Stack 2   PC-W2      VLAN 22

    ...

    I don't want to make a lot of policies.

    On devices I can use an attribute and put a value in it. For example, for Stack 1 I made a custom attribute Vlan-Prefix=1


    In the policy I want to combine the VLAN-Prefix with a number. For example:

    If Stack 1 and PC-W2 -> combine the VLAN-Prefix (1) + 2. The policy will then use 12 for the VLAN.

    If Stack 2 and PC-W4 -> combine the VLAN-Prefix (2) + 4. The policy will then use 24 for the VLAN.


    Is something like this possible?


    Mark



  • 2.  RE: combine variables
    Best Answer

    EMPLOYEE
    Posted Nov 08, 2018 06:37 AM

    Yes, you can apply it. You can, for example, save an attribute for each NAS and use it in the enforcement. You can combine it with other attributes too.

    In this example you can save an attribute in the NAS: [screenshot]

    Another attribute in the Endpoint: [screenshot]

    The enforcement looks like this: [screenshot]

    And this is the result: [screenshot]



  • 3.  RE: combine variables

    Posted Nov 08, 2018 07:31 AM

    It works with my custom attribute %{device:Vlan Prefix}

    Thanks



  • 4.  RE: combine variables

    Posted Nov 08, 2018 06:49 AM

    Hi,


    not exactly what you asked for, but maybe something below helps...

    (hopefully I understood you right)

     

    First idea:

    Instead of combining prefixes and suffixes just send enforcement profile.

    The way you are thinking about below, you already have to define 125 if clauses (25 stacks multiplied by 5 workstation types). If you also define 125 enforcement profiles for the different VLANs, you do not need the prefix thing...

    if NAS=Stack1 and AD-Group=PCW1 then VLANID=11

    if NAS=Stack1 and AD-Group=PCW2 then VLANID=12

     ...

    if NAS=Stack25 and AD-Group=PCW5 then VLANID=255

     

    Second idea: (depends on model and version of your switch)

    Name the five VLANs identically on the stacks and pass the VLAN by name.

    Stack1, VLANID 11, VLAN-Name PC-W1-VLAN

    ...

    Stack 25, VLANid 255, VLAN-Name PC-W1-VLAN

     

    Then you simply need 5 if clauses:

    if AD-Group=PC-W1 then VLAN-Name=PC-W1-VLAN

    ...

    if AD-Group=PC-W5 then VLAN-Name=PCW5-VLAN

     

    I didn't test this myself. But others did.

    Search community to find information on this.

    One reference: https://community.arubanetworks.com/t5/Security/Assign-Tagged-VLAN-via-Radius-attribute-using-quot-HP-Egress/m-p/274863/highlight/true#M27509

    The answer of networkingsire shows information about assignment by name.

     

    Third idea: (depends on model and version of your switch)

    Use the new Aruba role features of newer switches. Define roles for the 5 PC types on the stacks and assign VLANs to the roles as needed.

    Again you just need 5 if clauses to assign the roles.

    if AD-Group=PC-W1 then Role=PC-W1-Role

    ...

    if AD-Group=PC-W5 then Role=PC-W5-Role

     

    What you cannot use this way is downloadable roles, to download them from ClearPass. You'd need 125 different roles and if clauses again to do this. (Each stack needs to download its own set of roles...)

     

    Regards, Jö
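The two approaches discussed in this thread, the prefix-plus-suffix concatenation that the accepted answer and the `%{device:Vlan Prefix}` follow-up describe, and the "VLAN by name" alternative from the last reply, can be sketched as a small policy evaluator. The code below is an added illustration, not ClearPass code and not from any poster; the NAS IPs, the quarantine VLAN 999, the `render()`/`vlan_for()`/`vlan_name_for()` helpers and the sample attribute values are all constructed here. It deliberately fails closed: if the NAS has no prefix attribute, or the concatenated ID is not a VLAN that stack actually has, the endpoint lands in a fallback VLAN instead of in whatever VLAN the shortened or malformed string happens to resolve to.

```python
import re

# Constructed sample data (not from the thread): NAS IP -> custom device
# attributes as they would be stored on the ClearPass network device entry.
NAS_ATTRIBUTES = {
    "10.0.1.1": {"Vlan Prefix": "1"},   # Stack 1
    "10.0.2.1": {"Vlan Prefix": "2"},   # Stack 2
    "10.0.3.1": {},                     # stack with no prefix attribute set
}

# AD group -> VLAN suffix, following the thread's PC-W1..PC-W5 scheme.
GROUP_SUFFIX = {f"PC-W{i}": str(i) for i in range(1, 6)}

# Matches ClearPass-style placeholders such as %{device:Vlan Prefix}.
PLACEHOLDER = re.compile(r"%\{(\w+):([^}]+)\}")

QUARANTINE_VLAN = "999"  # assumed fallback VLAN, not mentioned in the thread


def render(template, namespaces):
    """Expand %{ns:Attr} placeholders from a dict of namespaces.

    Raises KeyError (naming the missing namespace:attribute) instead of
    substituting an empty string, so a missing attribute cannot silently
    turn "%{device:Vlan Prefix}2" into VLAN "2" instead of "12".
    """
    def sub(match):
        ns, attr = match.group(1), match.group(2)
        if ns not in namespaces or attr not in namespaces[ns]:
            raise KeyError(f"{ns}:{attr}")
        return namespaces[ns][attr]
    return PLACEHOLDER.sub(sub, template)


def vlan_for(nas_ip, ad_group, provisioned_vlans):
    """Return (vlan_id, reason) for an endpoint seen on a given switch stack.

    provisioned_vlans: the VLAN IDs actually configured on that stack; the
    concatenated value is only accepted if it is one of them.
    """
    suffix = GROUP_SUFFIX.get(ad_group)
    if suffix is None:
        return QUARANTINE_VLAN, f"unknown AD group {ad_group}"
    template = "%{device:Vlan Prefix}" + suffix
    try:
        vlan = render(template, {"device": NAS_ATTRIBUTES.get(nas_ip, {})})
    except KeyError as missing:
        return QUARANTINE_VLAN, f"missing attribute {missing.args[0]}"
    if not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
        return QUARANTINE_VLAN, f"invalid VLAN ID {vlan!r}"
    if vlan not in provisioned_vlans:
        return QUARANTINE_VLAN, f"VLAN {vlan} not provisioned on {nas_ip}"
    return vlan, "ok"


def vlan_name_for(ad_group):
    """The alternative from the last reply: return a VLAN *name* that every
    stack defines locally, so five rules suffice and nothing is concatenated."""
    if ad_group not in GROUP_SUFFIX:
        return None
    return f"{ad_group}-VLAN"


def radius_reply(value):
    """Standard RADIUS VLAN-assignment attributes (RFC 3580); a VLAN ID and a
    VLAN name are both carried in Tunnel-Private-Group-ID."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": value,
    }


if __name__ == "__main__":
    stack1 = {"11", "12", "13", "14", "15"}
    print(vlan_for("10.0.1.1", "PC-W2", stack1))   # ('12', 'ok')
    print(vlan_for("10.0.3.1", "PC-W1", set()))    # quarantine: missing attribute
    print(radius_reply(vlan_name_for("PC-W3")))
```

The `provisioned_vlans` check is the part worth keeping in mind when copying the concatenation trick into a real enforcement policy: the string "1" + "2" is accepted by the switch whether or not VLAN 12 exists on that stack, so an untagged device entry or a typo in the prefix attribute changes which segment a workstation ends up in without any error in the ClearPass access tracker.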