Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Hi, ClearPass policy will override the policy defined in user role on the controller, is it correct

  • 1.  Hi, ClearPass policy will override the policy defined in user role on the controller, is it correct

    Posted Dec 09, 2015 07:43 AM

    Hi, ClearPass policy will override the policy defined in user role on the controller, is it correct? Can anyone advise? Thanks.



  • 2.  RE: Hi, ClearPass policy will override the policy defined in user role on the controller, is it correct

    EMPLOYEE
    Posted Dec 09, 2015 07:51 AM
    If the user-role is defined on the controller, that role and policing will be applied.

    Sent from Nine


  • 3.  RE: Hi, ClearPass policy will override the policy defined in user role on the controller, is it correct

    Posted Dec 09, 2015 08:02 AM

    Hi Tim, thanks for your kind reply. By user role here, do you mean the initial role or the 802.1x role? We are using WPA2 authentication, AES encryption, and ClearPass for authentication.

    The AAA profile is like below:

    initial role: logon

    802.1x role: deny 

    (role "deny" configured on controller, but on clearpass allow all)

    Please advise

    Thanks


  • 4.  RE: Hi, ClearPass policy will override the policy defined in user role on the controller, is it correct

    EMPLOYEE
    Posted Dec 09, 2015 08:19 AM
    If you're sending back allow-all from the controller, then allow-all is the role the user will get.

    Sent from Nine


  • 5.  RE: Hi, ClearPass policy will override the policy defined in user role on the controller, is it correct

    Posted Dec 09, 2015 08:25 AM

    If I define the initial role "guest" and its policy on the controller, and still configure ClearPass as the authenticator, then the guest policy (firewall rule) defined on the controller will be used, right?



  • 6.  RE: Hi, ClearPass policy will override the policy defined in user role on the controller, is it correct

    Posted Dec 09, 2015 08:55 AM

    Yes, the role returned by ClearPass - if any - will determine the role the client gets.

    Normally you do this by returning a Radius:IETF:Filter-ID or Radius:Aruba:Aruba-User-Role (Radius-CoA).

    The role returned has to exist on the controller.

    If CoA - you need to have configured RFC-3756 in the AAA profile.



  • 7.  RE: Hi, ClearPass policy will override the policy defined in user role on the controller, is it correct
    Best Answer

    EMPLOYEE
    Posted Dec 09, 2015 08:59 AM
    Yes, whatever you send back as the Aruba-User-Role will be used as long as it exists on the controller. If it doesn't exist on the controller, the default role will be used.

    Sent from Nine
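
As an added illustration of the rule stated in the replies above (not code from the thread or from Aruba): a small Python audit that parses an ArubaOS-style config excerpt and reports which role a client ends up in for each Aruba-User-Role value ClearPass might return. The config excerpt, the profile name `corp-dot1x`, the exact-match comparison, and the reading of "default role" as the AAA profile's `dot1x-default-role` are assumptions.

```python
import re

# Constructed ArubaOS-style running-config excerpt (not the poster's controller).
SAMPLE_CONFIG = '''\
user-role logon
 access-list session logon-control
user-role deny
 access-list session denyall
user-role guest
 access-list session guest-acl
aaa profile "corp-dot1x"
 initial-role "logon"
 dot1x-default-role "deny"
'''

def parse_controller(config):
    """Return (set of user-role names, {aaa profile name: dot1x-default-role})."""
    roles, defaults, profile = set(), {}, None
    for line in config.splitlines():
        if m := re.match(r'user-role\s+"?([^"\s]+)"?\s*$', line):
            roles.add(m.group(1))
            profile = None
        elif m := re.match(r'aaa profile\s+"?([^"]+?)"?\s*$', line):
            profile = m.group(1)
        elif profile and (m := re.match(r'\s+dot1x-default-role\s+"?([^"\s]+)"?', line)):
            defaults[profile] = m.group(1)
        elif line and not line[0].isspace():
            profile = None  # some other top-level stanza started
    return roles, defaults

def effective_role(returned_role, profile, roles, defaults):
    """Apply the thread's rule: a returned role wins only if it exists on the controller.

    Assumptions: names are compared as exact strings, and the fallback is the
    AAA profile's dot1x-default-role (the "802.1x role" quoted in post 3).
    """
    if returned_role and returned_role in roles:
        return returned_role, "applied as returned"
    reason = "no role returned" if not returned_role else "role missing on controller"
    return defaults.get(profile), reason + ", default role used"

def audit(returned_roles, profile, config=SAMPLE_CONFIG):
    roles, defaults = parse_controller(config)
    return {r: effective_role(r, profile, roles, defaults) for r in returned_roles}

if __name__ == "__main__":
    # Constructed list of Aruba-User-Role values set in ClearPass enforcement profiles.
    for role, (final, why) in audit(["guest", "allow-all", None], "corp-dot1x").items():
        print(f"{role!r:12} -> {final!r:8} ({why})")
```

Running this against a real config export before changing enforcement profiles flags returned role names that the controller does not define, which would otherwise fall back to the default role without any visible error.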


  • 8.  RE: Hi, ClearPass policy will override the policy defined in user role on the controller, is it correct

    Posted Dec 09, 2015 09:40 AM

    Thanks a lot to both of you.