Wired Intelligent Edge


Aruba CX ACLs with Clearpass

  • 1.  Aruba CX ACLs with Clearpass

    Posted Mar 20, 2024 02:05 PM

    Hello everyone

    I was wondering if I could download the Aruba CX switches' ACL with the RADIUS IETF NAS-Filter-Rule attribute, just like I do with ArubaOS?

    Also, I wonder if the syntax I was using with Cisco for the downloadable ACL will work, for example this one:

    permit ip any host x.x.x.x
    permit ip any host y.y.y.y
    deny ip any 10.0.0.0 0.255.255.255
    permit ip any any

    Thanks



  • 2.  RE: Aruba CX ACLs with Clearpass

    EMPLOYEE
    Posted Mar 24, 2024 02:52 AM

    See if this works:

    NAS-Filter-Rule = permit in ip from any to x.x.x.x

    NAS-Filter-Rule = permit in ip from any to y.y.y.y

    NAS-Filter-Rule = deny in ip from any to 10.0.0.0/8

    NAS-Filter-Rule = permit in ip from any to any 



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Aruba CX ACLs with Clearpass

    EMPLOYEE
    Posted Mar 27, 2024 04:45 PM

    You may be interested in checking out the Port Access Policy section of the AOS-CX Security guide (example for release 10.12) which offers some ways to obtain policies for authenticated users either locally, via RADIUS attributes, or from a ClearPass Policy Manager server.




  • 4.  RE: Aruba CX ACLs with Clearpass

    Posted 42 minutes ago

    Hello, thanks for the post.

    I tried NAS-Filter-Rule and it works fine. The problem we have with it is that if I want to change the rules, it is not like I can move the rules around or something like that.

    For example:

    If I have this:

    NAS-Filter-Rule = permit in ip from any to x.x.x.x/24

    NAS-Filter-Rule = permit in ip from any to y.y.y.y/24

    NAS-Filter-Rule = deny in ip from any to 10.0.0.0/8

    NAS-Filter-Rule = permit in ip from any to any 

    and i needed to add something like this:

    NAS-Filter-Rule = permit in ip from any to x.x.x.x/24

    NAS-Filter-Rule = permit in ip from any to y.y.y.y/24

    NAS-Filter-Rule = permit in ip from any to z.z.z.z/24

    NAS-Filter-Rule = deny in ip from any to 10.0.0.0/8

    NAS-Filter-Rule = permit in ip from any to any 

    I would need to delete

    NAS-Filter-Rule = deny in ip from any to 10.0.0.0/8

    NAS-Filter-Rule = permit in ip from any to any 

    then add NAS-Filter-Rule = permit in ip from any to z.z.z.z/24 and then add the other 2 lines again.

    Now imagine this scenario in a really long ACL.

    This is not like with the downloadable ACL of Cisco, where I had a box I could just edit.

    Is there something like the downloadable ACL for Aruba CX? Or is this the only thing I have?

    In my scenario I don't have a gateway to do UBT and manage it with a gateway, so that's not possible.

    Let me know if there is a way to work around this, or manage it in another way.

    Thanks

    Carlos
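
As an added example (not code from this thread, from HPE Aruba, or from ClearPass), the script below keeps the ACL as ordinary Cisco-style text, the form the first post is used to editing, and renders the ordered NAS-Filter-Rule attribute list the second reply shows, so that inserting a rule means editing one text file and re-rendering all the attributes rather than deleting and re-adding the trailing ones by hand. It also evaluates the list first-match, which is how RFC 4849 defines NAS-Filter-Rule and how the script assumes the switch applies it, so the ordering problem from the last post can be checked before the attributes go into an enforcement profile. Addresses are RFC 5737 documentation prefixes constructed for the example, and only the syntax subset used in the thread (no ports, no "established") is handled.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: the ACL from the first post with the x.x.x.x / y.y.y.y
# placeholders replaced by RFC 5737 documentation addresses.
SAMPLE_CISCO_ACL = """
permit ip any host 192.0.2.10
permit ip any host 198.51.100.20
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
"""


def _wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert a Cisco wildcard mask (0.255.255.255) to a prefix length (8).
    Non-contiguous wildcards raise, since a CIDR prefix cannot express them."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    mask = ipaddress.IPv4Address(inverted)
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def _parse_operand(tokens: List[str], i: int) -> Tuple[str, int]:
    """Parse one source/destination operand at tokens[i].
    Returns the NAS-Filter-Rule operand and the index after it."""
    tok = tokens[i].lower()
    if tok == "any":
        return "any", i + 1
    if tok == "host":  # bare address == single host, as in the second reply
        return str(ipaddress.IPv4Address(tokens[i + 1])), i + 2
    plen = _wildcard_to_prefixlen(tokens[i + 1])
    net = ipaddress.IPv4Network(f"{tok}/{plen}", strict=False)
    return f"{net.network_address}/{plen}", i + 2


def cisco_to_nas_filter_rules(acl_text: str, direction: str = "in") -> List[str]:
    """Render Cisco-style 'permit|deny <proto> <src> <dst>' lines, in order,
    as RFC 4849 NAS-Filter-Rule values. Blank and '!' comment lines are skipped."""
    rules = []
    for raw in acl_text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action = tokens[0].lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported action in: {raw!r}")
        proto = tokens[1].lower()
        src, i = _parse_operand(tokens, 2)
        dst, i = _parse_operand(tokens, i)
        if i != len(tokens):
            raise ValueError(f"ports/flags are not handled: {raw!r}")
        rules.append(f"{action} {direction} {proto} from {src} to {dst}")
    return rules


def to_clearpass_attributes(rules: List[str]) -> List[str]:
    """One 'NAS-Filter-Rule = ...' line per rule, in the order to paste them."""
    return [f"NAS-Filter-Rule = {r}" for r in rules]


def insert_rule(acl_text: str, new_line: str, before_index: int) -> str:
    """Insert a Cisco-style line at a position in the text ACL; the attribute
    list is then regenerated in full instead of being edited in place."""
    lines = acl_text.strip().splitlines()
    lines.insert(before_index, new_line)
    return "\n".join(lines)


def _match(operand: str, addr: ipaddress.IPv4Address) -> bool:
    return operand == "any" or addr in ipaddress.ip_network(operand, strict=False)


def first_match(rules: List[str], src: str, dst: str) -> Optional[str]:
    """First-match evaluation (assumed switch behaviour, per RFC 4849):
    return the action of the first rule matching src->dst, or None."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        action, _d, _p, _f, r_src, _t, r_dst = rule.split()
        if _match(r_src, s) and _match(r_dst, d):
            return action
    return None


if __name__ == "__main__":
    # Appending a permit for a subnet inside 10/8 after the deny leaves it dead;
    # inserting it before the deny (index 2) is what actually changes behaviour.
    new = "permit ip any 10.20.30.0 0.0.0.255"
    for label, acl in (("appended", insert_rule(SAMPLE_CISCO_ACL, new, 4)),
                       ("ordered", insert_rule(SAMPLE_CISCO_ACL, new, 2))):
        rules = cisco_to_nas_filter_rules(acl)
        print(label, "->", first_match(rules, "172.16.0.1", "10.20.30.5"))
        print("\n".join(to_clearpass_attributes(rules)), end="\n\n")
```

The point of the text-file round trip is that every change, including a re-order, becomes a full replacement of the attribute list in the enforcement profile, so the list on the switch always matches the reviewed file and a rule shadowed by an earlier deny is caught by first_match before the profile is pushed.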