We have multiple masters on our campus and I have wanted to use downloadable roles for some time, but have not done so yet.
A pro I see is that having a single point of definition (as Tim points out) for the roles makes it easier to implement changes across all of my controllers.
I don’t use ClearPass for all of the Wi-Fi networks yet (and may never have all of them on ClearPass), so a con would be having to deal with multiple ways of implementing roles and managing them.
Questions that I have had, but have not looked into (or don’t remember the answers to) are:
* What happens when I update the role definition in ClearPass? Do all existing users keep the same rules and only subsequent users get the updated ruleset?
* If the controller already has a role downloaded, how does it know if the role definition on ClearPass has changed and it needs to download a new role?
* How do you look at the characteristics of a downloadable user role from the controller (either Web UI or CLI)?
* In HA pairs, when do backup controllers download the roles? With potentially thousands of users moving from one controller to the other, how does ClearPass know to only download the role once, since there would be thousands asking at virtually the same time?
A challenge I see is that, with the exception of rebooting controllers, we never have a role with zero users, so to be sure the current role was being sent, I suppose you would have to clear the user tables for users in that role?
Amel Caldwell
University of Washington UW-IT
Wi-Fi Network Engineer
Wi-Fi Service Manager
amelc@uw.edu
206-543-2915
Ask me about open Network Engineer positions on the wireless team.