Security

Hi All,

I got a use-case, where a device roams from one floor to another, within same SSID, but different so-called Policy Tag in Cisco 9800 WLC. Different floor different policy tag.
This Policy Tag appends at RADIUS:NAS-Identifier and I put a Role Mapping rule like below:
- If policy tag = L1 -> assign WLAN VLAN L1 clearpass role
- If policy tag = L2 -> assign WLAN VLAN L2 clearpass role
Role mapping evaluation algorithm is the evaluate-all.
I ask my network team, for some reason they cannot name L1 and L2 with same vlan name with different vlan id at their backend.

So the issue with this, is when a user connects to L1, and then moving to L2 within 5 minutes policy cache result, this endpoint will have both L1 and L2 clearpass roles at the same time , whereby at the enforcement policy, first-applicable rule is applied: L2 rule is below L1, and this 'use cached Roles and Posture attributes from previous session' is checked, because I have posture attribute that needs to take into account as well.

If I change the role mapping evaluation algorithm to first-applicable, it is still possible for the user to hold two clearpass roles at the same time in this scenario.

So, at the end, could I request please, to have multiple options to tick the 'use cached Roles' separately from the 'use cached Posture' ?
Definitely in this case I do not want to tick the 'use cached Roles' because if ticked, it will make the same enforcement mistakes. At the same time Posture cache is a must so if you separate it, I will tick the Posture ONLY.

PS: actually we can create multiple Service with multiple policy tag as the service rule, but imagine we have so many floors with the SSID broadcasted everywhere... it will be so many Service lines seen at the Services page, and the enforcement policy should become a lot as well.

Hi All,

I got a use-case, where a device roams from one floor to another, within same SSID, but different so-called Policy Tag in Cisco 9800 WLC. Different floor different policy tag.
This Policy Tag appends at RADIUS:NAS-Identifier and I put a Role Mapping rule like below:
- If policy tag = L1 -> assign WLAN VLAN L1 clearpass role
- If policy tag = L2 -> assign WLAN VLAN L2 clearpass role
Role mapping evaluation algorithm is the evaluate-all.
I ask my network team, for some reason they cannot name L1 and L2 with same vlan name with different vlan id at their backend.

So the issue with this, is when a user connects to L1, and then moving to L2 within 5 minutes policy cache result, this endpoint will have both L1 and L2 clearpass roles at the same time , whereby at the enforcement policy, first-applicable rule is applied: L2 rule is below L1, and this 'use cached Roles and Posture attributes from previous session' is checked, because I have posture attribute that needs to take into account as well.

If I change the role mapping evaluation algorithm to first-applicable, it is still possible for the user to hold two clearpass roles at the same time in this scenario.

So, at the end, could I request please, to have multiple options to tick the 'use cached Roles' separately from the 'use cached Posture' ?
Definitely in this case I do not want to tick the 'use cached Roles' because if ticked, it will make the same enforcement mistakes. At the same time Posture cache is a must so if you separate it, I will tick the Posture ONLY.

PS: actually we can create multiple Service with multiple policy tag as the service rule, but imagine we have so many floors with the SSID broadcasted everywhere... it will be so many Service lines seen at the Services page, and the enforcement policy should become a lot as well.

Hi All,

I got a use-case, where a device roams from one floor to another, within same SSID, but different so-called Policy Tag in Cisco 9800 WLC. Different floor different policy tag.
This Policy Tag appends at RADIUS:NAS-Identifier and I put a Role Mapping rule like below:
- If policy tag = L1 -> assign WLAN VLAN L1 clearpass role
- If policy tag = L2 -> assign WLAN VLAN L2 clearpass role
Role mapping evaluation algorithm is the evaluate-all.
I ask my network team, for some reason they cannot name L1 and L2 with same vlan name with different vlan id at their backend.

So the issue with this, is when a user connects to L1, and then moving to L2 within 5 minutes policy cache result, this endpoint will have both L1 and L2 clearpass roles at the same time , whereby at the enforcement policy, first-applicable rule is applied: L2 rule is below L1, and this 'use cached Roles and Posture attributes from previous session' is checked, because I have posture attribute that needs to take into account as well.

If I change the role mapping evaluation algorithm to first-applicable, it is still possible for the user to hold two clearpass roles at the same time in this scenario.

So, at the end, could I request please, to have multiple options to tick the 'use cached Roles' separately from the 'use cached Posture' ?
Definitely in this case I do not want to tick the 'use cached Roles' because if ticked, it will make the same enforcement mistakes. At the same time Posture cache is a must so if you separate it, I will tick the Posture ONLY.

PS: actually we can create multiple Service with multiple policy tag as the service rule, but imagine we have so many floors with the SSID broadcasted everywhere... it will be so many Service lines seen at the Services page, and the enforcement policy should become a lot as well.

Hi All,

I got a use-case, where a device roams from one floor to another, within same SSID, but different so-called Policy Tag in Cisco 9800 WLC. Different floor different policy tag.
This Policy Tag appends at RADIUS:NAS-Identifier and I put a Role Mapping rule like below:
- If policy tag = L1 -> assign WLAN VLAN L1 clearpass role
- If policy tag = L2 -> assign WLAN VLAN L2 clearpass role
Role mapping evaluation algorithm is the evaluate-all.
I ask my network team, for some reason they cannot name L1 and L2 with same vlan name with different vlan id at their backend.

So the issue with this, is when a user connects to L1, and then moving to L2 within 5 minutes policy cache result, this endpoint will have both L1 and L2 clearpass roles at the same time , whereby at the enforcement policy, first-applicable rule is applied: L2 rule is below L1, and this 'use cached Roles and Posture attributes from previous session' is checked, because I have posture attribute that needs to take into account as well.

If I change the role mapping evaluation algorithm to first-applicable, it is still possible for the user to hold two clearpass roles at the same time in this scenario.

So, at the end, could I request please, to have multiple options to tick the 'use cached Roles' separately from the 'use cached Posture' ?
Definitely in this case I do not want to tick the 'use cached Roles' because if ticked, it will make the same enforcement mistakes. At the same time Posture cache is a must so if you separate it, I will tick the Posture ONLY.

PS: actually we can create multiple Service with multiple policy tag as the service rule, but imagine we have so many floors with the SSID broadcasted everywhere... it will be so many Service lines seen at the Services page, and the enforcement policy should become a lot as well.

Hi All,

I got a use-case, where a device roams from one floor to another, within same SSID, but different so-called Policy Tag in Cisco 9800 WLC. Different floor different policy tag.
This Policy Tag appends at RADIUS:NAS-Identifier and I put a Role Mapping rule like below:
- If policy tag = L1 -> assign WLAN VLAN L1 clearpass role
- If policy tag = L2 -> assign WLAN VLAN L2 clearpass role
Role mapping evaluation algorithm is the evaluate-all.
I ask my network team, for some reason they cannot name L1 and L2 with same vlan name with different vlan id at their backend.

So the issue with this, is when a user connects to L1, and then moving to L2 within 5 minutes policy cache result, this endpoint will have both L1 and L2 clearpass roles at the same time , whereby at the enforcement policy, first-applicable rule is applied: L2 rule is below L1, and this 'use cached Roles and Posture attributes from previous session' is checked, because I have posture attribute that needs to take into account as well.

If I change the role mapping evaluation algorithm to first-applicable, it is still possible for the user to hold two clearpass roles at the same time in this scenario.

So, at the end, could I request please, to have multiple options to tick the 'use cached Roles' separately from the 'use cached Posture' ?
Definitely in this case I do not want to tick the 'use cached Roles' because if ticked, it will make the same enforcement mistakes. At the same time Posture cache is a must so if you separate it, I will tick the Posture ONLY.

PS: actually we can create multiple Service with multiple policy tag as the service rule, but imagine we have so many floors with the SSID broadcasted everywhere... it will be so many Service lines seen at the Services page, and the enforcement policy should become a lot as well.

Hi All,

I got a use-case, where a device roams from one floor to another, within same SSID, but different so-called Policy Tag in Cisco 9800 WLC. Different floor different policy tag.
This Policy Tag appends at RADIUS:NAS-Identifier and I put a Role Mapping rule like below:
- If policy tag = L1 -> assign WLAN VLAN L1 clearpass role
- If policy tag = L2 -> assign WLAN VLAN L2 clearpass role
Role mapping evaluation algorithm is the evaluate-all.
I ask my network team, for some reason they cannot name L1 and L2 with same vlan name with different vlan id at their backend.

So the issue with this, is when a user connects to L1, and then moving to L2 within 5 minutes policy cache result, this endpoint will have both L1 and L2 clearpass roles at the same time , whereby at the enforcement policy, first-applicable rule is applied: L2 rule is below L1, and this 'use cached Roles and Posture attributes from previous session' is checked, because I have posture attribute that needs to take into account as well.

If I change the role mapping evaluation algorithm to first-applicable, it is still possible for the user to hold two clearpass roles at the same time in this scenario.

So, at the end, could I request please, to have multiple options to tick the 'use cached Roles' separately from the 'use cached Posture' ?
Definitely in this case I do not want to tick the 'use cached Roles' because if ticked, it will make the same enforcement mistakes. At the same time Posture cache is a must so if you separate it, I will tick the Posture ONLY.

PS: actually we can create multiple Service with multiple policy tag as the service rule, but imagine we have so many floors with the SSID broadcasted everywhere... it will be so many Service lines seen at the Services page, and the enforcement policy should become a lot as well.

Hi All,

I got a use-case, where a device roams from one floor to another, within same SSID, but different so-called Policy Tag in Cisco 9800 WLC. Different floor different policy tag.
This Policy Tag appends at RADIUS:NAS-Identifier and I put a Role Mapping rule like below:
- If policy tag = L1 -> assign WLAN VLAN L1 clearpass role
- If policy tag = L2 -> assign WLAN VLAN L2 clearpass role
Role mapping evaluation algorithm is the evaluate-all.
I ask my network team, for some reason they cannot name L1 and L2 with same vlan name with different vlan id at their backend.

So the issue with this, is when a user connects to L1, and then moving to L2 within 5 minutes policy cache result, this endpoint will have both L1 and L2 clearpass roles at the same time , whereby at the enforcement policy, first-applicable rule is applied: L2 rule is below L1, and this 'use cached Roles and Posture attributes from previous session' is checked, because I have posture attribute that needs to take into account as well.

If I change the role mapping evaluation algorithm to first-applicable, it is still possible for the user to hold two clearpass roles at the same time in this scenario.

So, at the end, could I request please, to have multiple options to tick the 'use cached Roles' separately from the 'use cached Posture' ?
Definitely in this case I do not want to tick the 'use cached Roles' because if ticked, it will make the same enforcement mistakes. At the same time Posture cache is a must so if you separate it, I will tick the Posture ONLY.

PS: actually we can create multiple Service with multiple policy tag as the service rule, but imagine we have so many floors with the SSID broadcasted everywhere... it will be so many Service lines seen at the Services page, and the enforcement policy should become a lot as well.

@GorazdKikelj @ariyap

Do I have to register all the APs under Network > Devices ?
My APs are not fat APs/controllerless, it's with controller so the NAS-IP-Address at the incoming RADIUS is never the AP IP.

I actually have been trying to add post-enforcement update to Endpoint Repository, updating the particular MAC's location with %NAS-Identifier, then upon update I use this location to map to a certain vlan. But, it changes my authentication workflow and after trying this, I still feel it could be better if I can separate the cached roles and posture​, because in the end it is just what I want (I dont want to use the cached role in my enforcement policy).

Hi All,

I got a use-case, where a device roams from one floor to another, within same SSID, but different so-called Policy Tag in Cisco 9800 WLC. Different floor different policy tag.
This Policy Tag appends at RADIUS:NAS-Identifier and I put a Role Mapping rule like below:
- If policy tag = L1 -> assign WLAN VLAN L1 clearpass role
- If policy tag = L2 -> assign WLAN VLAN L2 clearpass role
Role mapping evaluation algorithm is the evaluate-all.
I ask my network team, for some reason they cannot name L1 and L2 with same vlan name with different vlan id at their backend.

So the issue with this, is when a user connects to L1, and then moving to L2 within 5 minutes policy cache result, this endpoint will have both L1 and L2 clearpass roles at the same time , whereby at the enforcement policy, first-applicable rule is applied: L2 rule is below L1, and this 'use cached Roles and Posture attributes from previous session' is checked, because I have posture attribute that needs to take into account as well.

If I change the role mapping evaluation algorithm to first-applicable, it is still possible for the user to hold two clearpass roles at the same time in this scenario.

So, at the end, could I request please, to have multiple options to tick the 'use cached Roles' separately from the 'use cached Posture' ?
Definitely in this case I do not want to tick the 'use cached Roles' because if ticked, it will make the same enforcement mistakes. At the same time Posture cache is a must so if you separate it, I will tick the Posture ONLY.

PS: actually we can create multiple Service with multiple policy tag as the service rule, but imagine we have so many floors with the SSID broadcasted everywhere... it will be so many Service lines seen at the Services page, and the enforcement policy should become a lot as well.

@GorazdKikelj @ariyap

Do I have to register all the APs under Network > Devices ?
My APs are not fat APs/controllerless, it's with controller so the NAS-IP-Address at the incoming RADIUS is never the AP IP.

I actually have been trying to add post-enforcement update to Endpoint Repository, updating the particular MAC's location with %NAS-Identifier, then upon update I use this location to map to a certain vlan. But, it changes my authentication workflow and after trying this, I still feel it could be better if I can separate the cached roles and posture​, because in the end it is just what I want (I dont want to use the cached role in my enforcement policy).

Hi All,

I got a use-case, where a device roams from one floor to another, within same SSID, but different so-called Policy Tag in Cisco 9800 WLC. Different floor different policy tag.
This Policy Tag appends at RADIUS:NAS-Identifier and I put a Role Mapping rule like below:
- If policy tag = L1 -> assign WLAN VLAN L1 clearpass role
- If policy tag = L2 -> assign WLAN VLAN L2 clearpass role
Role mapping evaluation algorithm is the evaluate-all.
I ask my network team, for some reason they cannot name L1 and L2 with same vlan name with different vlan id at their backend.

So the issue with this, is when a user connects to L1, and then moving to L2 within 5 minutes policy cache result, this endpoint will have both L1 and L2 clearpass roles at the same time , whereby at the enforcement policy, first-applicable rule is applied: L2 rule is below L1, and this 'use cached Roles and Posture attributes from previous session' is checked, because I have posture attribute that needs to take into account as well.

If I change the role mapping evaluation algorithm to first-applicable, it is still possible for the user to hold two clearpass roles at the same time in this scenario.

So, at the end, could I request please, to have multiple options to tick the 'use cached Roles' separately from the 'use cached Posture' ?
Definitely in this case I do not want to tick the 'use cached Roles' because if ticked, it will make the same enforcement mistakes. At the same time Posture cache is a must so if you separate it, I will tick the Posture ONLY.

PS: actually we can create multiple Service with multiple policy tag as the service rule, but imagine we have so many floors with the SSID broadcasted everywhere... it will be so many Service lines seen at the Services page, and the enforcement policy should become a lot as well.

Hi All,

I got a use-case, where a device roams from one floor to another, within same SSID, but different so-called Policy Tag in Cisco 9800 WLC. Different floor different policy tag.
This Policy Tag appends at RADIUS:NAS-Identifier and I put a Role Mapping rule like below:
- If policy tag = L1 -> assign WLAN VLAN L1 clearpass role
- If policy tag = L2 -> assign WLAN VLAN L2 clearpass role
Role mapping evaluation algorithm is the evaluate-all.
I ask my network team, for some reason they cannot name L1 and L2 with same vlan name with different vlan id at their backend.

So the issue with this, is when a user connects to L1, and then moving to L2 within 5 minutes policy cache result, this endpoint will have both L1 and L2 clearpass roles at the same time , whereby at the enforcement policy, first-applicable rule is applied: L2 rule is below L1, and this 'use cached Roles and Posture attributes from previous session' is checked, because I have posture attribute that needs to take into account as well.

If I change the role mapping evaluation algorithm to first-applicable, it is still possible for the user to hold two clearpass roles at the same time in this scenario.

So, at the end, could I request please, to have multiple options to tick the 'use cached Roles' separately from the 'use cached Posture' ?
Definitely in this case I do not want to tick the 'use cached Roles' because if ticked, it will make the same enforcement mistakes. At the same time Posture cache is a must so if you separate it, I will tick the Posture ONLY.

PS: actually we can create multiple Service with multiple policy tag as the service rule, but imagine we have so many floors with the SSID broadcasted everywhere... it will be so many Service lines seen at the Services page, and the enforcement policy should become a lot as well.

Hi All,

I got a use-case, where a device roams from one floor to another, within same SSID, but different so-called Policy Tag in Cisco 9800 WLC. Different floor different policy tag.
This Policy Tag appends at RADIUS:NAS-Identifier and I put a Role Mapping rule like below:
- If policy tag = L1 -> assign WLAN VLAN L1 clearpass role
- If policy tag = L2 -> assign WLAN VLAN L2 clearpass role
Role mapping evaluation algorithm is the evaluate-all.
I ask my network team, for some reason they cannot name L1 and L2 with same vlan name with different vlan id at their backend.

So the issue with this, is when a user connects to L1, and then moving to L2 within 5 minutes policy cache result, this endpoint will have both L1 and L2 clearpass roles at the same time , whereby at the enforcement policy, first-applicable rule is applied: L2 rule is below L1, and this 'use cached Roles and Posture attributes from previous session' is checked, because I have posture attribute that needs to take into account as well.

If I change the role mapping evaluation algorithm to first-applicable, it is still possible for the user to hold two clearpass roles at the same time in this scenario.

So, at the end, could I request please, to have multiple options to tick the 'use cached Roles' separately from the 'use cached Posture' ?
Definitely in this case I do not want to tick the 'use cached Roles' because if ticked, it will make the same enforcement mistakes. At the same time Posture cache is a must so if you separate it, I will tick the Posture ONLY.

PS: actually we can create multiple Service with multiple policy tag as the service rule, but imagine we have so many floors with the SSID broadcasted everywhere... it will be so many Service lines seen at the Services page, and the enforcement policy should become a lot as well.

Hi All,

I got a use-case, where a device roams from one floor to another, within same SSID, but different so-called Policy Tag in Cisco 9800 WLC. Different floor different policy tag.
This Policy Tag appends at RADIUS:NAS-Identifier and I put a Role Mapping rule like below:
- If policy tag = L1 -> assign WLAN VLAN L1 clearpass role
- If policy tag = L2 -> assign WLAN VLAN L2 clearpass role
Role mapping evaluation algorithm is the evaluate-all.
I ask my network team, for some reason they cannot name L1 and L2 with same vlan name with different vlan id at their backend.

So the issue with this, is when a user connects to L1, and then moving to L2 within 5 minutes policy cache result, this endpoint will have both L1 and L2 clearpass roles at the same time , whereby at the enforcement policy, first-applicable rule is applied: L2 rule is below L1, and this 'use cached Roles and Posture attributes from previous session' is checked, because I have posture attribute that needs to take into account as well.

If I change the role mapping evaluation algorithm to first-applicable, it is still possible for the user to hold two clearpass roles at the same time in this scenario.

So, at the end, could I request please, to have multiple options to tick the 'use cached Roles' separately from the 'use cached Posture' ?
Definitely in this case I do not want to tick the 'use cached Roles' because if ticked, it will make the same enforcement mistakes. At the same time Posture cache is a must so if you separate it, I will tick the Posture ONLY.

PS: actually we can create multiple Service with multiple policy tag as the service rule, but imagine we have so many floors with the SSID broadcasted everywhere... it will be so many Service lines seen at the Services page, and the enforcement policy should become a lot as well.