AOS-W 6.5.3.x | User Guide ClearPass Policy Manager Integration | 402
Chapter 17
ClearPass Policy Manager Integration
AOS-W and ClearPass Policy Manager (CPPM) include support for centralized policy definition and distribution.
AOS-W now supports downloadable roles. With this feature, when ClearPass Policy Manager successfully
authenticates a user, ClearPass Policy Manager assigns the user a role; if that role is not defined on
the switch, the role attributes can also be downloaded to the switch automatically.
This chapter contains the following sections:
• Introduction on page 402
• Important Points to Remember on page 402
• Enabling Downloadable Role on a Switch on page 403
• Sample Configuration on page 403
Introduction
To provide highly granular per-user access, user roles can be created when a user has been
successfully authenticated. While configuring a policy enforcement profile in ClearPass Policy
Manager, the administrator can define the role that is assigned to the user after successful
authentication. In RADIUS authentication, when ClearPass Policy Manager successfully authenticates a user,
ClearPass Policy Manager assigns the user that role; if the role is not defined on the switch, the role
attributes can also be downloaded automatically. This feature supports roles obtained through the following
authentication methods:
• 802.1X (wireless and wired users)
• MAC authentication
• Captive Portal
Important Points to Remember
• In Advanced mode, ClearPass Policy Manager does not perform any error checking to confirm the accuracy
  of the role definition. It is therefore recommended that you review the role defined in ClearPass Policy
  Manager before enabling this feature.
• The attributes listed below, referred to in this chapter as whitelist role attributes, can be defined in
  ClearPass Policy Manager:
  • netdestination
  • netservice
  • ip access-list eth
  • ip access-list mac
  • ip access-list session
  • user-role
• Any of the above attributes that a role definition refers to must either be defined within the role
  definition itself or already be configured on the switch before the policy is downloaded.
• In ClearPass Policy Manager, two or more attributes (of the types listed above) must not share the same
  name. The example below is considered invalid, because both attributes use test as the profile/net
  destination name:
    qos-profile test
    netdestination test
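Because Advanced mode performs no error checking, a practitioner will usually want to validate a role definition before pasting it into the enforcement profile. The script below is an added example, not part of this guide or of ClearPass Policy Manager; it applies the three rules stated above (only whitelist attributes, no name shared across attribute types, and every referenced object defined in the role or already on the switch) to a role given as text. It assumes AOS-W CLI syntax in which each object starts at column 0, body lines are indented, session-ACL rules reference netdestinations with `alias <name>` and netservices by name, and user-roles reference ACLs with `access-list session <name>`; the built-in service names, the sample role and the set of switch-side names are all constructed for the example.

```python
"""Pre-check for an AOS-W downloadable role before it goes into a CPPM Advanced-mode profile.

Assumed syntax (not taken from the user guide): one object per column-0 line,
"<attribute> <name> ...", with indented body lines and "!" separators.
"""

# Whitelist role attributes, as listed in the user guide.
WHITELIST = (
    "netdestination",
    "netservice",
    "ip access-list eth",
    "ip access-list mac",
    "ip access-list session",
    "user-role",
)

# Netservices that ship with the switch and need no definition (constructed subset).
BUILTIN_SERVICES = {"any", "svc-http", "svc-https", "svc-dns", "svc-dhcp"}

# Token width of each session-ACL endpoint form; "alias" carries a netdestination reference.
_ENDPOINT_WIDTH = {"any": 1, "user": 1, "host": 2, "network": 3, "alias": 2}


def parse_objects(role_text):
    """Return [(attribute, name, [body token lists])] for every column-0 object in the text."""
    objects = []
    for raw in role_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():               # indented: body line of the current object
            if objects:
                objects[-1][2].append(line.split())
            continue
        attr = next((w for w in WHITELIST if line.startswith(w + " ")), None)
        if attr is None:                    # unknown attribute: its keyword is the first word
            attr = line.split()[0]
        rest = line[len(attr):].split()
        objects.append((attr, rest[0] if rest else "", []))
    return objects


def _skip_endpoint(tokens, i):
    """Step over one ACL endpoint; return (referenced netdestination or None, next index)."""
    tok = tokens[i]                         # KeyError/IndexError if the rule is not understood
    ref = tokens[i + 1] if tok == "alias" else None
    return ref, i + _ENDPOINT_WIDTH[tok]


def _references(attr, body):
    """Yield (kind, name) for every object that the body lines refer to."""
    for tokens in body:
        if attr == "ip access-list session":
            try:                            # rule shape: <src> <dst> <service> <action> ...
                src, i = _skip_endpoint(tokens, 0)
                dst, i = _skip_endpoint(tokens, i)
                svc = tokens[i]
            except (KeyError, IndexError):
                yield "unparsed rule", " ".join(tokens)
                continue
            for ref in (src, dst):
                if ref:
                    yield "netdestination", ref
            if svc not in ("tcp", "udp") and not svc.isdigit():
                yield "netservice", svc
        elif attr == "user-role" and tokens[:2] == ["access-list", "session"]:
            yield "ip access-list session", tokens[2]


def check_role(role_text, switch_names=None):
    """Return a list of problems found in the role text; an empty list means all checks passed.

    switch_names maps an attribute to the set of names already configured on the switch.
    """
    objects = parse_objects(role_text)
    problems = []
    owner = {}                              # name -> attribute that first used it
    defined = {"netservice": set(BUILTIN_SERVICES)}
    for attr, names in (switch_names or {}).items():
        defined.setdefault(attr, set()).update(names)
    for attr, name, _ in objects:
        if attr not in WHITELIST:
            problems.append(f"'{attr} {name}' is not a whitelist role attribute")
        if name in owner and owner[name] != attr:
            problems.append(f"name '{name}' is used by both '{owner[name]}' and '{attr}'")
        owner.setdefault(name, attr)
        defined.setdefault(attr, set()).add(name)
    for attr, name, body in objects:
        for kind, ref in _references(attr, body):
            if kind == "unparsed rule":
                problems.append(f"'{attr} {name}': could not parse rule '{ref}'")
            elif ref not in defined.get(kind, set()):
                problems.append(f"'{attr} {name}' references {kind} '{ref}' that is defined "
                                f"neither in the role nor on the switch")
    return problems


# The invalid example from the user guide, and a constructed role that passes the checks.
INVALID_FROM_GUIDE = "qos-profile test\nnetdestination test\n"
SAMPLE_ROLE = """\
netdestination corp-net
  network 10.0.0.0 255.0.0.0
!
netservice svc-ssh-alt tcp 2222
!
ip access-list session corp-access
  user alias corp-net svc-https permit
  user alias corp-net svc-ssh-alt permit
  user any svc-dns permit
!
user-role employee-dl
  access-list session corp-access
  access-list session allowall
"""
# "allowall" is assumed to be a predefined session ACL on the switch.
SWITCH_NAMES = {"ip access-list session": {"allowall"}}

if __name__ == "__main__":
    for label, text in (("guide example", INVALID_FROM_GUIDE), ("sample role", SAMPLE_ROLE)):
        print(label, "->", check_role(text, SWITCH_NAMES) or "OK")
```

Run it against the role text before enabling downloadable roles; a non-empty result names the offending object so it can be fixed in the profile rather than discovered on the switch after download. Passing an empty `switch_names` shows the third rule in action: the sample role then fails only on its reference to `allowall`.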