ClearPass Tiny Bite 4 – Simplifying & Scaling your VLAN Assignment (Method 2)

In the previous post, I showed how named VLANs can simplify VLAN assignment. In this post, I will accomplish the same outcome using custom NAD attributes.

Method 2: Using Custom NAD Attributes

Looking at the diagram below, the straightforward approach needs three different services for corporate users, one per location:

  • If a corporate user is coming from Location 1, then apply VLAN 10.
  • If a corporate user is coming from Location 2, then apply VLAN 20.
  • If a corporate user is coming from Location 3, then apply VLAN 30.

A more scalable way is to store the VLAN number on each NAD device as a custom attribute and have a single enforcement profile return the value of that attribute. The location is then implied by which NAD sent the request, so the policy no longer needs to know about locations at all:

  • If a corporate user is coming from any location, then we return the value of the NAD attribute that holds the Corporate VLAN.

The trick is that on every NAD device defined in ClearPass, we create a custom attribute and set its value for that device. Custom device attributes must first be defined under Administration > Dictionaries > Attributes with the entity set to Device; only then can they be populated on a NAD. In the example below, I created two custom attributes on the NAD device: CORPORATE_VLAN is set to 99 and GUEST_VLAN is set to 100.

On the ClearPass side, we still just return a VLAN number, but the value is taken from the NAD device attribute rather than hard-coded in the profile. In the example below, we return the value of CORPORATE_VLAN as defined above.

The enforcement profile needed for all corporate users is shown below. It is a standard RADIUS VLAN assignment (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id), with Tunnel-Private-Group-Id set using the %{Device:Attribute} notation, where Attribute is the name of the custom attribute we defined on the NAD device (here, %{Device:CORPORATE_VLAN}).

As such, once the user authenticates against ClearPass, it returns this RADIUS attribute with the value resolved from the NAD that sent the request.

If the same user authenticates from another location, they still get the VLAN associated with that location's NAD device, because the value is looked up on the device, not in the policy. The one thing to keep in mind is that every NAD must actually carry the attribute: a NAD without CORPORATE_VLAN cannot yield a valid VLAN for this profile, so add it to your checklist when onboarding a new switch or controller.
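To make the lookup concrete, here is a small Python model of the mechanism, added for this post and not ClearPass code: a NAD table with custom attributes, the single corporate enforcement profile with its %{Device:CORPORATE_VLAN} reference, a resolver that expands the reference from whichever NAD sent the request, and an audit that finds NADs missing an attribute that any profile references. The NAD names, IP addresses and VLAN numbers are constructed; rejecting the request when a referenced attribute is missing or invalid is an assumption of this model, not documented ClearPass behaviour.

```python
import re

# Constructed NAD table standing in for the ClearPass Network Device list.
# Keyed by the NAD's IP address (NAS-IP-Address in the RADIUS request);
# "attributes" holds the custom device attributes set on that NAD.
NADS = {
    "10.1.1.1": {"name": "loc1-sw01", "attributes": {"CORPORATE_VLAN": "10", "GUEST_VLAN": "110"}},
    "10.2.1.1": {"name": "loc2-sw01", "attributes": {"CORPORATE_VLAN": "20", "GUEST_VLAN": "120"}},
    "10.3.1.1": {"name": "loc3-sw01", "attributes": {"CORPORATE_VLAN": "30", "GUEST_VLAN": "130"}},
    # A switch onboarded without CORPORATE_VLAN: the failure mode the audit is for.
    "10.9.1.1": {"name": "new-sw01", "attributes": {"GUEST_VLAN": "190"}},
}

# One enforcement profile per role, valid for every location. These are the
# RFC 3580 VLAN assignment attributes; the VLAN ID comes from the device attribute.
CORPORATE_PROFILE = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-Id": "%{Device:CORPORATE_VLAN}",
}
GUEST_PROFILE = dict(CORPORATE_PROFILE, **{"Tunnel-Private-Group-Id": "%{Device:GUEST_VLAN}"})

# Matches the %{Device:NAME} reference used in enforcement profile values.
DEVICE_REF = re.compile(r"%\{Device:([A-Za-z0-9_-]+)\}")


def valid_vlan(value):
    """True only for a string holding a VLAN ID in the 802.1Q range 1-4094."""
    return isinstance(value, str) and value.isdigit() and 1 <= int(value) <= 4094


def resolve_profile(profile, nad):
    """Expand every %{Device:NAME} reference from the NAD's custom attributes.

    Returns (attributes, None) on success or (None, reason) when a referenced
    attribute is absent or not a valid VLAN ID. Failing closed here is a
    modelling assumption, not documented ClearPass behaviour.
    """
    errors = []

    def substitute(match):
        name = match.group(1)
        value = nad["attributes"].get(name)
        if not valid_vlan(value):
            errors.append(f"{nad['name']}: {name} missing or invalid ({value!r})")
            return ""
        return value

    expanded = {attr: DEVICE_REF.sub(substitute, tmpl) for attr, tmpl in profile.items()}
    if errors:
        return None, "; ".join(errors)
    return expanded, None


def authorize(nas_ip, profile=CORPORATE_PROFILE, nads=NADS):
    """Simulate the enforcement step for an already-authenticated user.

    A real RADIUS server silently drops requests from unknown clients; the
    model reports that as a reject so the caller can see why.
    """
    nad = nads.get(nas_ip)
    if nad is None:
        return {"code": "Access-Reject", "reason": f"unknown NAD {nas_ip}"}
    attributes, reason = resolve_profile(profile, nad)
    if attributes is None:
        return {"code": "Access-Reject", "reason": reason}
    return {"code": "Access-Accept", "attributes": attributes}


def audit(profiles, nads=NADS):
    """List (nad_name, attribute, value) for every NAD lacking a valid value
    for any device attribute referenced by the given profiles."""
    referenced = {name for p in profiles for tmpl in p.values() for name in DEVICE_REF.findall(tmpl)}
    problems = []
    for nad in nads.values():
        for name in sorted(referenced):
            value = nad["attributes"].get(name)
            if not valid_vlan(value):
                problems.append((nad["name"], name, value))
    return problems


if __name__ == "__main__":
    for ip in ("10.1.1.1", "10.2.1.1", "10.9.1.1"):
        print(ip, authorize(ip))
    print("audit:", audit([CORPORATE_PROFILE, GUEST_PROFILE]))
```

The same corporate profile yields VLAN 10 from loc1-sw01 and VLAN 20 from loc2-sw01 without any location logic in the policy, while the audit flags new-sw01 before a corporate user ever hits it. Running such a check against your NAD list after every change is the operational counterpart of this design: the policy is simpler, but the correctness of each NAD's attributes now matters.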

I can think of many other ways to achieve the same. Which one do you prefer?
