ClearPass Tiny Bite 5 – Leveraging Device Groups to Simplify Your Policies (Part 1)

The Device Groups feature in ClearPass Policy Manager can be very handy in configuration. In particular, it can be used in:

  • Service rules to match a request to a particular service
  • Role mapping rules to map a request to a particular role
  • Enforcement policies to apply an enforcement profile only if the originating request belongs to a device in the group

These two tiny bites will cover this feature in more detail.

1) Using Device Group for Service Rule Categorization

Using device groups for service rule categorization is the easiest and most commonly used option. Whenever you add a RADIUS client / NAD device, you can associate it with a device group.

Later, in your service rules, you use the NAS-IP-Address attribute with the BELONGS_TO_GROUP operator as a match condition. This restricts the service to requests coming from devices in that group.

As such, you can easily differentiate between services based on the device group the NAD belongs to. This is handy if you want to apply different policies based on the origin of the request. For example, switches in Building 1 are placed in Group 1 while switches in Building 2 are placed in Group 2; you can then have a separate service handling each building, even though both buildings connect to the same network.

2) Using Device Group for Role Mapping

Some ClearPass admins prefer the method mentioned above, as it gives them more detailed control per service. However, other admins prefer to minimize the number of services managed in ClearPass, so they leverage device groups in role mapping policies instead.

For example, the service rule is generic and matches the SSID name for both buildings.

The role mapping policy, however, uses Connection:NAD-IP-Address BELONGS_TO_GROUP to differentiate between the groups.

As such, each group gets a different ClearPass role, which the enforcement policy can then use to apply different policies.
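As an added example (not part of the original post, and not ClearPass code), the following Python emulates how the two designs above evaluate a NAD IP address against device groups: option 1 picks a per-building service, option 2 uses one generic service and maps a role. It assumes device groups defined by subnet, regular expression, or an explicit device list, and all group names, service names, roles, and addresses are constructed.

```python
import ipaddress
import re

# Constructed device groups. ClearPass lets a device group be defined by a
# subnet, a regular expression, or a list of devices; those three formats
# are modelled here (assumption for this example).
DEVICE_GROUPS = {
    "Building1-Switches": {"format": "subnet", "value": "10.1.0.0/24"},
    "Building2-Switches": {"format": "regex", "value": r"^10\.2\.0\.\d+$"},
    "Lab-Switches": {"format": "list", "value": ["10.9.0.5", "10.9.0.6"]},
}


def belongs_to_group(nad_ip, group_name):
    """Emulate the BELONGS_TO_GROUP operator for one NAD IP address."""
    group = DEVICE_GROUPS[group_name]
    fmt, value = group["format"], group["value"]
    if fmt == "subnet":
        return ipaddress.ip_address(nad_ip) in ipaddress.ip_network(value)
    if fmt == "regex":
        return re.fullmatch(value, nad_ip) is not None
    if fmt == "list":
        return nad_ip in value
    raise ValueError(f"unknown device group format: {fmt}")


# Option 1: one service per building, each restricted by
# NAS-IP-Address BELONGS_TO_GROUP. Services are evaluated top-down,
# first match wins.
SERVICES = [
    ("Building1 802.1X", "Building1-Switches"),
    ("Building2 802.1X", "Building2-Switches"),
]


def select_service(nas_ip):
    for service_name, group_name in SERVICES:
        if belongs_to_group(nas_ip, group_name):
            return service_name
    return None  # no service matched: the request is not processed


# Option 2: a single generic service; the role mapping policy uses
# Connection:NAD-IP-Address BELONGS_TO_GROUP to assign a per-building role.
ROLE_MAPPING = [
    ("Building1-Switches", "Building1-Role"),
    ("Building2-Switches", "Building2-Role"),
]


def map_role(nad_ip, default_role="[Other]"):
    for group_name, role in ROLE_MAPPING:
        if belongs_to_group(nad_ip, group_name):
            return role
    return default_role  # falls back to the policy's default role
```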

Both of these options are handy, but my favorite method is the third one, which will be discussed in the next bite. I used it in my ACCX exam to gain time!

