The Device Groups feature in ClearPass Policy Manager can be very handy when building configurations. In the previous post, I discussed how to use Device Groups with both service rules and role mapping policies. In this post, I will cover the third option: using them in enforcement policies.
Using Device Group in Enforcement Policies
Whenever you add a RADIUS client / NAD device, you can associate it with a device group, as shown in the previous post. Later, when you create an enforcement profile, you associate the profile with a particular device group, as shown below.
Finally, in your enforcement policy, you attach multiple enforcement profiles that apply to different device groups to the same enforcement policy condition. ClearPass is intelligent enough to apply only the relevant enforcement profile, depending on the device group membership of the NAD that sent the request.
For example, in the policy below, we defined two profiles, P1 and P2.
- The P1 profile will only be applied if the request comes from a NAD device that belongs to AOS8_GROUP
- The P2 profile will only be applied if the request comes from a NAD device that belongs to DEMO_GROUP
Even though the enforcement policy contains two conflicting profiles returning different roles, ClearPass is intelligent enough to apply only the right enforcement profile based on the device group membership. For example, in the screenshot below, I logged in from an AOS 8 NAD device and ClearPass returned only the DemoUserRole.
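To make the selection logic concrete, here is an added Python model of how such a rule resolves for a given NAD (my own illustration, not ClearPass code). The NAD addresses, group membership and role names are constructed; the last function is a check I find useful before relying on this trick: it reports NADs for which more than one scoped profile would apply, since device-group scoping only avoids conflicting roles when the groups do not overlap.

```python
"""Model of an enforcement rule whose profiles are scoped to device groups.
Constructed example, not ClearPass code: group membership and roles are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Profile:
    name: str
    role: str                           # role the profile returns to the NAD
    device_group: Optional[str] = None  # None: profile applies to any NAD


# Constructed sample data: device group membership keyed by NAD IP address.
DEVICE_GROUPS = {
    "AOS8_GROUP": {"192.0.2.10"},    # hypothetical AOS 8 controller
    "DEMO_GROUP": {"192.0.2.20"},    # hypothetical demo NAD
}

# One enforcement rule carrying both profiles, as in the post.
RULE_PROFILES = [
    Profile("P1", "Role_P1", "AOS8_GROUP"),
    Profile("P2", "Role_P2", "DEMO_GROUP"),
]


def groups_for_nad(nad_ip, device_groups=DEVICE_GROUPS):
    """All device groups the NAD that sent the request belongs to."""
    return {g for g, members in device_groups.items() if nad_ip in members}


def resolve(nad_ip, profiles=RULE_PROFILES, device_groups=DEVICE_GROUPS):
    """Profiles of the rule that apply to this NAD: unscoped ones always,
    scoped ones only when the NAD is a member of that device group."""
    groups = groups_for_nad(nad_ip, device_groups)
    return [p for p in profiles if p.device_group is None or p.device_group in groups]


def conflicting_nads(profiles=RULE_PROFILES, device_groups=DEVICE_GROUPS):
    """Sanity check for a rule: NADs for which more than one profile would
    apply, which happens when device groups overlap or a profile is unscoped."""
    all_nads = set().union(*device_groups.values())
    return sorted(n for n in all_nads if len(resolve(n, profiles, device_groups)) > 1)


if __name__ == "__main__":
    for nad in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(nad, [p.role for p in resolve(nad)])
    print("NADs with conflicting profiles:", conflicting_nads())
```

A NAD that is in no device group (192.0.2.30 above) matches neither scoped profile and gets no role from this rule, which is worth remembering when a new device is added without a group.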
I used this technique in my ACCX exam. I defined different enforcement profiles for Instant APs and different enforcement profiles for Controllers. As such, I was able to save time instead of replicating similar services.
Let me know your feedback and comments.