You would probably have the same service, as it is for the same network device. Then in the enforcement policy, make sure it's set to 'First Match' and put the most specific rule first (Part of OU AND Machine Authenticated) and the less specific (Machine Authenticated) below that.
BTW, if you reuse the OU membership in other services, like for other brand switches or WLAN, you could create a Role Mapping and do an 'if OU contains <whatever>' assign role 'member-of-ou'; then in enforcement, if role eq member-of-ou and role eq machine authenticated -> enforcement profile for that; second, just role eq machine auth -> profile for that.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
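To make the ordering point concrete, here is an added example (not ClearPass code, and not from either poster) that mimics a first-match enforcement policy in a few lines of Python. It assumes constructed attribute names, a set-valued Tips:Role, and sample DNs; it shows the restricted-OU rule being shadowed when the generic Machine Authenticated rule sits above it, the fix of putting the specific rule first, and the NOT_CONTAINS variant from the question, which makes the order irrelevant.

```python
# Added example, not ClearPass code: a minimal first-match evaluator that
# mimics how an enforcement policy picks a profile. Attribute names, DNs
# and the session dicts are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    conditions: list  # (attribute, operator, value) triples; all must hold
    profile: str      # enforcement profile applied when the rule matches

def _equals(actual, expected):
    # Tips:Role holds a set of assigned roles; EQUALS means "has this role"
    return expected in actual if isinstance(actual, set) else actual == expected

OPS = {
    "EQUALS": _equals,
    "CONTAINS": lambda actual, expected: expected in actual,
    "NOT_CONTAINS": lambda actual, expected: expected not in actual,
}

def evaluate_first_match(rules, session, default="[Deny Access Profile]"):
    """Return the profile of the first rule whose conditions all match."""
    for rule in rules:
        if all(OPS[op](session.get(attr, ""), val) for attr, op, val in rule.conditions):
            return rule.profile
    return default

ROLE, USERDN = "Tips:Role", "Authorization:AD:UserDN"
MACHINE_AUTH, RESTRICTED_OU = "[Machine Authenticated]", "OU=Restricted Clinet New"

# The two rules from the thread, plus the variant with NOT_CONTAINS on the Corp rule.
RESTRICTED_RULE = Rule("restricted", [(ROLE, "EQUALS", MACHINE_AUTH),
                                      (USERDN, "CONTAINS", RESTRICTED_OU)], "Restricted VLAN")
CORP_RULE = Rule("corp", [(ROLE, "EQUALS", MACHINE_AUTH)], "Corp VLAN")
CORP_RULE_EXCLUDING = Rule("corp-excl", [(ROLE, "EQUALS", MACHINE_AUTH),
                                         (USERDN, "NOT_CONTAINS", RESTRICTED_OU)], "Corp VLAN")

# Constructed sessions: both machines passed machine authentication.
RESTRICTED_PC = {ROLE: {MACHINE_AUTH}, USERDN: "CN=LAPTOP01,OU=Restricted Clinet New,DC=example,DC=com"}
CORP_PC = {ROLE: {MACHINE_AUTH}, USERDN: "CN=LAPTOP02,OU=Workstations,DC=example,DC=com"}

if __name__ == "__main__":
    # Generic rule first: the restricted device is shadowed and lands in Corp VLAN.
    print(evaluate_first_match([CORP_RULE, RESTRICTED_RULE], RESTRICTED_PC))      # Corp VLAN
    print(evaluate_first_match([RESTRICTED_RULE, CORP_RULE], RESTRICTED_PC))      # Restricted VLAN
    print(evaluate_first_match([RESTRICTED_RULE, CORP_RULE], CORP_PC))            # Corp VLAN
    # NOT_CONTAINS on the Corp rule makes the order irrelevant.
    print(evaluate_first_match([CORP_RULE_EXCLUDING, RESTRICTED_RULE], RESTRICTED_PC))  # Restricted VLAN
```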
Original Message:
Sent: Apr 17, 2025 03:11 AM
From: amarshirish.bidkar@infosys.com
Subject: ClearPass enforcement Policy
Hi Team,
We have a service for Cisco Wired which checks the service match rules below:
Radius:IETF "NAS-Port-Type " BELONGS_TO Ethernet (15)
Connection Client-Mac-Address NOT_EQUALS %{Radius:IETF:User-Name}
Connection NAD-IP-Address BELONGS_TO_GROUP Cisco Remote Site Switches
which in turn calls an Enforcement policy which has the profile/rule below:
Enforcement profile
Condition : Tips: Role: [Machine Authenticated]
Action : Assign a Corp VLAN
Now, we will be having a match condition for devices belonging to a specific OU which will have a different VLAN assignment. I was initially thinking of creating a separate Service policy for this, but then I realized I cannot have another Wired service with the same matching rules and a different enforcement policy, as if I keep this rule 1st, it will be hit before the Corp Service which I already have. So I have questions:
1. If I want to create another service, can we have a service rule matching the OU of the device? What will be the type, name and operator?
2. If point 1 is not possible, can I add another rule in the existing Corp enforcement policy as below:
Condition :
Tips: Role: [Machine Authenticated]
AND
Type: Authorization:01.SGRE.ONE AD-->Name: UserDN-->CONTAINS-->Value OU=Restricted Clinet New
Action : Assign a new VLAN
but doing that, do I need to keep it before the current Corp rule in sequence, or do I need to add the AND condition below in the Corp rule?
AND Type: Authorization:01.SGRE.ONE AD-->Name: UserDN-->NOT_CONTAINS-->Value OU=Restricted Clinet New
Action : Assign a new VLAN
Thank you in advance.