Security

  • 1.  ClearPass Process Execution

    Posted Jul 15, 2025 01:48 PM

    Is anyone familiar with content that will deep dive into the various processes and what they do upon execution in ClearPass?  One of the things that had tripped me up is the application of Enforcement Profiles in an enforcement policy.  There doesn't seem to be a limit to how many profiles can be added to a policy; however, I don't think they always get executed.  You can adjust the order in policies but it's not clear why.  Do they execute sequentially no matter what?  If one profile contradicts another profile further up the list, does it just overwrite what was previously executed?  i.e. the bottom policy has the last word?

    I don't like black boxes.  I want to understand more than just what buttons in Clearpass to push to make it do things.  I want to understand HOW it works.

    #ClearPass

    #nac



  • 2.  RE: ClearPass Process Execution

    Posted Jul 15, 2025 02:42 PM
    Edited by chulcher Jul 15, 2025 02:43 PM

    Generally speaking, if there are multiple enforcement profiles returning the same attribute, then the first instance of that attribute is returned and any other attempt to send that attribute will be ignored.  Same behavior if you attempt to set the attribute multiple times in a single rule or if your policy enforcement is set to "all applicable".

    Your best option is going to be writing the policy as clearly and coherently as possible so that you aren't having to ask the question of what gets applied and when.  That may mean breaking an enforcement profile into multiple pieces to meet more dynamic needs.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: ClearPass Process Execution

    Posted Jul 15, 2025 02:50 PM
    That may mean breaking an enforcement profile into multiple pieces to meet more dynamic needs.

    Would you say that a basic "Guest with MAC caching" template implementation has an example of that?  I pasted in a screenshot of an access tracker record for the matched service.




  • 4.  RE: ClearPass Process Execution
    Best Answer

    Posted Jul 15, 2025 03:15 PM

    My recommendation, learn what each of those individual profiles is doing, figure out how all of that makes sense to you, then delete everything the wizard did and create the configuration from scratch.

    But no, none of those profiles should have any overlapping attributes.

    I'm very much not a fan of how the wizard names everything, my eyes get lost in the repetition of the prefix and I have to pay more attention to what is going on than I should need to.

    My personal setup, I can tell you exactly what each of the profiles is doing and you can probably guess by the name, even if those last two profiles come under the heading of ClearPass black box behind the scenes magic.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
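    The two replies above describe the same rule from two sides: when several profiles in one enforcement policy return the same attribute, the first one in policy order is kept and later ones are ignored (reply 2), so a cleanly written policy has no overlapping attributes between its profiles at all (reply 4). The following Python is an added illustration, not ClearPass code and not something posted in the thread: it simulates that first-wins merge over a constructed list of profiles and adds a small lint that reports which attributes more than one profile is trying to set. The profile names and attribute values are invented; only the merge rule comes from the reply.

```python
# Constructed sample policy: an ordered list of (profile name, attributes).
# Attribute names are ordinary RADIUS / Aruba VSA names; the values and
# profile names are made up for this example, not from a real deployment.
SAMPLE_POLICY = [
    ("Guest Role", {"Aruba-User-Role": "guest", "Session-Timeout": "3600"}),
    ("Guest VLAN", {"Tunnel-Private-Group-Id": "100", "Filter-Id": "guest-acl"}),
    ("Contractor Role", {"Aruba-User-Role": "contractor", "Session-Timeout": "28800"}),
]

# A policy written the way reply 4 recommends: every attribute is owned by
# exactly one profile, so ordering cannot change the result.
CLEAN_POLICY = [
    ("Guest Role", {"Aruba-User-Role": "guest"}),
    ("Guest Timeout", {"Session-Timeout": "3600"}),
    ("Guest VLAN", {"Tunnel-Private-Group-Id": "100"}),
]


def merge_first_wins(policy):
    """Simulate the behaviour described in reply 2 (an assumption about the
    engine, not a reimplementation of it): walk the profiles in policy order,
    keep the first value seen for each attribute and ignore later ones.
    Returns (merged attributes, list of (profile, attribute, value) ignored)."""
    merged = {}
    ignored = []
    for profile_name, attrs in policy:
        for attr, value in attrs.items():
            if attr in merged:
                # A later profile is trying to set an attribute that an
                # earlier profile already returned; it loses silently.
                ignored.append((profile_name, attr, value))
            else:
                merged[attr] = value
    return merged, ignored


def find_overlaps(policy):
    """Lint: map every attribute to the profiles that set it and return only
    the attributes claimed by more than one profile. An empty result means
    profile order cannot affect what the client receives."""
    owners = {}
    for profile_name, attrs in policy:
        for attr in attrs:
            owners.setdefault(attr, []).append(profile_name)
    return {attr: names for attr, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    merged, ignored = merge_first_wins(SAMPLE_POLICY)
    print("returned:", merged)
    print("ignored: ", ignored)
    print("overlaps:", find_overlaps(SAMPLE_POLICY))
    # Reversing the order changes the outcome only because of the overlaps.
    print("reversed:", merge_first_wins(list(reversed(SAMPLE_POLICY)))[0])
    print("clean policy overlaps:", find_overlaps(CLEAN_POLICY))
```

Running it on the constructed policy shows the contractor role and its longer timeout being dropped because the guest profile sits higher in the list; reversing the order flips which profile wins, which is exactly the ambiguity the thread is asking about. The lint is the practical takeaway: if `find_overlaps` returns anything for a policy, its behaviour depends on ordering and it is worth splitting or rewriting the profiles so that each attribute has a single owner.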



  • 5.  RE: ClearPass Process Execution

    Posted Jul 15, 2025 03:32 PM
    Yeah, I'm not crazy about the wizard. There is a lot of ambiguity surrounding variables submitted and the glut of configuration that it generates.  I think the guest stuff all makes sense, but it isn't intuitive and I'm not sure I could have built the same from scratch given the documentation available.  I came across one YouTube video where the guy actually walked through what was happening rather than, "click here and magic happens."

    You give some great advice sir!  Thank you!





  • 6.  RE: ClearPass Process Execution

    Posted Jul 15, 2025 03:58 PM

    Run through the wizard, see what can be seen, watch the videos by Herman, learn more there, then start over on your own and go from there.

    Also, nice to have a lab system to one side that is set up and working so that you have something to reference when building the real configuration out.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------