Here's the summary. The only other option I tried was to take the AnyAny class off of it, and that just blocked everything.
-------------------------------------------
Original Message:
Sent: Apr 30, 2026 03:05 AM
From: jonas.hammarback
Subject: Create ACL within User Role in Clearpass
The rules are applied in the order as they are numbered in the policy.

Can you share the output of both the versions of the policy you have tried?
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
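To make the ordering point concrete, here is a small first-match ACL evaluator. It is an added illustration, not ClearPass code and not anything the poster above wrote: it assumes the usual first-match semantics with an implicit deny at the end, reuses the class names from the thread (DHCP, Staff_Deny, AnyAny), and assumes 10.10.0.0/16 as the Staff_Deny destination, which the thread never specifies. It also includes a shadowing check a practitioner would want: any class listed after a permit-AnyAny entry can never fire.

```python
"""Toy first-match ACL evaluator (constructed example, not ClearPass's own logic)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One match line inside a class: destination network, optional protocol and port."""
    dst: str = "0.0.0.0/0"          # CIDR; default matches any destination
    proto: Optional[str] = None     # "udp"/"tcp", or None for any protocol
    dport: Optional[int] = None     # destination port, or None for any port

    def matches(self, dst_ip: str, proto: str, dport: int) -> bool:
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches self."""
        if not ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst)):
            return False
        if self.proto is not None and self.proto != other.proto:
            return False
        return self.dport is None or self.dport == other.dport


@dataclass(frozen=True)
class TrafficClass:
    name: str
    rules: Tuple[Rule, ...]

    def matches(self, dst_ip: str, proto: str, dport: int) -> bool:
        return any(r.matches(dst_ip, proto, dport) for r in self.rules)


# A policy is an ordered list of (class, action); order is the rule number.
Policy = List[Tuple[TrafficClass, str]]


def evaluate(policy: Policy, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Walk entries in numbered order; first matching class wins. No match -> implicit deny."""
    for cls, action in policy:
        if cls.matches(dst_ip, proto, dport):
            return action, cls.name
    return "deny", "<implicit>"


def shadowed_entries(policy: Policy) -> List[str]:
    """Classes that can never fire because earlier entries already cover all of their rules."""
    shadowed = []
    for i, (cls, _) in enumerate(policy):
        earlier = [r for prev, _ in policy[:i] for r in prev.rules]
        if cls.rules and all(any(e.covers(r) for e in earlier) for r in cls.rules):
            shadowed.append(cls.name)
    return shadowed


# Hypothetical classes modelled on the thread; the Staff_Deny subnet is an assumption.
DHCP = TrafficClass("DHCP", (Rule(proto="udp", dport=67), Rule(proto="udp", dport=68)))
STAFF_DENY = TrafficClass("Staff_Deny", (Rule(dst="10.10.0.0/16"),))
ANY_ANY = TrafficClass("AnyAny", (Rule(),))

# Three orderings of the same classes.
POLICY_ANYANY_FIRST = [(DHCP, "permit"), (ANY_ANY, "permit"), (STAFF_DENY, "deny")]
POLICY_DENY_FIRST = [(DHCP, "permit"), (STAFF_DENY, "deny"), (ANY_ANY, "permit")]
POLICY_NO_ANYANY = [(DHCP, "permit"), (STAFF_DENY, "deny")]


if __name__ == "__main__":
    # Constructed sample flows: internal staff host, an unrelated internal host, DHCP discover.
    samples = [("10.10.5.20", "tcp", 445), ("192.168.50.10", "tcp", 443), ("255.255.255.255", "udp", 67)]
    for label, policy in [("AnyAny before Staff_Deny", POLICY_ANYANY_FIRST),
                          ("Staff_Deny before AnyAny", POLICY_DENY_FIRST),
                          ("no AnyAny at all", POLICY_NO_ANYANY)]:
        print(f"== {label}; shadowed: {shadowed_entries(policy)}")
        for flow in samples:
            print(f"  {flow} -> {evaluate(policy, *flow)}")
```

Run stand-alone it shows the two failure modes from the thread under first-match semantics: with the permit-AnyAny entry ordered ahead of Staff_Deny, the deny is shadowed and staff hosts stay reachable; with AnyAny removed entirely, everything except DHCP falls through to the implicit deny. Only the ordering with Staff_Deny before AnyAny gives the intended result, so the numbered order in the policy is what to check against the generated role summary.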
Original Message:
Sent: Apr 29, 2026 10:34 AM
From: JM11
Subject: Create ACL within User Role in Clearpass
So does the summary list the classes in the order that the ACL rules are applied? For example, in the policy you have the DHCP class set as #1, yet in the summary it's listed as the fourth set of rules applied.
Original Message:
Sent: Apr 29, 2026 10:00 AM
From: jonas.hammarback
Subject: Create ACL within User Role in Clearpass
When I create a policy like this I create classes based on IP, network or ports. In the policy I select whether the class should be allowed or not.
The syntax of the role ACL can be seen in the summary tab.

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Apr 29, 2026 09:45 AM
From: JM11
Subject: Create ACL within User Role in Clearpass
Hello all,
I'm looking to see if it's possible to create an ACL in the Enforcement Profile that users' devices download when connecting to a switch.
I've created a test Enforcement Profile that assigns the VLAN via the Access VLAN Name. Then I tried creating a Policy within the profile by piecing together multiple Classes and setting them to either Permit or Deny.

Here's the Policy Staff_Limit:

The client seems to follow the lowest rule in the policy. So if I permit the AnyAny class, then the client can still reach anything internally. If I remove that, then the client is blocked from everything in the Staff_Deny class. So I'm assuming piecing these different classes together like this doesn't function like a typical ACL would.
Any ideas what I'm doing wrong, or if it's even possible to restrict clients this way?
Thanks!
-------------------------------------------