  • 1.  Create ACL within User Role in Clearpass

    Posted 24 days ago

    Hello all,

    I'm looking to see if it's possible to create an ACL in the Enforcement Profile that users' devices download when connecting to a switch.

    I've created a test Enforcement Profile that assigns the VLAN via the Access VLAN Name.  Then I tried creating a Policy within the profile by piecing together multiple Classes and setting them to either Permit or deny.

    Here's the Policy Staff_Limit:

    The client seems to follow the lowest rule in the policy.  So if I permit the AnyAny class, then the client can still reach anything internally.  If I remove that, then the client is blocked from everything in the Staff_Deny class.  So I'm assuming piecing these different classes together like this doesn't function like a typical ACL would.

    Any ideas what I'm doing wrong, or if it's even possible to restrict clients this way?

    Thanks!



    -------------------------------------------


  • 2.  RE: Create ACL within User Role in Clearpass

    Posted 24 days ago

    When I create a policy like this I create classes based on IP, network or ports. In the policy I select if the class should be allowed or not.

    The syntax of the role ACL can be seen in the summary tab.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Create ACL within User Role in Clearpass

    Posted 24 days ago

    So does the summary list the classes in the order that the ACL rules are applied?  For example, in the policy you have the DHCP class set as #1, yet in the summary it's listed as the fourth set of rules applied.

    -------------------------------------------



  • 4.  RE: Create ACL within User Role in Clearpass

    Posted 23 days ago
    Edited by jonas.hammarback 23 days ago

    The rules are applied in the order in which they are numbered in the policy.

    Can you share the output of both the versions of the policy you have tried?

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
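    The ordering point in the reply above is the whole story behind the original observation, so here is an added example (not ClearPass or Aruba code, and not from anyone in this thread) that models a role policy as an ordered list of numbered class rules evaluated first-match with an implicit deny at the end. The class names Staff_Deny, DHCP and AnyAny mirror the thread; the addresses, the 10.10.0.0/16 "internal" range and the sample packets are constructed. It also flags rules that can never match because an earlier rule already covers everything they match, which is what happens when AnyAny/permit sits above Staff_Deny/deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Match:
    """One match entry inside a class. Assumed simplified model, not a vendor schema."""
    proto: str = "any"            # "any", "tcp" or "udp"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None = any destination port

    def hits(self, pkt: dict) -> bool:
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))

    def covers(self, other: "Match") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return ((self.proto == "any" or self.proto == other.proto)
                and ip_network(self.src).supernet_of(ip_network(other.src))
                and ip_network(self.dst).supernet_of(ip_network(other.dst))
                and (self.dport is None or self.dport == other.dport))


@dataclass(frozen=True)
class Class:
    name: str
    matches: tuple  # tuple of Match; a class matches if any entry hits


# A policy is a list of (sequence number, class, action). Lower number = evaluated first.
def evaluate(policy, pkt: dict, default: str = "deny"):
    """Return (action, sequence) of the first matching rule, or (default, None)."""
    for seq, cls, action in sorted(policy, key=lambda r: r[0]):
        if any(m.hits(pkt) for m in cls.matches):
            return action, seq
    return default, None


def shadowed_rules(policy):
    """Sequence numbers of rules that can never be reached because earlier rules cover them."""
    rules = sorted(policy, key=lambda r: r[0])
    out = []
    for i, (seq, cls, _) in enumerate(rules):
        earlier = [m for _, c, _ in rules[:i] for m in c.matches]
        if cls.matches and all(any(e.covers(m) for e in earlier) for m in cls.matches):
            out.append(seq)
    return out


# Constructed classes (the 10.10.0.0/16 range stands in for "internal servers").
STAFF_DENY = Class("Staff_Deny", (Match(dst="10.10.0.0/16"),))
DHCP = Class("DHCP", (Match(proto="udp", dport=67),))
ANYANY = Class("AnyAny", (Match(),))

# Three orderings: AnyAny first, deny before AnyAny, and no AnyAny at all.
PERMIT_ANY_FIRST = [(10, ANYANY, "permit"), (20, STAFF_DENY, "deny")]
DENY_BEFORE_ANY = [(10, DHCP, "permit"), (20, STAFF_DENY, "deny"), (30, ANYANY, "permit")]
NO_ANYANY = [(10, DHCP, "permit"), (20, STAFF_DENY, "deny")]

# Constructed sample traffic from a client on the staff VLAN.
TO_INTERNAL = {"proto": "tcp", "src": "192.168.50.20", "dst": "10.10.1.5", "dport": 445}
TO_INTERNET = {"proto": "tcp", "src": "192.168.50.20", "dst": "203.0.113.10", "dport": 443}
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67}

if __name__ == "__main__":
    for name, pol in [("AnyAny first", PERMIT_ANY_FIRST),
                      ("deny before AnyAny", DENY_BEFORE_ANY),
                      ("no AnyAny", NO_ANYANY)]:
        print(f"{name}: internal={evaluate(pol, TO_INTERNAL)} "
              f"internet={evaluate(pol, TO_INTERNET)} dhcp={evaluate(pol, DHCP_DISCOVER)} "
              f"shadowed={shadowed_rules(pol)}")
```

With AnyAny above Staff_Deny everything is permitted at rule 10 and rule 20 is reported as shadowed; with only DHCP and Staff_Deny, non-DHCP traffic falls through to the implicit deny, which matches the "blocked from everything" result; only DHCP/permit, Staff_Deny/deny, AnyAny/permit in that order gives the intended "block internal, allow the rest" behaviour. The shadow check is conservative (it only recognises a rule as unreachable when single earlier entries fully cover each of its entries), so an empty result does not prove every rule is reachable.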



  • 5.  RE: Create ACL within User Role in Clearpass

    Posted 23 days ago

    Here it is with the Apply All class added at the end:

    Here's the summary.  The only other option I tried was to take the AnyAny class off of it, and that just blocked everything.

    Appreciate you taking a look!

    -------------------------------------------