  • 1.  Port description through Clearpass

    Posted Aug 01, 2025 05:33 AM

    Hi all,

    We are using Clearpass to dynamically put a device in a VLAN based on (for example) its MAC address. However, all these ports are labeled access-ports. Would it be possible to label a port which has a printer connected "Printer", a port connected to an iphone "IP-Phone" and so on and so on? This would make life a little easier when doing a show int descriptions :)
    We are using Juniper switches.

    Kind regards

    EDG341



    -------------------------------------------


  • 2.  RE: Port description through Clearpass

    Posted Aug 01, 2025 06:44 AM

    Hi

    Short answer is: Probably no.

    The longer answer is that as far as I know the description can't be sent as a generic RADIUS attribute. If Juniper have a specific VSA for this it will be possible. But I'm not familiar with Juniper VSA.

    But you can implement a CLI enforcement to do configuration of the description. This will have some things to consider. First ClearPass must be able to access all switches over SSH and have an account to perform SSH authentication. This account must have the correct permissions to configure description on ports. As this command will only be executed when a device authenticates on a port, the port will keep the description even though the device has disconnected.

    To implement this from ClearPass perspective you have to enable CLI Access on the Network Device.

    Also you need to create an enforcement profile with the CLI command you need to run.

    In the Command row you specify the command to execute.

    Assign the enforcement profile in the enforcement policy in addition to your current VLAN profiles etc.

    I have only tested similar functions in lab environment. Make sure to test and verify in lab before rolling out in production.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Port description through Clearpass

    Posted Aug 01, 2025 08:38 AM

    Like Jonas said, it's not possible. Another option is to send back a username via RADIUS. I believe you can use the command: show dot1x interface brief on Junos to show the authenticated users and usernames.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------
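
Added example, not part of any post in this thread: a Python check for the side effect noted in reply 2 (a port keeps its description after the device disconnects), done by comparing port descriptions against the 802.1X sessions from the command named in reply 3. The sample text is constructed, its column layout is an assumption about the two show commands, and the label set and all function names are hypothetical.

```python
import re

# Constructed sample, shaped like `show interfaces descriptions` (assumed layout).
DESCRIPTIONS = """\
Interface       Admin Link Description
ge-0/0/1        up    up   Printer
ge-0/0/2        up    down IP-Phone
ge-0/0/3        up    up   Printer
ge-0/0/10       up    up   Uplink to core
"""

# Constructed sample, shaped like `show dot1x interface brief` (assumed layout).
DOT1X = """\
802.1X Information:
Interface     Role           State           MAC address          User
ge-0/0/1.0    Authenticator  Authenticated   00:11:22:33:44:55    printer-01
ge-0/0/2.0    Authenticator  Connecting
ge-0/0/3.0    Authenticator  Authenticated   00:11:22:33:44:66    printer-02
"""

# Hypothetical: the only labels the CLI enforcement profile ever writes.
MANAGED_LABELS = {"Printer", "IP-Phone"}
IFACE = re.compile(r"^[a-z]+-\d+/\d+/\d+")  # data rows start with a port name

def parse_descriptions(text):
    """Return {interface: description} from the description table."""
    result = {}
    for line in text.splitlines():
        fields = line.split(None, 3)  # description may contain spaces
        if IFACE.match(line) and len(fields) == 4:
            result[fields[0]] = fields[3].strip()
    return result

def parse_sessions(text):
    """Return {interface: user} for ports in the Authenticated state."""
    sessions = {}
    for line in text.splitlines():
        fields = line.split()
        if IFACE.match(line) and len(fields) >= 5 and fields[2] == "Authenticated":
            sessions[fields[0].split(".")[0]] = fields[4]  # drop logical unit (.0)
    return sessions

def stale_labels(desc_text, dot1x_text, managed=MANAGED_LABELS):
    """Ports carrying a managed label but with no authenticated session."""
    sessions = parse_sessions(dot1x_text)
    return sorted(port for port, label in parse_descriptions(desc_text).items()
                  if label in managed and port not in sessions)

if __name__ == "__main__":
    print(stale_labels(DESCRIPTIONS, DOT1X))
```

Ports with descriptions outside the managed set, such as the uplink, are never reported, so manually documented ports are left alone.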



  • 4.  RE: Port description through Clearpass

    Posted Aug 01, 2025 10:05 AM

    Thanks!

    -------------------------------------------



  • 5.  RE: Port description through Clearpass

    Posted Aug 01, 2025 10:04 AM
    Edited by EDG341 Aug 01, 2025 10:04 AM

    Thank you for your answers!

    -------------------------------------------



  • 6.  RE: Port description through Clearpass

    Posted Aug 03, 2025 08:52 AM

    Hi.

    You should be able to change the port name via SNMP, CLI or HTTP enforcement profile. But I see no point in changing the port name as you can provide a username for the session, as was already mentioned.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------