Netservice and Netdestination Downloadable User Role

With netservice and netdestination support in class filters, users can create class filters that reference aliases. For a Downloadable User Role (DUR), all class policies are configured in ClearPass. For a netservice and netdestination DUR, the alias commands (the netservice and netdestination definitions) must be configured before the policy and class rules that reference them are configured in ClearPass, because the switch applies the downloaded configuration in order.

Several devices can reuse the same downloadable configuration; only the host or network IP specified in the netdestination needs to change.

Example

To allow RADIUS, FTP, DHCP and DNS (the class rules use the system alias "any" as source, so the "source_ip" netdestination below is defined but not referenced):

netdestination "source_ip"
network 0.0.0.0/0 position 1
exit
netdestination "destination_ip"
network 0.0.0.0/0 position 1
exit
netdestination "destination_dhcp_ip"
host 255.255.255.255
exit
netservice "allowrad" udp 1812 1813
netservice "allowftp" tcp 21
netservice "allowdhcp" udp 67 68
netservice "allowdns" udp 53
class ipv4 "allow-service"
12 match alias-src "any" alias-dst "destination_ip" alias-srvc allowrad
14 match alias-src "any" alias-dst "destination_ip" alias-srvc allowftp
16 match alias-src "any" alias-dst "destination_ip" alias-srvc allowdns
10 match alias-src "any" alias-dst "destination_dhcp_ip" alias-srvc allowdhcp
exit
policy user "allow-service"
10 class ipv4 "allow-service" action permit
exit
aaa authorization user-role name "netdestrole"
policy "allow-service"
vlan-id 2098
exit
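To catch ordering mistakes before a role is pushed, the following is an added Python checker; it is example code, not part of ArubaOS-Switch or ClearPass. It parses a DUR fragment in the order the switch would apply it, flags any alias, class or policy that is referenced before it is defined, and also flags a definition that reuses a system default alias name such as "any". The regular expressions, the SYSTEM_ALIASES set and both sample fragments are assumptions based on the CLI forms shown above.

```python
"""Added example, not ArubaOS or ClearPass code: order-check a DUR fragment.
Walks the role text in the order the switch applies it and reports any alias,
class or policy referenced before it is defined, plus any attempt to redefine
a system default alias. Assumes the CLI forms used in the page's example."""
import re
from typing import Dict, List, Set

SYSTEM_ALIASES: Set[str] = {"any"}  # assumption: only "any" matters here

_NAME = r'"?([\w.-]+)"?'
RE_NETDEST = re.compile(r"^netdestination\s+" + _NAME)
RE_NETSVC = re.compile(r"^netservice\s+" + _NAME)
RE_CLASS = re.compile(r"^class\s+ipv[46]\s+" + _NAME)
RE_POLICY = re.compile(r"^policy\s+user\s+" + _NAME)
RE_ROLE = re.compile(r"^aaa\s+authorization\s+user-role\s+name\s+" + _NAME)
RE_MATCH = re.compile(r"^\d+\s+match\s+(.*)$")
RE_ALIAS_REF = re.compile(r"alias-(src|dst|srvc)\s+" + _NAME)
RE_CLASS_REF = re.compile(r"^\d+\s+class\s+ipv[46]\s+" + _NAME)
RE_POLICY_REF = re.compile(r"^policy\s+" + _NAME + r"$")


def check_dur(text: str) -> List[str]:
    """Return the problems found; an empty list means the fragment is ordered correctly."""
    defined: Dict[str, Set[str]] = {k: set() for k in ("netdestination", "netservice", "class", "policy")}
    errors: List[str] = []
    context = None  # block currently open: netdestination / class / policy / role

    def define(kind: str, name: str, lineno: int) -> None:
        if name in SYSTEM_ALIASES:  # limitation: default names cannot be reused via ClearPass
            errors.append(f"line {lineno}: {kind} {name!r} redefines a system default alias")
        defined[kind].add(name)

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "exit":
            context = None
        elif m := RE_NETDEST.match(line):
            define("netdestination", m.group(1), lineno)
            context = "netdestination"  # host/network lines inside are ignored
        elif m := RE_NETSVC.match(line):  # single-line alias, no exit
            define("netservice", m.group(1), lineno)
        elif m := RE_CLASS.match(line):
            defined["class"].add(m.group(1))
            context = "class"
        elif m := RE_POLICY.match(line):
            defined["policy"].add(m.group(1))
            context = "policy"
        elif RE_ROLE.match(line):
            context = "role"
        elif context == "class" and (m := RE_MATCH.match(line)):
            for kind, name in RE_ALIAS_REF.findall(m.group(1)):
                pool = "netservice" if kind == "srvc" else "netdestination"
                if name not in SYSTEM_ALIASES and name not in defined[pool]:
                    errors.append(f"line {lineno}: alias-{kind} {name!r} used before {pool} {name!r} is defined")
        elif context == "policy" and (m := RE_CLASS_REF.match(line)):
            if m.group(1) not in defined["class"]:
                errors.append(f"line {lineno}: class {m.group(1)!r} used before it is defined")
        elif context == "role" and (m := RE_POLICY_REF.match(line)):
            if m.group(1) not in defined["policy"]:
                errors.append(f"line {lineno}: policy {m.group(1)!r} used before it is defined")
    if context is not None:
        errors.append(f"block {context!r} is not closed with exit")
    return errors


# Constructed sample (not captured from a switch): the page's DHCP/DNS role in the required order.
GOOD_DUR = """\
netdestination "destination_ip"
network 0.0.0.0/0 position 1
exit
netdestination "destination_dhcp_ip"
host 255.255.255.255
exit
netservice "allowdhcp" udp 67 68
netservice "allowdns" udp 53
class ipv4 "allow-service"
10 match alias-src "any" alias-dst "destination_dhcp_ip" alias-srvc allowdhcp
16 match alias-src "any" alias-dst "destination_ip" alias-srvc allowdns
exit
policy user "allow-service"
10 class ipv4 "allow-service" action permit
exit
aaa authorization user-role name "netdestrole"
policy "allow-service"
vlan-id 2098
exit
"""

# Constructed negative case: the same role with "allowdns" defined only after the class that uses it.
BROKEN_DUR = GOOD_DUR.replace('netservice "allowdns" udp 53\n', "") + 'netservice "allowdns" udp 53\n'

if __name__ == "__main__":
    for label, dur in (("good", GOOD_DUR), ("broken", BROKEN_DUR)):
        print(label, check_dur(dur) or "ok")
```

Run it as a script to see the ordered sample pass and the deliberately reordered one fail; in practice, feed it the text of the ClearPass enforcement profile before saving it, since the switch reports an ordering error only after the download.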

Limitations

  • Downloading a configuration from ClearPass introduces a delay while the alias-based class filters are translated.

  • The names of user-defined or system default netdestinations and netservices cannot be reused in netdestinations and netservices configured dynamically through ClearPass.

  • The downloaded netdestinations, netservices and alias-based class filters are not displayed by show commands.

  • ClearPass is the only RADIUS server for which downloading netdestinations and netservices is supported.

  • ClearPass supports netservice and netdestination in advanced mode only; standard mode is not supported.