2024-05-30

ClearPass Enforcement Profile Generator for Egress-VLAN-ID Attribute

Intro

During the last couple of years and many ClearPass projects, I have had to deal with multi-vendor environments quite often. Since ClearPass policies are best kept simple, it is good practice to use the IETF attributes (rather than vendor-specific ones) as much as possible. For the typical untagged VLAN enforcement this is easy.
But what about tagged VLANs for VoIP phones or Access Points?

RFC 4675 specifies the Egress-VLAN-ID attribute. With it you can send one or more VLANs back to the network access device, and one of them can be untagged.
The RFC defines the value in a hex format that is fairly easy to read: you only need to interpret the last 3 hex digits as the VLAN ID.
In ClearPass, however, these values have to be entered as decimal numbers, which makes them hard to recognize by eye.

But what about Egress-VLAN-Name???

I have used the Egress-VLAN-Name attribute in many projects, and in an estimated 50 percent of them it was unusable because the VLANs were not named consistently across vendors, departments, worldwide locations, etc.
You get it ;-)
If you can use the VLAN-Name attribute, go for it! If not, continue reading!

Problems solved:

With my online tool you can convert the decimal values encountered in ClearPass back to a human-readable form and also generate an XML enforcement profile for import into ClearPass.

1.) Convert decimal value back to human readable

If you encounter a decimal value in a ClearPass Enforcement Profile, you can convert it back.
Valid values are between 822083585 (VLAN ID 1 tagged) and 838864894 (VLAN ID 4094 untagged).
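To make the decimal form less opaque, here is an added example (my own illustration, not the code behind the tool) that encodes and decodes Egress-VLAN-ID values the way RFC 4675 lays them out: the top byte is the tag indicator (0x31 tagged, 0x32 untagged), followed by 12 zero padding bits and the 12-bit VLAN ID. The function names and the sample VLAN numbers are assumptions for illustration; the decoder also rejects malformed values (wrong tag indicator, non-zero padding, VLAN ID outside 1-4094) rather than silently returning garbage.

```javascript
// Added example, not the author's tool: encode and decode RFC 4675
// Egress-VLAN-ID values in the decimal form ClearPass shows.
// Layout: top byte 0x31 (tagged) or 0x32 (untagged), 12 zero
// padding bits, then the 12-bit VLAN ID.
const TAG_TAGGED = 0x31;
const TAG_UNTAGGED = 0x32;

function checkVlanId(vlanId) {
  if (!Number.isInteger(vlanId) || vlanId < 1 || vlanId > 4094) {
    throw new RangeError(`VLAN ID out of range: ${vlanId}`);
  }
}

// vlanId + tagged flag -> decimal attribute value (e.g. 1 tagged -> 822083585).
function encodeEgressVlanId(vlanId, tagged) {
  checkVlanId(vlanId);
  const tagIndicator = tagged ? TAG_TAGGED : TAG_UNTAGGED;
  return ((tagIndicator << 24) | vlanId) >>> 0; // >>> 0 keeps it unsigned 32-bit
}

// decimal attribute value -> { vlanId, tagged, hex }; rejects malformed values.
function decodeEgressVlanId(value) {
  if (!Number.isInteger(value) || value < 0 || value > 0xffffffff) {
    throw new RangeError(`not a 32-bit value: ${value}`);
  }
  const tagIndicator = value >>> 24;
  const padding = (value >>> 12) & 0xfff;
  const vlanId = value & 0xfff;
  if (tagIndicator !== TAG_TAGGED && tagIndicator !== TAG_UNTAGGED) {
    throw new RangeError(`unknown tag indicator 0x${tagIndicator.toString(16)}`);
  }
  if (padding !== 0) throw new RangeError("padding bits must be zero");
  checkVlanId(vlanId);
  const hex = "0x" + value.toString(16).padStart(8, "0");
  return { vlanId, tagged: tagIndicator === TAG_TAGGED, hex };
}

// One untagged VLAN plus any number of tagged VLANs, as the list of
// Egress-VLAN-ID values an enforcement profile would carry (sample VLANs constructed).
function egressVlanIdValues(untaggedVlan, taggedVlans) {
  const values = [encodeEgressVlanId(untaggedVlan, false)];
  for (const v of taggedVlans) values.push(encodeEgressVlanId(v, true));
  return values;
}

console.log(decodeEgressVlanId(838864894)); // { vlanId: 4094, tagged: false, hex: '0x32000ffe' }
```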

2.) Create Enforcement Profile

You can add different VLANs and optionally set the port to Device/Infrastructure Mode for AOS-S or AOS-CX.
With the port in device/infrastructure mode instead of user mode, only the first device on the port is authenticated; clients (MAC addresses) seen afterwards are free to communicate.
This is used in conjunction with Access Points or desktop switches, where the AP/switch itself is responsible for authenticating the clients behind it.

For AOS-S there are two attributes for device mode: one for MAC Auth and one for Dot1x/RADIUS Auth.
You need to select the appropriate one for your use case, depending on whether the device is authenticated via MAC or via dot1x.

Access the tool

The tool can be found here: https://philipp-koch.net/cppm/rfc4675.html

As the tool is plain JavaScript and runs entirely in your browser, no customer data is ever transmitted to my server. You can even save the web page for offline use!