Netservice and Netdestination Downloadable User Role
With netservice and netdestination support for class filters, users can create class filters that reference aliases. For Downloadable User Role (DUR), all class policies are configured in ClearPass. For netservice and netdestination DUR, the alias commands must be configured before the policy and class rules are configured in ClearPass.
Several devices can reuse the same downloadable configuration; only the host or network IP specified in the netdestination needs to change.
Example
To allow ftp/dhcp/dns:

netdestination "source_ip"
   network 0.0.0.0/0 position 1
   exit
netdestination "destination_ip"
   network 0.0.0.0/0 position 1
   exit
netdestination "destination_dhcp_ip"
   host 255.255.255.255
   exit
netservice "allowrad" udp 1812 1813
netservice "allowftp" tcp 21
netservice "allowdhcp" udp 67 68
netservice "allowdns" udp 53
class ipv4 "allow-service"
   12 match alias-src "any" alias-dst "destination_ip" alias-srvc allowrad
   14 match alias-src "any" alias-dst "destination_ip" alias-srvc allowftp
   16 match alias-src "any" alias-dst "destination_ip" alias-srvc allowdns
   10 match alias-src "any" alias-dst "destination_dhcp_ip" alias-srvc allowdhcp
   exit
policy user "allow-service"
   10 class ipv4 "allow-service" action permit
   exit
aaa authorization user-role name "netdestrole"
   policy "allow-service"
   vlan-id 2098
   exit
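Because the alias commands must exist before the class rules that reference them are pushed from ClearPass, a useful pre-check is to confirm that every alias-src, alias-dst and alias-srvc named in the class rules has a matching netdestination or netservice definition. The following Python script is an added example, not Aruba or ClearPass code: it parses the switch-side definitions and the class rules (both embedded here as constructed samples based on the configuration above, with one extra rule referencing an undefined "allowhttp" service) and reports any unresolved alias. It treats "any" as a built-in destination that needs no definition, which is an assumption drawn from its use in the example above.

```python
"""Pre-check for alias-based DUR class filters (added example, not Aruba code).

Parses netdestination/netservice definitions and a set of class rules and
reports every alias reference that has no matching definition.
"""
import re

# Constructed sample: alias definitions as configured on the switch.
SWITCH_CONFIG = """
netdestination "source_ip"
   network 0.0.0.0/0 position 1
   exit
netdestination "destination_ip"
   network 0.0.0.0/0 position 1
   exit
netdestination "destination_dhcp_ip"
   host 255.255.255.255
   exit
netservice "allowrad" udp 1812 1813
netservice "allowftp" tcp 21
netservice "allowdhcp" udp 67 68
netservice "allowdns" udp 53
"""

# Constructed sample: class rules as they would be configured in ClearPass.
# Rule 18 deliberately references a netservice that is not defined above.
CLASS_RULES = """
class ipv4 "allow-service"
   12 match alias-src "any" alias-dst "destination_ip" alias-srvc allowrad
   14 match alias-src "any" alias-dst "destination_ip" alias-srvc allowftp
   16 match alias-src "any" alias-dst "destination_ip" alias-srvc allowdns
   10 match alias-src "any" alias-dst "destination_dhcp_ip" alias-srvc allowdhcp
   18 match alias-src "any" alias-dst "destination_ip" alias-srvc allowhttp
   exit
"""

# Assumption: "any" is a built-in source/destination needing no netdestination.
BUILTIN_DESTINATIONS = {"any"}

# Matches a netdestination/netservice definition line and captures its name.
DEF_RE = re.compile(r'^\s*(netdestination|netservice)\s+"?([^"\s]+)"?', re.M)
# Matches each alias reference inside a class "match" rule.
REF_RE = re.compile(r'(alias-src|alias-dst|alias-srvc)\s+"?([^"\s]+)"?')


def parse_aliases(config):
    """Return (netdestination names, netservice names) defined in config."""
    dests, srvcs = set(), set()
    for kind, name in DEF_RE.findall(config):
        (dests if kind == "netdestination" else srvcs).add(name)
    return dests, srvcs


def find_unresolved(rules, dests, srvcs):
    """Return (rule line, keyword, alias) for every reference with no definition."""
    missing = []
    for line in rules.splitlines():
        if "match" not in line:
            continue
        for keyword, alias in REF_RE.findall(line):
            if keyword == "alias-srvc":
                defined = alias in srvcs
            else:
                defined = alias in dests or alias in BUILTIN_DESTINATIONS
            if not defined:
                missing.append((line.strip(), keyword, alias))
    return missing


def check(config=SWITCH_CONFIG, rules=CLASS_RULES):
    """Run the pre-check; an empty list means every alias is defined."""
    dests, srvcs = parse_aliases(config)
    return find_unresolved(rules, dests, srvcs)


if __name__ == "__main__":
    problems = check()
    for line, keyword, alias in problems:
        print(f"undefined {keyword} {alias!r} referenced in: {line}")
    if not problems:
        print("all alias references resolve")
```

Run it against the real switch configuration (for example, the output of a show running-config) and the class rules exported from ClearPass before enabling the role; any line it reports would otherwise fail to translate when the configuration is downloaded.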
Limitations
A delay is introduced when the configuration is downloaded from ClearPass, because alias-based class filters must be translated.
Names already used by user-defined or system-default netdestination and netservice entries cannot be reused for netdestination and netservice entries configured dynamically through ClearPass.
The downloaded netdestination, netservice and alias-based class filters are not displayed by show commands.
ClearPass is the only RADIUS server for which downloading of netdestination and netservice is supported.
ClearPass supports netservice and netdestination in advanced mode only; standard mode is not supported.