ClearPass Egress-VLANID Enforcement Profile Generator for RFC4675

Intro

RFC4675 specifies the Egress-VLANID attribute. With this attribute you can send one or multiple VLANs back to the network access device. One of these VLANs can be untagged.
The RFC specifies a hex format, which is somewhat easy to read: you only need to interpret the last 3 digits as a hex value to get the VLAN ID.
In ClearPass these values need to be specified as decimal values, which makes them somewhat unrecognizable to the human eye.

With this tool you can convert the decimal values back to a human-readable form and also generate an XML enforcement profile to import into ClearPass.

If you only want to convert one VLAN to the decimal representation, simply enter it and only copy the "value" field from the XML output.


Convert decimal value back to human readable

If you encounter the decimal value in a ClearPass Enforcement Profile, you can convert it back.
Valid values are between 822083585 (VLAN ID 1 tagged) and 838864894 (VLAN ID 4094 untagged).

Format Mode Padding VLAN ID
Human
Hex
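
The same conversion as a script, for checking values before they go into a profile. This is an added example, not this tool's own code; the function names are illustrative, and the layout (tag indication octet 0x31 tagged / 0x32 untagged, 12 zero padding bits, 12-bit VLAN ID) is the one defined in RFC4675.

```python
# Added example: encode/decode RFC 4675 Egress-VLANID values as the decimal
# integers ClearPass expects. Function names are illustrative.
TAGGED, UNTAGGED = 0x31, 0x32  # Tag Indication octet per RFC 4675


def encode(vlan_id: int, tagged: bool = True) -> int:
    """Return the decimal Egress-VLANID value for one VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} outside 1..4094")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode(value: int) -> dict:
    """Split a decimal value into mode and VLAN ID, rejecting malformed input."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    tag, pad, vlan_id = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"unknown tag indication 0x{tag:02x}")
    if pad != 0:
        raise ValueError(f"non-zero padding 0x{pad:03x}")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} outside 1..4094")
    return {"mode": "tagged" if tag == TAGGED else "untagged",
            "vlan_id": vlan_id, "hex": f"0x{value:08x}"}


def profile_values(tagged_vlans, untagged_vlan=None) -> list:
    """Values for one profile: any number of tagged VLANs, at most one untagged."""
    if untagged_vlan is not None and untagged_vlan in tagged_vlans:
        raise ValueError("a VLAN cannot be both tagged and untagged")
    values = [encode(v, tagged=True) for v in sorted(set(tagged_vlans))]
    if untagged_vlan is not None:
        values.append(encode(untagged_vlan, tagged=False))
    return values


if __name__ == "__main__":
    # Constructed samples: the two boundary values from the text, plus one
    # value with non-zero padding that must be rejected.
    for sample in (822083585, 838864894, 822087680):
        try:
            print(sample, decode(sample))
        except ValueError as err:
            print(sample, "rejected:", err)
```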


Create Enforcement Profile

You can add different VLANs and optionally set the port to Device/Infrastructure Mode for AOS-S or AOS-CX.
With the port set to device/infrastructure mode instead of user mode, only the first device on the port gets authenticated, and clients (MAC addresses) seen afterwards are free to communicate.
This is used in conjunction with Access Points or desktop switches, where the AP/Switch is used to authenticate further clients.

For AOS-S there are two attributes for the device mode: one attribute for MAC Auth, the other for Dot1x/Radius Auth.
You need to select the appropriate method for your use case, depending on whether the device is authenticated via MAC or via dot1x.

VLAN ID:

Add Port-Mode for:

Name for the enforcement profile (optional):


VLAN ID Mode Delete?
- untagged

Copy and save as XML and import into ClearPass:
Or download an XML file directly and import it: