09-09-2014 03:28 PM
Hopefully I'm just going about this in a wrong way and someone can readjust my understanding.
I have CPPM running, set up with a service and all that entails, and running on a Brocade L2 switch.
I have confirmed that 802.1x works beautifully as intended. Now I'm trying to simulate what would happen if a guest came to our network and plugged in. By default, a Windows laptop isn't going to have 802.1x enabled and configured. So I removed a laptop from the domain, disabled 802.1x, created a local account and plugged it in.
On the Brocade switch I have the dot1x configuration set to restrict the vlan on failure to a guest VLAN. Additionally, I have the ports set to dot1x port-control auto - by default, Brocade forces ports to be authorized. In this case, auto means not authorized until it completes the initial exchange with the auth server.
I assumed that because it's not on the domain and not an AD account, when the laptop was plugged in, it'd simply fail the 802.1x auth because it's also not set up for it. And then at that point, the switch would "quarantine" it in the failure VLAN which just grants internet access.
The second issue is, I don't see -anything- in the monitoring on the CPPM server. I assume that's because my service is set up for 802.1x. So I read some threads on here and noted someone talking about creating a MAC-auth service with allow all MACs; if it doesn't recognize a MAC, send it to the guest VLAN. I set that service up but still no joy - not seeing any traffic through the monitoring service, and it's just dropping traffic on the switch instead of putting it in the failure VLAN.
I'm having a hard time determining if this is a Brocade or CPPM issue at this point. Ultimately, the way I'd like things to work when I'm done is:
1. Use 802.1x - match enforcement policy, get profile pushed. Done.
2. Can't use 802.1x? Are you one of these vendor MAC addresses? Get matched, profile pushed. Done.
3. Don't use 802.1x AND don't match a vendor MAC address we use? Get pushed the default guest profile, internet only. Done.
Any help/suggestions would be appreciated!
09-09-2014 06:01 PM
According to Brocade and Aruba, they should. I have the following configured on the switch:
timeout re-authperiod 10
mac-session-aging no-aging permitted-mac-only
If you think it's a Brocade issue, I'll ask them again and verify. Perhaps it's the model I'm using? Or perhaps it requires additional configuration? I guess we'll see. If anyone has more thoughts or ideas, please let me know. I'll report back once I've talked to Brocade.
09-16-2014 05:03 PM
09-19-2014 11:28 AM
OK, figured it out. After opening up a ticket, I was sent a Foundry security configuration guide - why it's still called Foundry versus Brocade, I don't know. But I was unable to find similar material on their website via searches.
Anyway, they wanted a VSA for a specific attribute passed by the RADIUS server. This required me enabling an old Foundry dictionary on ClearPass and configuring the following in one of the enforcement profiles:
Radius:Foundry Foundry-MAC-Authent-needs-802.1x = 0
Once that was added and passed back to the switch on an accepted mac auth, everything worked beautifully.
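As an added example (not part of this thread or of ClearPass/Brocade code), the following Python encodes the Foundry VSA from the solution above as an RFC 2865 Vendor-Specific attribute and parses an Access-Accept attribute list to check that the switch will actually receive Foundry-MAC-Authent-needs-802.1x = 0. The vendor id 1991 and vendor-type 6 are assumed from the FreeRADIUS Foundry dictionary (verify against the dictionary enabled on your ClearPass), and the sample attribute list is constructed.

```python
import struct

RADIUS_VSA_TYPE = 26                # RFC 2865 Vendor-Specific attribute
FOUNDRY_VENDOR_ID = 1991            # assumed: vendor id from FreeRADIUS dictionary.foundry
FOUNDRY_MAC_AUTH_NEEDS_DOT1X = 6    # assumed: vendor-type of Foundry-MAC-Authent-needs-802.1x

def _attr(atype, value):
    """Pack one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def encode_foundry_vsa(vendor_type, value):
    """Build a Vendor-Specific attribute carrying one 4-byte Foundry integer sub-attribute."""
    sub = struct.pack("!BBI", vendor_type, 6, value)     # vendor-type, vendor-length, value
    return _attr(RADIUS_VSA_TYPE, struct.pack("!I", FOUNDRY_VENDOR_ID) + sub)

def iter_attributes(data):
    """Yield (type, value) for a packed attribute list; reject bad lengths instead of looping."""
    pos = 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def foundry_vsa_values(data):
    """Return {vendor_type: int} for every 4-byte Foundry sub-attribute in the list."""
    found = {}
    for atype, value in iter_attributes(data):
        if atype != RADIUS_VSA_TYPE or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != FOUNDRY_VENDOR_ID:
            continue
        # Sub-attributes use the same TLV layout, and one VSA may carry several of them.
        for vtype, payload in iter_attributes(value[4:]):
            if len(payload) == 4:
                found[vtype] = struct.unpack("!I", payload)[0]
    return found

def mac_auth_clears_dot1x(data):
    """True only when the Access-Accept carries Foundry-MAC-Authent-needs-802.1x = 0."""
    return foundry_vsa_values(data).get(FOUNDRY_MAC_AUTH_NEEDS_DOT1X) == 0

# Constructed Access-Accept attribute list: guest VLAN assignment plus the Foundry VSA.
SAMPLE_ACCEPT_ATTRS = (
    _attr(64, b"\x00\x00\x00\x0d")      # Tunnel-Type = VLAN (13), tag 0
    + _attr(81, b"\x00guest")           # Tunnel-Private-Group-ID = "guest", tag 0
    + encode_foundry_vsa(FOUNDRY_MAC_AUTH_NEEDS_DOT1X, 0)
)
```

Feed the attribute bytes of a captured Access-Accept (everything after the 20-byte RADIUS header) to mac_auth_clears_dot1x to confirm the enforcement profile is really emitting the VSA the switch expects.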