04-24-2015 04:50 AM
We have a setup where users are connected to the Cisco switch. They're put in a quarantine VLAN and then, after authentication and health check, they're placed in another full-access VLAN; if not, they stay in the quarantine VLAN.
The problem is, if he's found unhealthy and stays in the quarantine VLAN, the customer wants to limit the access of the user: he needs to reach the ClearPass server for the web auth health check, but he's also allowed access to the servers VLAN and can ping/SSH the switch itself.
I want him to just reach the ClearPass server via HTTPS.
I noticed that when I change the access list in the enforcement profile which has the URL redirect, nothing changed. I tried manipulating it, changing permits to denies and vice versa; nothing made a difference and he could still access the servers VLAN and SSH to the switch.
I tried returning a downloadable access list. After I looked at the switch I found two access lists that were learned dynamically: the one that I returned, and another access list called Auth-default-acl, which allows DHCP and denies everything else.
So the problem changed: the user cannot ping or SSH or do anything, and can't even reach the ClearPass server for the health check. I tried editing that default access list to permit any any, so that the actual downloaded access list can do its job, and that worked fine with no problem.
But that solution doesn't survive reloads, so if there was a power outage or the switch was reloaded, the auth-default-acl returns to its initial state of denying everything, even after writing the configuration to startup. Someone then has to go there and re-edit the access list again, which is not a good solution of course.
So if anyone has an idea of what should happen to only limit the quarantine VLAN access to just the CP, it would be great.
I'm using ClearPass 6.5.
If anyone has any queries, don't hesitate to ask.
Thanks in advance.
04-27-2015 07:09 AM
My understanding is that the auth-default-acl should take effect after the downloaded ACL, so the rules you add should be enforced prior to the DHCP allow and deny all.
If this is not happening then you could get around this by applying an ACL on the interface itself. If a port ACL exists then the auth-default-acl is not used. You could add a port ACL which is an "allow all" and then make enforcements based on your downloaded ACL.
ACDX #98 | ACMP | ACCP
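Added example (not taken from either post) of what the reply's suggestion could look like on a Cisco IOS access switch: a permit-all port ACL on the user interface so the switch does not install Auth-default-acl, and a downloadable ACL returned by ClearPass in the quarantine enforcement profile that leaves an unhealthy client with only DHCP, DNS and HTTPS to ClearPass. The interface name, ACL name and all addresses (198.51.100.10 for ClearPass, 10.20.0.0/16 for the servers VLAN, 10.1.1.1 for the switch) are assumed placeholders.

```cisco
! --- Switch side (assumed: GigabitEthernet1/0/10 is a user-facing port) ---
! A port ACL on the interface means Auth-default-acl is not applied, so the
! dACL returned by ClearPass becomes the only filter on the session and the
! change survives a reload because it is part of the saved configuration.
ip access-list extended PORT-ALLOW-ALL
 permit ip any any
!
interface GigabitEthernet1/0/10
 ip access-group PORT-ALLOW-ALL in
!
! --- ClearPass side: dACL for the quarantine enforcement profile ---
! Sent as Cisco-AVPair attributes in the RADIUS Access-Accept; the switch
! substitutes the client's IP for the "any" source. Order matters: the
! permits for ClearPass come before the broad denies.
ip:inacl#1=permit udp any eq bootpc any eq bootps
ip:inacl#2=permit udp any any eq domain
ip:inacl#3=permit tcp any host 198.51.100.10 eq 443
ip:inacl#4=deny ip any 10.20.0.0 0.0.255.255
ip:inacl#5=deny ip any host 10.1.1.1
ip:inacl#6=deny ip any any
!
! --- Verification on the switch after a quarantine client authenticates ---
! show authentication sessions interface GigabitEthernet1/0/10 details
!   (the session should list the per-user ACL and no Auth-default-acl)
! show ip access-lists
!   (the dynamically learned ACL should show hit counts on the ClearPass
!    permit and on the deny lines when the client tries the servers VLAN)
```

Line 2 (DNS) is only needed if the health-check page is reached by name rather than by IP; drop it to match the original "HTTPS to ClearPass only" requirement exactly.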