Occasional Contributor II
Posts: 21
Registered: ‎03-16-2015

Cisco wired Mac auth + .1x with class of service

I am trying to implement a scenario for my studies where a port on a Cisco switch is configured for dot1x and MAC authentication for an IP phone.

I want both the PC and the phone to be profiled and identified, and the PC to perform OnGuard.

I understand I would use a dot1x service with profiling enabled, matching all OSes, such that if the device is unknown a CoA disconnect is sent to the switch (assuming I'm doing DHCP helper on the switch). After the device connects again it will be known, and when the user browses he will be redirected to the OnGuard web page, download and install the agent, and get his health token. If he's healthy he will do dot1x again, be found healthy, and access the intended VLAN.

If neither dot1x nor MAC auth matched, a MAC auth policy will be matched where all MAC addresses are accepted and then profiled: if it's an IP phone it will be given a voice VLAN and a class of service of 5, if not it will join the normal PC VLAN.

I'm confused about where CoA and profiling would take place in the authentication sequence.

It would be great if someone helped me understand this.

Thanks in advance

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Cisco wired Mac auth + .1x with class of service

If the device is unknown, the CoA will happen after a successful profile and
then again after the posture check.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 21
Registered: ‎03-16-2015

Re: Cisco wired Mac auth + .1x with class of service

How would I profile the devices if they haven't yet received their IP addresses, as they will get their VLANs from CPPM, and only then get their DHCP offer and have their profiles updated in CPPM?

Is this the correct sequence?

1- PC does dot1x, CPPM finds it unknown, then gives it its VLAN, then CoA.

2- PC gets its IP address, updates CPPM.

Then the process happens again with OnGuard.

Is my understanding right?

And will the user have to enter his credentials manually after each CoA termination?

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Cisco wired Mac auth + .1x with class of service

You would need to dump the user into a temporary subnet with DHCP.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480