Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass juniper dynamic VLAN

  • 1.  ClearPass juniper dynamic VLAN

    Posted Apr 12, 2012 06:02 AM

    I'm trying to get dynamic VLANs working between Juniper EX switches and ClearPass; everything seems to work except for the VLAN assignment.


    I get this on the Juniper log:

    Apr 12 11:24:11.229779 Received invalid tunnel type 16777229 from authentication server


    While on the ClearPass I certainly have type 13 (VLAN) configured for tunnel type (64).


  • 2.  RE: ClearPass juniper dynamic VLAN

    Posted Apr 12, 2012 11:36 AM

    After doing a packet capture it seems the issue lies with the Juniper; the correct info is sent by the ClearPass.


    Tunnel-Type(64)                VLAN(13)

    Tunnel-Medium-Type(65)         IEEE-802(6)

    Tunnel-Private-Group-Id(81)    the VLAN name (or ID, I tried both)


    And two things the ClearPass adds:


    Session-Timeout       10800
    Termination-Action     RADIUS-Request (1)


    Does anyone have dynamic VLANs working with ClearPass, especially with switches from different vendors (Cisco, Juniper, ...)?



  • 3.  RE: ClearPass juniper dynamic VLAN

    Posted Apr 13, 2012 04:47 AM

    Tried to troubleshoot this with Juniper support, but nothing wrong seemed to be found.


    Tried with Microsoft IAS instead of ClearPass and then it works...


    Checked the packet captures and it seems they are identical except that IAS sends the data with RADIUS tag 0x00 and ClearPass does it with tag 0x01.


    [IAS]

    AVP: l=6  t=Tunnel-Type(64) Tag=0x00: VLAN(13)

    AVP: l=6  t=Tunnel-Medium-Type(65) Tag=0x00: IEEE-802(6)

    AVP: l=4  t=Tunnel-Private-Group-Id(81): 21


    [ClearPass]

    AVP: l=6  t=Tunnel-Type(64) Tag=0x01: VLAN(13)

    AVP: l=6  t=Tunnel-Medium-Type(65) Tag=0x01: IEEE-802(6)

    AVP: l=5  t=Tunnel-Private-Group-Id(81) Tag=0x01: 20


    Anyone know if I can get the ClearPass to use tag 0x00?
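
The two captures quoted in this post differ only in the RFC 2868 tag byte, and the tag byte also explains the Junos log line from the first post: a parser that reads the whole 4-byte Tunnel-Type value as one integer turns Tag=0x01 + VLAN(13) into 0x0100000D, which is 16777229. The script below is an added example (not ClearPass, IAS or Junos code) that encodes Tunnel-Type(64), Tunnel-Medium-Type(65) and Tunnel-Private-Group-Id(81) with and without the tag, as the two servers send them, then decodes them both tag-aware and tag-ignoring. The attribute bytes are constructed from the capture text above; the group IDs "21" and "20" are the ones shown there.

```python
"""Encode and decode RFC 2868 tunnel attributes with and without a tag byte.

Added example, not vendor code. Reproduces the [IAS] (Tag=0x00) and
[ClearPass] (Tag=0x01) attribute layouts from the captures quoted above.
"""

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VLAN = 13      # Tunnel-Type value for VLAN
IEEE_802 = 6   # Tunnel-Medium-Type value for IEEE-802


def encode_tunnel_int(attr, value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: Type, Length=6, Tag (1 byte), Value (3 bytes).

    RFC 2868 requires an unused tag to be 0x00, so the attribute is always
    6 bytes long whether or not a tag is in use (l=6 in both captures)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0x00..0x1F")
    return bytes([attr, 6, tag]) + value.to_bytes(3, "big")


def encode_tunnel_string(attr, value, tag=0):
    """Tunnel-Private-Group-Id: Type, Length, optional Tag, String.

    A zero tag is simply omitted (IAS: l=4 for "21"); a non-zero tag is
    prepended as one byte (ClearPass: l=5 for Tag=0x01 followed by "20")."""
    payload = value.encode("ascii")
    if tag:
        payload = bytes([tag]) + payload
    return bytes([attr, 2 + len(payload)]) + payload


def build_tunnel_attrs(group_id, tag=0):
    """The three VLAN attributes of an Access-Accept (constructed sample)."""
    return (encode_tunnel_int(TUNNEL_TYPE, VLAN, tag)
            + encode_tunnel_int(TUNNEL_MEDIUM_TYPE, IEEE_802, tag)
            + encode_tunnel_string(TUNNEL_PRIVATE_GROUP_ID, group_id, tag))


def iter_avps(packet):
    """Walk a Type/Length/Value sequence, rejecting malformed lengths."""
    i = 0
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated AVP header")
        attr, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("bad AVP length")
        yield attr, packet[i + 2:i + length]
        i += length


def decode_tag_aware(packet):
    """Tag-aware decoding per RFC 2868; returns {attr: (tag, value)}."""
    out = {}
    for attr, data in iter_avps(packet):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr] = (data[0], int.from_bytes(data[1:], "big"))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte <= 0x1F is a tag; a larger first byte is string data.
            if data and data[0] <= 0x1F:
                out[attr] = (data[0], data[1:].decode("ascii"))
            else:
                out[attr] = (0, data.decode("ascii"))
        else:
            out[attr] = (None, data)
    return out


def decode_tunnel_type_ignoring_tag(packet):
    """What a parser that treats the whole 4-byte Tunnel-Type value as one
    integer computes. With Tag=0x01 the bytes are 01 00 00 0D = 0x0100000D
    = 16777229, the 'invalid tunnel type' value in the Junos log above."""
    for attr, data in iter_avps(packet):
        if attr == TUNNEL_TYPE:
            return int.from_bytes(data, "big")
    return None


if __name__ == "__main__":
    ias = build_tunnel_attrs("21", tag=0)        # layout of the [IAS] capture
    clearpass = build_tunnel_attrs("20", tag=1)  # layout of the [ClearPass] capture
    for name, pkt in (("IAS", ias), ("ClearPass", clearpass)):
        print(name, pkt.hex(" "))
        print("  tag-aware:", decode_tag_aware(pkt))
        print("  tag-ignoring Tunnel-Type:", decode_tunnel_type_ignoring_tag(pkt))
```

Running it prints the IAS attributes as `40 06 00 00 00 0d 41 06 00 00 00 06 51 04 32 31` and the ClearPass ones as `40 06 01 00 00 0d 41 06 01 00 00 06 51 05 01 32 30`; the tag-aware decoder recovers VLAN(13) from both, while the tag-ignoring path returns 13 for the first and 16777229 for the second. Forcing the tag to 0 on the server side, which is what the accepted answer below configures, makes the Tunnel-Type and Tunnel-Medium-Type bytes identical to the IAS layout.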



  • 4.  RE: ClearPass juniper dynamic VLAN
    Best Answer

    Posted Apr 13, 2012 11:04 AM

    By default ClearPass sets the value of tag to 0x1 as indicated by the packet capture. The steps to send tag 0x0 from ClearPass are:


    1) Navigate to Administration » Dictionaries » RADIUS screen.


    2) Search for the Avenda RADIUS dictionary and click on the entry. In the RADIUS Attributes popup, click on Enable to enable the dictionary.


    3) Edit the enforcement profile and add the attribute


          Radius:Avenda       Avenda-Tag-Id               0




  • 5.  RE: ClearPass juniper dynamic VLAN

    Posted Apr 13, 2012 02:27 PM

    Thank you very much (and also Aruba support); this does indeed do the trick and the Juniper EX switch accepts this.

    A very flexible product, ClearPass.



  • 6.  RE: ClearPass juniper dynamic VLAN

    Posted Mar 23, 2018 06:32 AM

    Hi,

    I have the same issue with Juniper EX switch dynamic VLAN assignment with ClearPass.

    As the posture status is unhealthy it should assign the Quarantine VLAN. On the switch side the port is dynamically changing the VLAN membership, but on the endpoint side the IP address from the quarantine VLAN is assigned after doing an IPCONFIG release and renew. Are there any additional settings needed to change from the healthy VLAN to the Quarantine VLAN dynamically?


    Thanks,

    Yugandhar



  • 7.  RE: ClearPass juniper dynamic VLAN

    EMPLOYEE
    Posted Mar 23, 2018 07:26 AM

    It sounds like the endpoint failed to obtain an IP address (did not recognize the VLAN change) from the quarantine VLAN.

    You can try "agent bounce" instead of RADIUS disconnect (CoA) in the WebAuth service when an active client needs to be moved from the healthy VLAN to the quarantine VLAN (or just use the "agent bounce" enforcement only when the client health token is Quarantine).

    Agent bounce will force the client to obtain (renew) the IP from the Quarantine VLAN.



  • 8.  RE: ClearPass juniper dynamic VLAN

    Posted Mar 23, 2018 07:27 AM
    Are you using the persistent OnGuard agent on the device? If you are, enable the OnGuard option to do an agent bounce, so this way the NIC will re-DHCP.

    If not, you will need to execute a Change of Authorization (CoA).

    Pardon typos, sent from mobile.


  • 9.  RE: ClearPass juniper dynamic VLAN

    Posted Mar 27, 2018 06:10 AM

    I tried adding Avenda-Tag-Id and it is working. The Juniper switch dynamically assigns the VLANs based on the conditions, but the problem is that the IP address is assigned to the endpoint but not the gateway address.

    This is happening when we enable the posture conditions in the dot1x service.

    Also, it is taking a very long time to sign out from the machine, and we are using Windows 10. I am using the persistent OnGuard agent.




  • 10.  RE: ClearPass juniper dynamic VLAN

    Posted Oct 01, 2021 09:40 AM
    I am warming up this one, since I have the same problem with Juniper EX switches, CPPM 6.10.1.18.1134 and Junos 18.4R3-S2.

    The dynamic VLANs work as designed, but the port bounce does not work at all.

    Any suggestions?

    ------------------------------
    Jay R
    ------------------------------



  • 11.  RE: ClearPass juniper dynamic VLAN

    MVP
    Posted Apr 07, 2022 03:26 AM

    Hi Jay,

    Create an Enforcement Profile of type CoA with Action Disconnect.
    Then create:

    Type: Radius:IETF
    Name: Calling-Station-ID
    = %{Radius:IETF:Calling-Station-Id}

    and also create:

    Type: Radius:Juniper
    Name: Juniper-AVP-Pair
    = subscriber:command=Port-Bounce

    This is how it works on our Juniper infrastructure :)



    ------------------------------
    Shpat | MVP 2021 | ACEP | ACMP | ACCP | ACDP |
    ------------------------------