Occasional Contributor II

Clearpass 802.1x Change VLAN after machine authentication

Hi,

 

I've set up this scenario in our lab environment:

 

CPPM 6.7.4.107401 in a Windows domain with Server 2016 Standard, using certificates to authenticate machines/users. All working perfectly with the EAP-TLS method.

 

Some clients are asking for a solution to this: the machine authenticates and gets the "Corp" VLAN when it boots up. After that, the user enters their credentials and, based on the domain user group, is assigned a specific VLAN. How can I force a bounce, or something else, so the user gets an IP on the new VLAN?

 

Machine auth is used because of the need to authenticate the user on the domain (if the user has never logged in at this machine).

Any thoughts?


At.te,
Andre Fernandes
ACMP | ACCP | ACSA
Guru Elite

Re: Clearpass 802.1x Change VLAN after machine authentication

Changing VLANs is not recommended. Use a CoA role change.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clearpass 802.1x Change VLAN after machine authentication

I agree with you. I always try to avoid it, but this is a specific case.

 

Where do I put the CoA action? After machine authentication?

 

Below are the Service/Enforcement Policies. Each Enforcement Profile sets the specific VLAN ID.

 

[Attachments: CPPM-Service.png, CPPM-Enforcement.png, CPPM-Enforcement_Profile_Corp.png]


At.te,
Andre Fernandes
ACMP | ACCP | ACSA
Occasional Contributor II

Re: Clearpass 802.1x Change VLAN after machine authentication

Anyway, what is the best practice in this scenario?

 

Authenticate machines first, so users can be authorized by AD to log in, and then authenticate users on ClearPass? The need is to assign VLANs based on user group.

 

The fallback is MAC auth based on roles/endpoints and captive portal; that's OK.


At.te,
Andre Fernandes
ACMP | ACCP | ACSA

Re: Clearpass 802.1x Change VLAN after machine authentication

As Tim mentioned, it is not recommended to change VLANs, as DHCP is unreliable and it is very possible the device's VLAN will change but its IP will not, leaving it unable to communicate in the new VLAN.

 

What you could try is this: machine auth through CPPM sends back the corp VLAN assignment, then user auth through CPPM sends back a dACL (if using Cisco) or a User-Role (if using Aruba) to limit network access to only the required resources.

 

You *can* use the VLAN change, but I think it's very risky and may be inconsistent, resulting in endless troubleshooting of connectivity issues.


Michael Haring
Architecture and Implementation Consultant
Optiv Security Inc.
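Tim's "use a CoA role change" and Michael's "send back a User-Role at user auth" both come down to the same wire-level operation: a RADIUS Change-of-Authorization message (RFC 5176) that re-authorizes the existing session instead of moving it to another VLAN. The block below is an added example, not code from the thread or from ClearPass; it builds the CoA-Request carrying an Aruba-User-Role VSA beside the Disconnect-Request "bounce" the original post asks about, and shows the Request Authenticator check a NAS must perform before acting on either. The shared secret, username, MAC, Acct-Session-Id and role name are constructed; the Aruba vendor ID 14823 with sub-type 1 for Aruba-User-Role is taken from the usual RADIUS dictionary and should be checked against your own. Nothing is sent on the network.

```python
"""Build and verify RFC 5176 CoA-Request / Disconnect-Request packets.

Constructed example (not ClearPass or Aruba code): the "CoA role change"
recommended in the thread, carrying an Aruba-User-Role VSA, beside the
session "bounce" (Disconnect-Request). Packets are built and verified
locally; nothing is transmitted.
"""
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 5176)
DISCONNECT_REQUEST = 40
COA_REQUEST = 43

# Standard attribute types (RFC 2865 / RFC 2866) used to identify the session
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44

# Aruba VSA: vendor ID 14823, sub-type 1 = Aruba-User-Role (assumption: check your dictionary)
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV: type, total length (value + 2), value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def aruba_user_role(role: str) -> bytes:
    """Vendor-Specific (26) wrapping vendor ID, sub-type, sub-length and the role string."""
    inner = struct.pack("!BB", ARUBA_USER_ROLE, len(role) + 2) + role.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + inner)


def session_attrs(username: str, mac: str, acct_session_id: str) -> bytes:
    """Attributes the NAS uses to locate the session the request applies to."""
    return (attr(ATTR_USER_NAME, username.encode())
            + attr(ATTR_CALLING_STATION_ID, mac.encode())
            + attr(ATTR_ACCT_SESSION_ID, acct_session_id.encode()))


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def coa_role_change(username, mac, acct_session_id, role, secret, identifier=1):
    """CoA-Request that keeps the session (and its IP) and swaps the Aruba user role."""
    attrs = session_attrs(username, mac, acct_session_id) + aruba_user_role(role)
    return build_request(COA_REQUEST, identifier, attrs, secret)


def disconnect(username, mac, acct_session_id, secret, identifier=1):
    """Disconnect-Request: the 'bounce' that tears the session down for a fresh 802.1X/DHCP."""
    attrs = session_attrs(username, mac, acct_session_id)
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


def verify_request(packet: bytes, secret: bytes) -> bool:
    """The check a NAS must make before honouring a CoA/Disconnect from the network."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (COA_REQUEST, DISCONNECT_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet: bytes) -> list:
    """Walk the TLVs after the 20-byte header and return (type, value) pairs."""
    out, i = [], 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        out.append((atype, packet[i + 2:i + alen]))
        i += alen
    return out


def user_role_in(packet: bytes):
    """Return the Aruba-User-Role string carried in a packet, or None if absent."""
    for atype, value in parse_attrs(packet):
        if atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == ARUBA_VENDOR_ID:
            sub_type, sub_len = value[4], value[5]
            if sub_type == ARUBA_USER_ROLE:
                return value[6:4 + sub_len].decode()
    return None


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # assumption: the RADIUS shared secret
    pkt = coa_role_change("CORP\\jdoe", "00-11-22-33-44-55", "0001A2B3", "finance-role", SECRET)
    print(len(pkt), verify_request(pkt, SECRET), user_role_in(pkt))
```

In production ClearPass originates the CoA itself (the dynamic authorization port in RFC 5176 is UDP 3799), so the part to take from this block is the receiver side: the NAS must recompute the Request Authenticator with the shared secret and drop anything that does not match, because an unauthenticated CoA listener lets anyone on the management path rewrite a session's role or disconnect it. The role-change path is also why it avoids the DHCP problem Michael describes: the session and its address survive, only the policy attached to it changes.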
Occasional Contributor II

Re: Clearpass 802.1x Change VLAN after machine authentication

If you do go down the route of machine and user authentication with different VLANs, on Windows 7 devices you should enable single sign-on in the advanced settings and make sure the option "This network uses separate virtual LANs for machine and user authentication" is ticked.

This tells the device to complete a DHCP renewal after a successful user authentication.

I'm not sure whether the option is the same in Windows 10.

 

That said I agree with the previous posts that you should really avoid this scenario.

 

Regular Contributor I

Re: Clearpass 802.1x Change VLAN after machine authentication

Hi,

 

As previous posts mention it is not recommended.

 

I know from experience that in special cases it will work with Windows 7 & 10 without a CoA. But you could have other devices doing 802.1X where it doesn't work. And I have seen Microsoft change 802.1X settings twice in the last Windows 10 updates. So it is better to avoid it in production.

 

Hope it helps

 

Cheers, Frank
Aruba Partner Ambassador| AMFX#22| ACCX#613| ACMX#733| ACDX#744

If you like my posts, kudo's are welcome. If it solves your problem, please click 'Accept as Solution'