Occasional Contributor II
Posts: 15
Registered: ‎06-21-2016

Clearpass: CLI enforcements if client disconnects

Hi all,

I'm new to Aruba Clearpass and this is my first post in this great community. I have implemented some CLI policy enforcements with Clearpass (SSH to Comware switches) - they are working perfectly. My question - is there any way to execute CLI actions if a device logs off? Perhaps using the RADIUS Accounting or some kind of other magic? Thank you for some advice.

Best Regards

MVP
Posts: 226
Registered: ‎03-03-2011

Re: Clearpass: CLI enforcements if client disconnects

You could look into the use of 802.1X machine authentication. Certainly for Windows devices, machine authentication (if enabled) takes place at logon and logoff. You can use this to assign a more restrictive role or VLAN to devices when only machine authentication is passed.

Basically the logic works as follows:

ClearPass authenticates a machine and assigns a restrictive role/VLAN.

ClearPass authenticates a user and this in combination with the already authenticated machine assigns a full access role/VLAN.

If machine authentication is seen after this it would indicate a client has rebooted or logged off. This could then assign the more restrictive role.

I would recommend labbing this up and seeing if this can provide what you want.

David
ACDX #98 | ACMP | ACCP
Occasional Contributor II
Posts: 15
Registered: ‎06-21-2016

Re: Clearpass: CLI enforcements if client disconnects

Thank you, David - that's a simple and clean solution - I really like it. In the current environment I have lots of devices which need MAC auth. Any additional ideas for this case?

Best Regards

Guru Elite
Posts: 8,732
Registered: ‎09-08-2010

Re: Clearpass: CLI enforcements if client disconnects

There's no need for CLI enforcement. Comware supports RADIUS. You can leverage 802.1X with MAC fallback.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 15
Registered: ‎06-21-2016

Re: Clearpass: CLI enforcements if client disconnects

In this case, I'm using both. RADIUS for VLAN assignment and CLI enforcement for specific speed/duplex settings due to bad cabling which is causing issues with some end devices. One possible solution would be to set the speed/duplex settings back to default, if "devices all other" authenticated. I thought that perhaps there is some smarter solution that I have missed.

Best Regards
