08-15-2016 09:38 AM
I'm new to Aruba Clearpass and this my first post in this great community. I have implemented some CLI policy enforcements with Clearpass (SSH to Comware switches) - they are working perfect. My question - is there any way to execute CLI actions if a device logs off? Perhaps using the Radius Accounting or some kind of other magic? Thank you for some advice
08-16-2016 01:57 AM
You could look in to the use of 802.1x machine authentication. Certainly for Windows devices, machine authentication (if enabled) takes place at logon and logoff. You can use this to assign a more restrictive role or VLAN to devices when only machine authentication is passed.
Basically the logic works as follows:
ClearPass authenticates a machine and assigns a restrictive role/VLAN.
ClearPass authenticates a user and this in combination with the already authenticated machine assigns a full access role/VLAN.
If machine authentication is seen after this it would indicate a client has rebooted or logged off. This could then assign the more restrictive role.
I would recommend labbing this up and seeing if this can provide what you want.
ACDX #98 | ACMP | ACCP
08-16-2016 04:53 AM
Thanks you, David - that's simple and clean solution - i really like it. In the current environment i have lots of devices which need mac auth. Any additional ideas for this case?
08-16-2016 04:55 AM
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
08-16-2016 08:02 AM
In this case, i'm using both. RADIUS for VLAN assignment and CLI enforcement for specific speed/duplex settings due bad cabling which causing issues with some end devices. One possible solution would be to set the speed/duplex settings back to default, if "devices all other" authenticated. I though that perhaps there is some smarter solution that i have missed.