03-30-2015 09:17 AM
We have recently purchased ClearPass and are looking to use it as a replacement for our PacketFence deployment on our wired network. Currently any user who plugs into our Brocade switches gets sent to a registration VLAN where they authenticate to a captive portal. After authentication, the user is switched to another VLAN where they get a new IP address and can access the network. What is the recommended path to do this using ClearPass? For a bonus, we would like to track the user's ID and send that information to our Palo Alto firewall so we can track any connection coming out of this network.
03-30-2015 09:23 AM
03-30-2015 10:37 AM
We're not using captive portal on wired but we are doing wired 802.1x with ClearPass. We use Cisco 3850 and 3750E switches and currently have a "profiler" vlan/subnet set up where devices go if they've never been profiled. Once profiled, CP bounces the port and it goes back through 802.1x auth with MAB (mac auth bypass) for devices such as IP phones, printers, etc. CP sends a RADIUS CoA message back to switch to set the interface to a particular vlan and bounce it, forcing re-auth. One thing you may want to consider instead of using different vlans/subnets is to use one (or at least consolidate) and send downloadable ACLs to the switch to apply per-port based on the security requirement. We ended up running into issues with vlan switching that we were able to resolve using the DACL method.
We also have Palo Alto firewalls that are set up and integrated with ClearPass. It works well as far as I know, though I haven't spent a lot of time in the PANs lately.
Let me know if I can help at all.
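The reply above describes ClearPass sending a RADIUS CoA message that assigns a VLAN and bounces the port. The following is an added illustration, not code from this thread, from ClearPass or from Cisco: it builds a CoA-Request (RFC 5176, code 43) carrying the three tunnel attributes that encode a VLAN assignment (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID) plus a Cisco-AVPair VSA with the `subscriber:command=bounce-host-port` command, computes the Request Authenticator exactly as the RFC specifies (MD5 over the packet with a zeroed authenticator, followed by the shared secret), and shows how a receiver checks it. The shared secret, the MAC address and the VLAN number are constructed sample values. Nothing is sent on the wire; the point is to see what a CoA packet actually contains and why the shared secret is the only thing protecting a switch from a forged CoA, which is the reason you keep CoA secrets strong and restrict the switch's accepted CoA sources to the ClearPass nodes.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 5176 (Dynamic Authorization Extensions).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Standard attribute numbers (RFC 2865 / RFC 2868) and well-known values.
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # Cisco-AVPair sub-attribute inside the VSA


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value must fit in 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged(tag: int, value: bytes) -> bytes:
    """Prefix a tunnel attribute value with its RFC 2868 tag octet (0 = untagged)."""
    return bytes([tag]) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute (vendor 9, sub-type 1)."""
    inner = avp(CISCO_AVPAIR, text.encode())
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(identifier: int, secret: bytes, mac: str, vlan: int,
                      bounce_port: bool = True) -> bytes:
    """Build a CoA-Request that assigns `vlan` to the session for `mac` and bounces the port.

    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret),
    per RFC 5176 section 3.
    """
    attrs = avp(ATTR_CALLING_STATION_ID, mac.encode())
    # Integer tunnel attributes carry a 1-byte tag followed by a 3-byte value.
    attrs += avp(ATTR_TUNNEL_TYPE, tagged(0, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]))
    attrs += avp(ATTR_TUNNEL_MEDIUM_TYPE, tagged(0, struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:]))
    attrs += avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, tagged(0, str(vlan).encode()))
    if bounce_port:
        # Cisco IOS CoA command that shuts and re-enables the port so the host re-authenticates.
        attrs += cisco_avpair("subscriber:command=bounce-host-port")
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """What a switch does on receipt: recompute the authenticator with its own copy of the secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def build_response(request: bytes, secret: bytes, ack: bool = True) -> bytes:
    """CoA-ACK / CoA-NAK with the Response Authenticator chained to the request's authenticator."""
    code = COA_ACK if ack else COA_NAK
    header = struct.pack("!BBH", code, request[1], 20)
    authenticator = hashlib.md5(header + request[4:20] + secret).digest()
    return header + authenticator


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """What ClearPass checks before treating the reply as genuine."""
    header, received, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(received, expected)


def parse_attributes(packet: bytes) -> list:
    """Walk the attribute list and return (type, raw value) pairs."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


if __name__ == "__main__":
    # Constructed sample values; no real switch or ClearPass node is involved.
    secret = b"constructed-shared-secret"
    req = build_coa_request(7, secret, "00-11-22-33-44-55", 200)
    print("CoA-Request length:", len(req), "authentic:", verify_request_authenticator(req, secret))
    print("forged-secret packet accepted:", verify_request_authenticator(req, b"wrong"))
    ack = build_response(req, secret)
    print("ACK verified:", verify_response(req, ack, secret))
```

The two verification functions are the defender's half of the exchange. A CoA with a wrong secret fails the request check, and a tampered attribute (say, the VLAN number) fails it too, because the authenticator covers the whole attribute list; that is the property you rely on when a switch is configured to accept dynamic authorization only from the ClearPass addresses and only with a per-device secret.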