Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Cisco Wired Authentication

  • 1.  Clearpass Cisco Wired Authentication

    Posted May 02, 2018 04:41 PM

    Hi All,

    I hope you are well.

    I am doing a Cisco Wired Installation for a customer. I have got 90% of the work done and so far everything is working as expected.

    I have two services setup, which is a wired 802.1x and a wired MAC auth service.

    Most of the time the MAC auth service is being triggered, as most of the devices are not 802.1X capable. The only devices hitting the .1X service are Windows PCs.

    The switches I am working with are:

    Cisco 2960

    Cisco 3750

    Cisco 3750x

    Cisco 3850x

    We are doing the majority of the testing on Cisco 2960.

    I have already checked the wired switch guides from Aruba for Cisco and have not been able to resolve the two below issues. Please provide some advice on the below:

    I would like to know what the best procedure is to get a non-domain new computer onto the network. Basically this is a new computer that is hitting the 802.1X service, but gets rejected because it is not a domain laptop and it has not been connected to the network before. There is nothing set up for the computer in AD itself. The requirement is to boot up these new computers, join them to the domain and get them set up, but the ClearPass service rejects them.

    Can you let me know what is the best way to assign a limited access role to these devices? It seems like the devices need to be profiled before they can connect, but radius auth happens first and they get rejected. We would like to do this via a limited access DACL as there are 100s of switches and it would be easier for Clearpass to send a DACL to each switch.

    Can you please let me know how to set this up and can you send me an example of sending a DACL to a Cisco Switch in Clearpass?

    In my enforcement profile I am sending back “VLAN enforcement” this contains “Tunnel-Private-Group-Id” which has the VLAN ID.

    The problem I am having is that there are four data VLANs for domain computers. I can only send back one with the VLAN enforcement VLAN ID, which we cannot use as it will fill up pretty quickly.

    We have grouped the four VLANs on the switches in a VLAN group. The issue I am having is that when I send the group back in the VLAN enforcement profile using the condition:

    Radius:IETF  Egress-VLAN-VLAN = DATAVLANS

    the device gets accepted but does not get an IP address. Is it possible to send a VLAN group back to a Cisco switch? How would a Cisco switch fill up the VLANs in a VLAN group? Would this work like a wireless controller using a hash or even algorithm like a VLAN pool? Could someone advise me with a sample switch configuration that shows how to send a group of VLANs back to a Cisco switch so that the switch decides which VLAN to put the device in?

    I have also tried to use:

    Radius:IETF  Class = DATAVLANS

    This is a name for one of the VLANs but it does not work either.

    Please advise me on the best way to resolve these issues.

    Kind Regards,


  • 2.  RE: Clearpass Cisco Wired Authentication

    Posted May 23, 2018 08:20 AM

    Hi

    For the first issue on how to get new machines on the network to join the domain I have solved this by doing the following (in short):

    1. Created two roles in ClearPass, "New computer" and "Add new computer admin" or similar names

    2. In ClearPass guest create a new operator profile "Add new computer admin" (I normally use same operator profile name as the role name) with permission to only add new devices with the role "New computer"

    3. Create/modify the Guest operator login service to allow technicians to log into ClearPass Guest with the new role

    4. Create Guest Operator translation rule for the "Add new computer admin" operator profile

    5. In the MAC authentication service, use [Allow All MAC Auth] authentication method. Add [Insight Repository] as Authorization source

    By doing this, the role assigned in ClearPass Guest to the MAC address will be mapped to the client during the authorization phase and can be utilized in the Enforcement Policy.

    6. Create an Enforcement Policy rule Tips:Role  EQUALS  New Computer, and assign the needed Enforcement Profiles to be able to add the computer to the domain.

    In addition to this, I have also added a custom attribute to all domain-joined machines in the Endpoints repository: DomainComputer=Yes.

    If a host tries to do MAC authentication after it has been joined to the domain, this can be because it is being reimaged with PXE boot. In this case the DomainComputer=Yes attribute can be used to allow the computer on the PXE VLAN.

    I have no specific advice on how to control the VLAN the clients should be sent to; maybe this can be a good source of information:
    http://community.arubanetworks.com/t5/Wireless-Access/ClearPass-best-practice-assigning-VLANs-with-multiple-sites/m-p/227480#M46578

    Regards

    Jonas



  • 3.  RE: Clearpass Cisco Wired Authentication

    EMPLOYEE
    Posted May 23, 2018 08:41 AM

    Hm, you should not be using [Allow All MAC Auth] in an 802.1X service...



  • 4.  RE: Clearpass Cisco Wired Authentication

    Posted May 23, 2018 08:43 AM

    Thanks for the correction! In the MAC authentication service



  • 5.  RE: Clearpass Cisco Wired Authentication

    Posted May 24, 2018 07:10 AM

    Thank you for your suggestion of adding the MAC address of a non-domain machine to the guest module to get temporary access. I would need to test this to see how it works. This would need to be done on another customer.


    I managed to send back a DACL to this device to give it limited access for it to join the domain.

    I have used the location option as per the suggestion on the other link; there are too many switches to define a data and voice VLAN on. We got all the switches added and then grouped each one by VLAN location.

    Do you know if in the future switches will be able to group VLANs in a VLAN pool as Aruba controllers do?


    Can you please provide me with a sample enforcement policy that pushes a VLAN name back to a Cisco Switch?
    I have an example, but wasn't 100% sure on it:
    RADIUS:IETF Class = STAFF
    RADIUS:IETF Tunnel-Type = VLAN (13)
    RADIUS:IETF Tunnel-Medium-Type = IEEE-802 (6)
    RADIUS:IETF Tunnel-Medium-Type = 100
    Can you confirm the above would work in sending a VLAN name back to the switch, as I had issues with this?



  • 6.  RE: Clearpass Cisco Wired Authentication

    EMPLOYEE
    Posted May 24, 2018 10:50 AM
    Just use the standard VLAN enforcement profile and instead of putting in a number, put in a name.
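The attribute set asked about in posts 1 and 5, and answered in post 6, can be checked mechanically. The following is an added example (not ClearPass or Cisco code) that validates the attributes an enforcement profile returns against the RFC 3580 tunnel attributes a Cisco wired switch expects; attribute names and value spellings follow the thread, and the treatment of Class and Egress-VLAN-VLAN is based on what the thread reports about them.

```python
# Added example, not ClearPass or Cisco code: checks the RADIUS attribute set an
# enforcement profile returns for dynamic VLAN assignment on a Cisco wired switch.
import re

TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type = IEEE-802
REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")
# Attributes the thread tried that do not select a VLAN on a Cisco IOS switch.
NOT_VLAN_CARRIERS = ("Egress-VLAN-VLAN", "Class")


def _number(value):
    """Return the integer in 13, "13" or "VLAN (13)"; None for a name like STAFF."""
    m = re.search(r"\((\d+)\)\s*$|^\s*(\d+)\s*$", str(value))
    return int(m.group(1) or m.group(2)) if m else None


def check_vlan_enforcement(attrs):
    """attrs: list of (attribute, value) pairs as listed in an enforcement profile.
    Returns the problems found; an empty list means the switch sees a well-formed
    VLAN assignment (a VLAN ID, a VLAN name or a VLAN group name)."""
    problems, seen = [], {}
    for name, value in attrs:
        seen.setdefault(name, []).append(value)
    for name in REQUIRED:
        if name not in seen:
            problems.append(f"missing {name}")
        elif len(seen[name]) > 1:
            problems.append(f"{name} is returned {len(seen[name])} times")
    if "Tunnel-Type" in seen and _number(seen["Tunnel-Type"][0]) != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type must be VLAN (13)")
    if "Tunnel-Medium-Type" in seen and _number(seen["Tunnel-Medium-Type"][0]) != TUNNEL_MEDIUM_IEEE802:
        problems.append("Tunnel-Medium-Type must be IEEE-802 (6)")
    for gid in seen.get("Tunnel-Private-Group-Id", []):
        vid = _number(gid)            # a name (STAFF, DATAVLANS) gives None and is passed through
        if vid is not None and not 1 <= vid <= 4094:
            problems.append(f"VLAN ID {vid} is outside 1-4094")
    for name in NOT_VLAN_CARRIERS:
        if name in seen:
            problems.append(f"{name} does not assign a VLAN on a Cisco IOS switch; use Tunnel-Private-Group-Id")
    return problems


if __name__ == "__main__":
    # Constructed sample: the VLAN name STAFF returned the way reply #6 describes.
    print(check_vlan_enforcement([("Tunnel-Type", "VLAN (13)"),
                                  ("Tunnel-Medium-Type", "IEEE-802 (6)"),
                                  ("Tunnel-Private-Group-Id", "STAFF")]))
```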


  • 7.  RE: Clearpass Cisco Wired Authentication

    Posted Jun 20, 2018 06:52 AM

    Thanks, will try this on my next ClearPass install with Cisco Wireless.



  • 8.  RE: Clearpass Cisco Wired Authentication

    EMPLOYEE
    Posted Jun 20, 2018 07:47 AM
    Oh, this is for wireless? The thread is about wired. For Cisco controllers, you need to return the interface name or interface group name using the Airespace-Interface-Name VSA.


  • 9.  RE: Clearpass Cisco Wired Authentication

    Posted Jun 20, 2018 07:53 AM

    Thanks, I'm going to be doing Cisco wireless soon with CPPM, so I'm glad I know the action to return for both wired and wireless implementations.