Hi All,
I hope you are well.
I am doing a Cisco Wired Installation for a customer. I have got 90% of the work done and so far everything is working as expected.
I have two services setup, which is a wired 802.1x and a wired MAC auth service.
Most of the time the MAC auth service is being triggered, as most of the devices are not 802.1x capable. The only devices hitting the .1x service are Windows PCs.
The switches I am working with are:
Cisco 2960
Cisco 3750
Cisco 3750x
Cisco 3850x
We are doing the majority of the testing on Cisco 2960.
I have already checked the wired switch guides from Aruba for Cisco and have not been able to resolve the two issues below. Please provide some advice on the following:
I would like to know what the best procedure is to get a non-domain new computer onto the network. Basically this is a new computer that is hitting the 802.1x service, but gets rejected because it is not a domain laptop and it has not been connected to the network before. There is nothing set up for the computer in the AD itself. The requirement is to boot up these new computers, join them to the domain and get them set up, but the ClearPass service rejects them.
Can you let me know what the best way is to assign a limited access role to these devices? It seems like the devices need to be profiled before they can connect, but RADIUS auth happens first and they get rejected. We would like to do this via a limited access DACL, as there are hundreds of switches and it would be easier for ClearPass to send a DACL to each switch.
Can you please let me know how to set this up, and can you send me an example of sending a DACL to a Cisco switch from ClearPass?
In my enforcement profile I am sending back "VLAN enforcement"; this contains "Tunnel-Private-Group-Id", which has the VLAN ID.
The problem I am having is that there are four data VLANs for domain computers. I can only send back one with the VLAN enforcement VLAN ID, which we cannot use as it will fill up pretty quickly.
We have grouped the four VLANs on the switches in a VLAN group. The issue that I am having is that when I send the group back in the VLAN enforcement profile using the condition:
Radius:IETF Egress-VLAN-VLAN = DATAVLANS
The device gets accepted but does not get an IP address. Is it possible to send a VLAN group back to a Cisco switch? How would a Cisco switch fill up the VLANs in a VLAN group? Would this work like a wireless controller using # or even an algorithm like a VLAN pool? Is it possible for someone to advise me with a sample switch configuration that shows how to send a group of VLANs back to a Cisco switch, so that the switch then decides which VLAN to put the device in?
I have also tried to use:
Radius:IETF Class = DATAVLANS
This is the name of one of the VLANs, but it does not work either.
Please advise me on the best way to resolve these issues.
Kind Regards,