This is what I have done so far.
We are using 802.1x with AD authentication on Cisco 3750 switches.
On ClearPass:
Configuration -> service (new service) - 802.1x wired
defaults in the service
authentication to AD server
we are not doing any roles
Enforcement - new policy - I have created 2 conditions.
1. Tips:Role equals {user authentication}
and Tips:Posture equals healthy(0)
Then assign employee VLAN
2. Tips:Role equals {user authentication}
and Tips:Posture NOT_Equals healthy(0)
Then cisco-wired onguard redirect and temporary VLAN
For the cisco-wired onguard redirect profile I have set a URL redirect to ClearPass OnGuard.
---Testing---
Connected a Windows 7 machine to the port - it does the authentication and fails right away.
However, on the ClearPass Access Tracker, I can see that login-status is ACCEPT,
and the summary says it's using the right service that I have created and it falls under condition 2.
On the output it's sending the VLAN attributes for the temporary VLAN and the cisco-avpair URL redirect.
As it's not authenticating, I can't get to the URL. However, in the profiles, when I remove the RADIUS attribute for URL redirect and keep just the VLAN, the machine authenticates with my credentials and gives me the VLAN I need, but without posture assessment.
One thing I have noticed is in Access Tracker - summary - I see the below:
System Posture Status: UNKNOWN (100)
I must be missing something. Any help will be much appreciated.