08-07-2013 08:31 AM
I am configuring some kit for an install we have next week. We are setting up ClearPass and some Brocade switches to hopefully do the following:
When a wired user plugs into the network, they are in a default VLAN 10. This does MAC authentication against the endpoint database. If it is successful, then they are allowed on the network.
If it fails, the switch puts the device into VLAN 40, a 'quarantine' VLAN. The idea then is that they are given the self-reg page of CPPM Guest, which they authenticate using. From there, we need to place them into a different ‘Guest’ VLAN.
However, the web auth doesn’t send a MAC address and also can’t seemingly have an enforcement policy that can return a RADIUS response to move the VLAN to the Guest VLAN.
Any ideas on how we get a webauth to send a RADIUS accept to change the VLAN? Or any ideas how we can do the above in a different way?
08-07-2013 08:35 AM - edited 08-07-2013 08:35 AM
You can set a post_authentication Change of Authorization (RADIUS CoA) which will boot the user (essentially aaa user delete) and then they will come back into the role you assigned.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP