Yl
New Contributor

Clearpass - monitor mode with Cisco 3560 switch

I have configured ClearPass to do MAC auth in monitor mode and a 3560 switch following

https://community.arubanetworks.com/aruba/attachments/aruba/tkb@tkb/223/1/Cisco%20Switch%20Setup%20with%20CPPM-v1.2.pdf

A Windows PC is allowed access (MAC authentication ACCEPT) only if the device is set to known (via Access Tracker), otherwise the PC (unknown) is MAC authentication REJECT.

How to configure CP and the switch such that we can do MAC authentication in monitor mode (without having to set "authentication open" on the switch)? We don't want to change the switch every time we need to change from monitor mode to enforce mode; we would like to change from monitor to enforce mode on ClearPass (without changing the switch), if possible.


Please help.

Thanks,

Yl

Re: Clearpass - monitor mode with Cisco 3560 switch

There are several options here. I would not use monitor mode...begin with enforce mode on ClearPass and then just have a statement in line 1 of your enforcement policy to "allow access". Then when you are ready, you can gradually move this line down the list until you capture all your use cases. Alternatively, you can group devices and write services with or without enforcement options and move your switches from a "test" group to a "production" group mapping to two different services.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos