Dear Community,
I just need to handle user authentications on a Cisco switch with ClearPass Policy Manager. Everything is working fine, but I have an issue that I have no idea how to manage.
Basically, it needs to put the user into a quarantine VLAN if the user authentication fails. I created a service where the default enforcement profile sends a RADIUS response with VLAN change settings to the switch. I created a rule in this enforcement policy so that if TIPS:Role does not equal [user authenticated], it sends the same RADIUS response as the default. The settings of the response have been tested several times, so the configuration is 100% good; I can use it perfectly when an authentication succeeds.
Now, when we generate a failed user authentication (nonexistent username or wrong password), I can see a Reject Logon Status in the Access Tracker, as we expected, and in the Output I can see that the default enforcement profile was activated and I can see the RADIUS response that should be sent to the switch. On the switch side we can see an Access-Reject because of the wrong username or password, but there is no sign of the RADIUS response that ClearPass should have sent.
The question is: is it possible to apply a VLAN change on the switch in this scenario, or do the wrong credentials generate a reject and that is the end, with any other RADIUS response ignored? (Of course I set the enforcement profile action to ACCEPT, but I think the Access-Reject, caused by the wrong credentials, is generated earlier.)
Any ideas?
Thanks a lot!