Occasional Contributor II

Handle Radius Response after user login failure

Dear Community,

I just need to handle user authentication on a Cisco switch with ClearPass Policy Manager. Everything is working fine, but I have an issue where I have no idea how to manage it.

Basically, it needs to put the user into a quarantine VLAN if the user authentication fails. I created a service where the default enforcement profile sends a RADIUS Response with VLAN change settings to the switch. I created a rule in this Enforcement policy so that if TIPS:Role does not equal [user authenticated], it sends the same RADIUS response as the default. The settings of the response have been tested several times, so the configuration is 100% good; I can use it perfectly if an auth succeeds.

Now when we generate a wrong user auth (non-existent username or wrong password), I can see a Reject Logon Status in the Access Tracker as expected, and in the Output I can see the default enforcement profile activated and the RADIUS Response that should be sent to the switch. On the switch side we can see an access-reject because of the wrong username or password, but there is no RADIUS Response that ClearPass should have sent.

The question is, is it possible to apply a VLAN change on the switch in this scenario, or do the wrong credentials generate a reject and that is the end, with any other RADIUS Response ignored? (Of course I set the enforcement profile action to ACCEPT, but the access-reject, because of the wrong credentials, is generated earlier I think.)

Any ideas?

Thanks a lot!

Guru Elite

Re: Handle Radius Response after user login failure

This would need to be handled by the switch, not ClearPass: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/sec-ieee-auth-fail-vlan.html

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
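As an added illustration of the switch-side approach referenced above (constructed for this thread, not configuration from the post or from the linked Cisco page), a Cisco IOS 802.1X port configuration that authorizes the port into an auth-fail VLAN after repeated failed authentications; the interface name, VLAN IDs and retry count are assumed placeholders:

```cisco
! Constructed example: VLAN 10 is the assumed normal access VLAN,
! VLAN 999 the assumed auth-fail (quarantine) VLAN.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode single-host
 ! After 3 failed 802.1X attempts the switch itself places the port in
 ! VLAN 999 instead of leaving it unauthorized; no RADIUS attribute is
 ! needed, which is why this works where an Access-Reject cannot carry one.
 authentication event fail retry 3 action authorize vlan 999
 dot1x pae authenticator
```

The RADIUS-assigned VLAN described in the original post still applies on Access-Accept; this fragment only covers the failure path that the Access-Reject leaves to the switch.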
Occasional Contributor II

Re: Handle Radius Response after user login failure

Yep, that is what we did and it worked, but the auth-fail VLAN does not support ACLs on Cisco, so I am just trying to find a solution for how I can separate the traffic of the quarantine clients from each other, and a normal VLAN "placing" can handle ACLs instead of the auth-failed VLAN. Now I'm starting to be pretty sure that this scenario will never happen :(
