Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Help with Quarantine Enforcement Profile

I am attempting to write an Enforcement Profile that will quarantine a user to a "Dead" vlan on a Cisco switch.  I want to be able to manually change the user's switch port to a dead vlan with a CoA Status change from Access Tracker.

Here is my attempt at writing the profile.  When applying the CoA to the user, CPPM shows the CoA request was successful, but it doesn't change the vlan on the switch.  What am I missing?

[Attachment: Screen Shot 2015-02-12 at 9.23.41 AM.png]

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: Help with Quarantine Enforcement Profile

Are you using OnGuard?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: Help with Quarantine Enforcement Profile

You need to send a regular VLAN enforcement profile.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Re: Help with Quarantine Enforcement Profile

Victor, I am not using OnGuard.

I tried making a VLAN Enforcement profile, but the problem is that that profile is then not accessible via Change Status from within Access Tracker.

See below.

[Attachment: Screen Shot 2015-02-12 at 10.45.17 AM.png]

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: Help with Quarantine Enforcement Profile

I guess you don't want to apply a dynamic enforcement profile; instead you want to do it manually?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Re: Help with Quarantine Enforcement Profile

Correct. I want a way, from within Access Tracker, to manually quarantine a user off the network by using the Change Status button and selecting an appropriate CoA profile to put them in another VLAN.

[Attachment: Screen Shot 2015-02-12 at 11.00.21 AM.png]

Moderator
Posts: 479
Registered: ‎11-09-2012

Re: Help with Quarantine Enforcement Profile

Did you enable CoA when you added the NAD?


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Re: Help with Quarantine Enforcement Profile

Yes, CoA is enabled on the switch.

aaa server radius dynamic-author
 client 1.1.1.1 server-key 7 <key>
 port 3799
 auth-type all
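
A CoA-ACK from the switch only says the NAD accepted and processed the request; whether the port actually moves depends on the attributes the request carried. The following is an added example, not code from this thread, from ClearPass or from Cisco: a small encoder/decoder for the RADIUS CoA-Request wire format (RFC 5176 with the RFC 2868 tunnel attributes) that can be pointed at a captured CoA request to report whether it carries the three attributes a VLAN assignment needs (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID) and whether its Request Authenticator was computed with the expected shared secret. The shared secret, client MAC and VLAN number in it are constructed sample values; the function and constant names are this example's own.

```python
import hashlib
import hmac
import struct

# RADIUS packet code for CoA-Request (RFC 5176) and the attribute numbers a
# VLAN assignment needs (RFC 2868), plus a session identifier (RFC 2865).
COA_REQUEST = 43
CALLING_STATION_ID = 31
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value "IEEE-802"

VLAN_ATTRIBUTES = {
    TUNNEL_TYPE: "Tunnel-Type",
    TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
    TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID",
}


def avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value (RFC 2865 wire format)."""
    if isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet integer."""
    return bytes([tag]) + struct.pack("!I", value)[1:]


def build_coa_request(secret, identifier, attributes):
    """Assemble a CoA-Request. Per RFC 5176 s.3 the Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + attributes + shared secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def declared_length(packet):
    """Length field from the packet header (should equal the real length)."""
    return struct.unpack("!H", packet[2:4])[0]


def parse_attributes(packet):
    """Walk the attribute list after the 20-byte header; reject bad lengths."""
    out = []
    offset = 20
    while offset < len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % offset)
        out.append((attr_type, packet[offset + 2:offset + length]))
        offset += length
    return out


def verify_request_authenticator(packet, secret):
    """True if the authenticator was computed with this shared secret."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def strip_tag(value):
    """RFC 2868: a first octet of 0x00-0x1F is a tag, anything else is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def missing_vlan_attributes(packet):
    """Names of the VLAN attributes the request does not carry."""
    present = {attr_type for attr_type, _ in parse_attributes(packet)}
    return [name for t, name in VLAN_ATTRIBUTES.items() if t not in present]


def vlan_from_coa(packet):
    """VLAN named in Tunnel-Private-Group-ID, or None if the request has none."""
    for attr_type, value in parse_attributes(packet):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            return strip_tag(value)[1].decode()
    return None


# Constructed sample data: made-up shared secret, client MAC and quarantine VLAN.
SECRET = b"constructed-shared-secret"
SESSION = avp(CALLING_STATION_ID, "00-11-22-33-44-55")
GOOD_COA = build_coa_request(SECRET, 7, [
    SESSION,
    avp(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN)),
    avp(TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_IEEE_802)),
    avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"999"),
])
# Same session, but nothing tells the switch which VLAN to move the port to.
INCOMPLETE_COA = build_coa_request(SECRET, 8, [SESSION])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_COA), ("incomplete", INCOMPLETE_COA)):
        print(name, "vlan:", vlan_from_coa(pkt),
              "missing:", missing_vlan_attributes(pkt),
              "authenticator ok:", verify_request_authenticator(pkt, SECRET))
```

Run against the bytes of a CoA request captured on UDP 3799 between CPPM and the switch, `missing_vlan_attributes` shows at a glance whether the enforcement profile that Access Tracker sent included the VLAN attributes or only session identifiers, which is the difference between a profile that moves the port and one that is acknowledged but changes nothing. The authenticator check is what the switch does with the `server-key` from the `dynamic-author` block; a mismatch there shows up as a rejected or silently dropped request rather than a successful one.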

Moderator
Posts: 479
Registered: ‎11-09-2012

Re: Help with Quarantine Enforcement Profile

And you enabled it on the NAD definition within CPPM?

No firewall blocking 3799 between CPPM and the switch?


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Re: Help with Quarantine Enforcement Profile

Danny,

Yes, it is enabled in CPPM under the device profile. No firewalls between the NAD and CPPM.

Do you know what the Enforcement Policy should look like to use it under the Change Status button?

[Attachment: Screen Shot 2015-02-12 at 1.00.31 PM.png]