Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to accomplish this configuration using CPPM

  • 1.  How to accomplish this configuration using CPPM

    Posted Sep 26, 2013 02:33 AM

    Hi All,

    Topology:

    Guest users ---------> Cisco Switch 2950 ---------> Cisco ASA firewall -----------> Aruba CPPM 6.2.

    Requirement:

    a. The guest user connects his laptop to a dot1x-enabled port on the switch. (As per the end customer, he will get an IP from guest VLAN X because the switch is configured with guest VLAN X.)

    b. After getting the pre-VLAN IP, the end user opens a browser and gets the captive portal page. (The client will take care of the redirection part.)

    c. In the captive portal page the guest enters his AD credentials. After successful authentication the user has to move to the new VLAN Y.

    Here the guest user is nothing but an employee with a personal laptop.

    So the client is advising me to do an SNMP bounce on the port.

    How to perform this configuration?

    What configuration do I need to do in CPPM, and what ports need to be open on the firewall?

    Note: the 2950 switch does not support MAB.

    Will the following configuration work?

    1. Selecting the health-check-enabled captive portal page ..... attached

    2. Creating a service as web-auth with authentication against corporate AD and posture as simple as just a check for antivirus, and enforcement profile as .... attached

    where VLAN_Enforcement_for_nac_netops is the post VLAN.

    Will this configuration work?

    Will the client hit the same web-auth service a second time so that, depending on health information, we can move the guest into Post_vlan?

    Thanks in advance.

    Regards,

    Nithin



  • 2.  RE: How to accomplish this configuration using CPPM

    Posted Sep 26, 2013 05:48 AM

    Got an update that the Cisco 2950 switch will not support RADIUS CoA.



  • 3.  RE: How to accomplish this configuration using CPPM

    Posted Sep 27, 2013 11:49 AM

    The biggest issue is that VLAN switching with L3 authentication types (Captive Portal) requires the device to re-DHCP after the VLAN switch, which most operating systems are incapable of handling.

    A better option would be to use a dynamic ACL for post-Captive-Portal access controls, or use a newer switch.

    In most cases we've also had success using 802.1x to find "corporate" devices, and then setting the aaa policy to simply contain failed 802.1x attempts to the guest VLAN. Since 802.1x is stateful, the client will not get a DHCP offer until:

    A. 802.1x completes successfully, or

    B. The aaa policy switches or contains the VLAN after 802.1x failure.



  • 4.  RE: How to accomplish this configuration using CPPM

    EMPLOYEE
    Posted Sep 27, 2013 03:43 PM

    One other note is that we did add an option in the 6.2 release, at least for captive portal users. I will add more to this later, but I wanted to throw it out to the group.

    Again, it comes down to whether the switch supports CoA.

    guestnas.png


  • 5.  RE: How to accomplish this configuration using CPPM

    Posted Sep 28, 2013 01:31 AM

    The 2950 switch does not support CoA.

    How do I use SNMP enforcement? What are all the prerequisites for using SNMP as an enforcement in CPPM, and what settings have to be done on the switch?


  • 6.  RE: How to accomplish this configuration using CPPM

    Posted Feb 20, 2014 12:09 PM

    Workflow should be:

    802.1X is stateful, so the client will not DHCP (if 802.1X is enabled) until after 802.1X completes.

    Enable 802.1X, put the auth-fail-vlan to quarantine, set the auth order to 802.1x, web.

    If the client supports and completes 802.1X, send back the RFC3576 VLAN switch attributes to change the VLAN. (Since the client is 802.1X authenticated, VLAN switching will work.)

    If the client does not support 802.1X, it will stay in the Guest L3 VLAN and use your standard workflow for guests.

    If the client fails 802.1X, the client configuration as well as your switch auth-fail-vlan will determine what happens (Win 7+ has a checkbox that allows fallback to unauthenticated network access; otherwise, if configured for 802.1X and it fails, there is no connectivity).
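To make the VLAN-switch attributes in the reply above concrete, here is an added example that is not code from this thread, from ClearPass or from any vendor. It encodes and decodes the RADIUS tunnel attributes a NAS uses for VLAN assignment: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81) carrying the VLAN ID, as defined in RFC 2868 and applied in RFC 3580. The decoder only reports a VLAN when all three attributes are present under the same tag and consistent with each other, which is the check a defender wants before trusting a VLAN move. The sample bytes are constructed here, and the `accept_for_dot1x` helper, which mirrors the "only return VLAN attributes after 802.1X succeeds" rule from the reply, is a hypothetical name of this example.

```python
import struct

# RADIUS attribute types from RFC 2868, used for VLAN assignment as in RFC 3580
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802" (RFC 3580)
VLAN_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def _tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type (1 octet), Length (1 octet incl. header), Value."""
    if len(value) + 2 > 255:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_assignment_attrs(vlan_id: int, tag: int = 0) -> bytes:
    """Build the three tunnel attributes that tell a NAS to put the port in vlan_id.

    Tagged attributes carry a leading tag octet (0x00-0x1F) so several tunnel
    groups can coexist in one packet; Tunnel-Type and Tunnel-Medium-Type then
    hold a 3-octet integer after the tag.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    t = bytes([tag])
    return (_tlv(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _tlv(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _tlv(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))


def accept_for_dot1x(dot1x_succeeded: bool, post_vlan: int) -> bytes:
    """Hypothetical policy helper (constructed for this example): VLAN attributes
    are only returned after a successful 802.1X authentication. A client that
    failed, or that only did captive-portal (L3) auth, gets no VLAN change and
    stays where the switch's auth-fail/guest VLAN configuration put it."""
    return vlan_assignment_attrs(post_vlan) if dot1x_succeeded else b""


def parse_attrs(data: bytes) -> list:
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def _untag(value: bytes):
    """RFC 2868 tag rule: a first octet <= 0x1F is a tag (0x00 = unused); anything
    larger is the first octet of the value itself, which we treat as tag 0."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(data: bytes):
    """Return the VLAN an Access-Accept assigns, or None when the tunnel attribute
    set is absent, incomplete, split across tags, or not a numeric VLAN assignment."""
    groups = {}
    for atype, value in parse_attrs(data):
        if atype in VLAN_ATTRS:
            tag, body = _untag(value)
            groups.setdefault(tag, {})[atype] = body
    for group in groups.values():
        if set(group) != VLAN_ATTRS:
            continue  # all three attributes are required for a valid assignment
        if int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        gid = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if gid.isdigit() and 1 <= int(gid) <= 4094:  # VLAN names are not resolved here
            return int(gid)
    return None


if __name__ == "__main__":
    # Constructed sample: an employee laptop that passed 802.1X is moved to VLAN 200
    blob = accept_for_dot1x(True, 200)
    print(blob.hex(), "->", assigned_vlan(blob))
    print("failed 802.1X ->", assigned_vlan(accept_for_dot1x(False, 200)))
```

The decoder deliberately ignores a Tunnel-Private-Group-ID that arrives without a matching Tunnel-Type/Tunnel-Medium-Type, and a group whose type is not VLAN, so a stray or half-built enforcement profile cannot be mistaken for a VLAN move; untagged values are folded into tag 0, since RFC 2868 defines 0x00 as "tag unused".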