Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

clearpass cisco posture

  • 1.  clearpass cisco posture

    Posted Sep 05, 2014 02:59 PM

    hi,

    We have an Aruba controller and a Cisco 3560 switch with the 12.2(58) version.

    I have done all the wireless configuration and it's working well, and I have created posture for the wireless connection; it's also working well.

    I want to create wired authentication for our employees on the Cisco switch, with authentication via our DC.

    And I don't want to install an agent on our employees' PCs; I want the Cisco switch to redirect them to the OnGuard portal and check them.

    I have created a wired service and policy. In the policy I have created a profile with the Cisco dACL template that checks if the user is [user auth] and [mac auth]; he will get an "ip any any" ACL, and another profile that checks for posture, if it's healthy. If all this matches he will get full access.

    Second rule: it checks if the TIPS role is [user auth] and [mac auth], and if the posture is not healthy.

    I don't know which profile I should assign for the second rule. If the user is authenticated but not healthy, I want the Cisco switch to redirect him to OnGuard without installing an agent and check his PC.

    Could you please tell me what configuration I should do on Cisco and in the ClearPass profile?

    Note: I don't want to redirect him to another VLAN; I want to use the dACL attribute.

    thank you



  • 2.  RE: clearpass cisco posture

    EMPLOYEE
    Posted Sep 05, 2014 05:23 PM

    OK, just keep in mind that the posture token is cached for a certain amount of time and the user may have to be manually checked every time they reconnect. The user experience may be frustrating. Is this the behavior you want?



  • 3.  RE: clearpass cisco posture

    Posted Sep 05, 2014 09:03 PM

    Yes, I want, each time the user connects to the network, to check whether his PC is healthy or not via the wired connection on the Cisco switch.

    I have created a service; inside the service there is a policy; inside the policy there are 2 rules.

    First rule:

    tips role eq user auth

    & tips role machine auth

    & tips posture eq healthy

    assign Cisco dACL profile1 (radius cisco : cisco ip downloadable acl : permit ip any any)

    *** Here I need to know how to configure a second profile for this rule to redirect him to OnGuard without installing the agent on his PC.

    How can I do it?

    Second rule:

    tips role eq user auth

    & tips role machine auth

    & tips posture not eq healthy

    assign Cisco dACL profile2 (radius cisco : cisco ip downloadable acl : ?)

    Here I need to assign a profile that redirects the user to the OnGuard portal also,

    and I need to cache his credentials for the second connection.

    How can I do it on ClearPass and the Cisco switch?

    thank you



  • 4.  RE: clearpass cisco posture

    Posted Sep 05, 2014 10:47 PM

    You can do the following :

     

    [Screenshot: ClearPass Policy Manager configuration, 2014-09-05]



  • 5.  RE: clearpass cisco posture

    EMPLOYEE
    Posted Sep 05, 2014 10:53 PM

    This has three user roles.

    Employee

    Staff

    Student

    [Screenshot: ClearPass Policy Manager, 2014-09-05 9:47 PM]

    [Screenshot: ClearPass Policy Manager, 2014-09-05 9:51 PM]

    Victor is correct. The easiest thing to do is send an ACL with the redirect to the CP page.



  • 6.  RE: clearpass cisco posture

    Posted Sep 06, 2014 06:34 AM

    Should I add this profile (Cisco wired OnGuard with posture profile) to both rules?

    Should I create a web auth service also?

    url-redirect= : is it the OnGuard URL page?

    thank you



  • 7.  RE: clearpass cisco posture

    Posted Sep 06, 2014 06:51 AM

    Here are the policy and the profiles.

    Is that the right way?

    Should I create or add another configuration?

    thank you



  • 8.  RE: clearpass cisco posture

    Posted Sep 06, 2014 09:02 AM

    What type of agent are you using, Persistent or Diss?

    I think what you should do is send the full access VLAN when it meets:

    - Machine Auth

    - User Auth

    - Healthy Posture

    [Screenshot: ClearPass Policy Manager enforcement policy, 2014-09-06]

    And if the criteria are:

    - Machine Auth

    - User Auth

    - Not Healthy

    then you send the Cisco AV Pair with the URL and ACL.

    The ACL on your switch should look like this:

    ip access-list extended <ACL NAME>
    deny tcp any host <ClearPass IP Address>
    permit tcp any any

    Make sure that you enable ip http server on your switch.
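The ACL above reads backwards from a normal filter, which is worth spelling out: when an ACL is named in the url-redirect-acl AV pair, the switch's HTTP server (hence "ip http server") intercepts and redirects the flows that hit a permit entry, while flows that hit a deny entry, here the ClearPass host, pass through untouched so the client can actually reach the portal. The following Python script is an added example, not code from this thread, HPE Aruba or Cisco: it parses extended ACL lines of that shape, evaluates constructed sample flows under those redirect semantics (192.0.2.10 stands in for ClearPass, 10.0.0.50 for a wired client), and its check function flags the two mistakes that give a redirect loop or no redirect at all. It ignores port qualifiers and assumes contiguous wildcard masks.

```python
"""
Added example (not from the thread, nor HPE Aruba's or Cisco's own code):
evaluate a Cisco IOS redirect ACL the way url-redirect-acl treats it.
In a redirect ACL, "permit" entries select the HTTP traffic that the switch
intercepts and redirects to the url-redirect target, while "deny" entries
let traffic through untouched. All addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed values: ClearPass server IP and a wired client IP.
CLEARPASS_IP = "192.0.2.10"
CLIENT_IP = "10.0.0.50"

# Constructed redirect ACL in the shape the thread recommends.
GOOD_ACL = """
ip access-list extended CP-REDIRECT
 deny tcp any host 192.0.2.10
 permit tcp any any
"""

# Same ACL with the deny line forgotten: the portal itself gets redirected.
BAD_ACL = """
ip access-list extended CP-REDIRECT
 permit tcp any any
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one address clause ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD');
    return the network and the index of the next unread token."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # address + wildcard mask; assumes a contiguous wildcard such as 0.0.0.255
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    prefixlen = 32 - bin(wildcard).count("1")
    net = ipaddress.ip_network(f"{tokens[i]}/{prefixlen}", strict=False)
    return net, i + 2


def parse_acl(text):
    """Parse extended ACL entries; port qualifiers (eq/range) and 'log' are ignored."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!", "remark"):
            continue  # skip the 'ip access-list extended' header and comments
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, proto, src, dst))
    return aces


def redirect_decision(aces, proto, src, dst):
    """First matching entry wins: 'permit' -> redirect, 'deny' -> bypass.
    No match (the implicit deny) also means the flow is not redirected."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return "redirect" if ace.action == "permit" else "bypass"
    return "bypass"


def check_redirect_acl(aces, clearpass_ip, client_ip=CLIENT_IP):
    """Two sanity checks before pushing the ACL via url-redirect-acl:
    the portal host must bypass, and ordinary web traffic must redirect."""
    problems = []
    if redirect_decision(aces, "tcp", client_ip, clearpass_ip) == "redirect":
        problems.append("traffic to ClearPass would itself be redirected: redirect loop")
    # 203.0.113.10 is a constructed stand-in for any Internet web server
    if redirect_decision(aces, "tcp", client_ip, "203.0.113.10") != "redirect":
        problems.append("web traffic is not redirected; the client never sees the portal")
    return problems


if __name__ == "__main__":
    for name, text in (("GOOD_ACL", GOOD_ACL), ("BAD_ACL", BAD_ACL)):
        print(name, "->", check_redirect_acl(parse_acl(text), CLEARPASS_IP) or "OK")
```

The evaluator only models what the redirect decision depends on (protocol, source, destination); it says nothing about the dACL applied alongside, which is a separate, ordinary filter. Note that UDP flows such as DNS never match a tcp-only redirect ACL, so they are not redirected, which is what you want while the client is stuck on the portal.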



  • 9.  RE: clearpass cisco posture

    Posted Sep 06, 2014 09:12 AM

    hi,

    When it meets

    user auth

    machine auth

    healthy posture

    I am sending a dACL (ip any any).

    I don't want to use a VLAN.

    I am using the dissolvable agent.

    I have these services:

    wireless service

    web based auth service ---> health check service

    wired Cisco service

    MAC caching service

    Is that the right ordering?

    My wireless is working well with posture and everything.



  • 10.  RE: clearpass cisco posture

    Posted Sep 06, 2014 06:58 PM
    That looks good