Contributor II
Posts: 67
Registered: ‎06-29-2014

clearpass cisco posture

hi,

we have an Aruba controller and a Cisco 3560 switch running IOS 12.2(58).

I have done all the wireless configuration and it is working well, and I have created posture for the wireless connection, which is also working well.

I want to create wired authentication for our employees on the Cisco switch, authenticating via our DC.

I don't want to install an agent on our employees' PCs; I want the Cisco switch to redirect them to the OnGuard portal and check them there.

I have created a wired service and policy. In the policy I have created a profile with the Cisco dACL template: if the user is [user auth] and [mac auth], he will get an "ip any any" ACL. Another profile checks whether the posture is healthy. If all of this matches he will get full access.

Second rule: it checks whether the TIPS role is [user auth] and [mac auth], and whether the posture is not healthy.

I don't know which profile I should assign to the second rule. If the user is authenticated but not healthy, I want the Cisco switch to redirect him to OnGuard without installing an agent and check his PC.

Could you please tell me what configuration I should do on the Cisco switch and in the ClearPass profile?

Note: I don't want to redirect him to another VLAN; I want to use the dACL attribute.

thank you

Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: clearpass cisco posture


OK, just keep in mind that the posture token is cached for a certain amount of time and the user may have to be manually checked every time they reconnect. The user experience may be frustrating. Is this the behavior you want?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 67
Registered: ‎06-29-2014

Re: clearpass cisco posture

yes, I want to check each time the user connects to the network whether his PC is healthy or not, via the wired connection on the Cisco switch.

I have created a service; inside the service there is a policy, and inside the policy there are 2 rules.

First rule:

tips role eq user auth
& tips role machine auth
& tips posture eq healthy

assign Cisco dACL profile1 (radius cisco : Cisco IP downloadable ACL : permit ip any any)

*** here I need to know how to configure a second profile for this rule to redirect him to OnGuard without installing the agent on his PC.

How can I do it?

Second rule:

tips role eq user auth
& tips role machine auth
& tips posture not eq healthy

assign Cisco dACL profile2 (radius cisco : Cisco IP downloadable ACL : ?)

Here I need to assign a profile that also redirects the user to the OnGuard portal, and I need to cache his credentials for the second connection.

How can I do it on ClearPass and the Cisco switch?

thank you

MVP
Posts: 4,120
Registered: ‎07-20-2011

Re: clearpass cisco posture

You can do the following:

[attachment: 2014-09-05 22_46_21-ClearPass Policy Manager - Aruba Networks.png]

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,536
Registered: ‎06-12-2012

Re: clearpass cisco posture

This has three user roles:

Employee
Staff
Student

[attachment: Screen Shot 2014-09-05 at 9.47.49 PM.png]

[attachment: Screen Shot 2014-09-05 at 9.51.44 PM.png]

Victor is correct. The easiest thing to do is send an ACL with the redirect to the CP page.

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor II
Posts: 67
Registered: ‎06-29-2014

Re: clearpass cisco posture

should I add this profile "Cisco wired OnGuard with posture" to both rules?

Should I also create a web auth service?

url-redirect= is it the OnGuard URL page?

thank you

Contributor II
Posts: 67
Registered: ‎06-29-2014

Re: clearpass cisco posture

here are the policy and the profiles.

Is that the right way?

Should I create or add another configuration?

thank you

MVP
Posts: 4,120
Registered: ‎07-20-2011

Re: clearpass cisco posture

What type of agent are you using, persistent or dissolvable?

I think what you should do is send the full access VLAN when it meets:

- Machine Auth
- User Auth
- Healthy Posture

[attachment: 2014-09-06 08_55_29-ClearPass Policy Manager - Aruba Networks.png]

And if the following criteria are met:

- Machine Auth
- User
- Not Healthy

then you send the Cisco AV Pair with the URL and ACL.

The ACL on your switch should look like this:

ip access-list extended <ACL NAME>
deny tcp any host <ClearPass IP Address>
permit tcp any any

Make sure that you enable ip http server on your switch.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
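The switch-side configuration and the per-rule RADIUS attributes that Victor's two cases imply, written out as an added example (it is not from this thread or from any of the posters; the ClearPass address 10.10.10.5, the ACL name ONGUARD-REDIRECT, the interface, the shared secret and the portal URL placeholder are all assumed, and the exact OnGuard portal URL must be taken from your own ClearPass server). One point worth checking on the switch: in a url-redirect ACL the permit entries are the traffic that gets redirected and the deny entries bypass the redirect, so ClearPass itself and DNS are denied in that ACL, as in Victor's sample. The dynamic-author stanza is what lets ClearPass re-authorize the port by CoA once OnGuard reports the PC healthy, instead of waiting for the next reconnect.

```cisco
! Added example, not from the thread. Assumed: ClearPass at 10.10.10.5,
! shared secret <shared-secret>, redirect ACL ONGUARD-REDIRECT, port Gi0/1.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key <shared-secret>
! Needed so the switch honours Cisco-AVPair (dACL, url-redirect) in the Access-Accept
radius-server vsa send authentication
!
! Change of Authorization from ClearPass: re-evaluates the session after OnGuard
! reports healthy, so the user is not stuck until the next reconnect
aaa server radius dynamic-author
 client 10.10.10.5 server-key <shared-secret>
!
dot1x system-auth-control
! The switch must learn the client IP to apply a dACL and intercept HTTP for redirect
ip device tracking
! HTTP listener that answers the client's web request with the redirect
ip http server
ip http secure-server
!
! Redirect ACL referenced by url-redirect-acl. permit = redirected, deny = not redirected.
ip access-list extended ONGUARD-REDIRECT
 deny   tcp any host 10.10.10.5
 deny   udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
!
! --- RADIUS attributes per rule (set in the ClearPass enforcement profiles, not on the switch) ---
! Rule 1: User Auth + Machine Auth + Healthy -> full access via dACL only, no VLAN change.
! A per-session dACL is carried as ip:inacl# entries in Cisco-AVPair; this is what the
! "Cisco Downloadable ACL" profile in the thread produces on the wire.
!   Cisco-AVPair = ip:inacl#1=permit ip any any
!
! Rule 2: User Auth + Machine Auth + Not Healthy -> restricted dACL plus web redirect.
! The dACL must still allow DNS and ClearPass, otherwise the portal and the
! dissolvable-agent check can never complete; everything else is denied.
!   Cisco-AVPair = url-redirect-acl=ONGUARD-REDIRECT
!   Cisco-AVPair = url-redirect=<OnGuard portal URL from your ClearPass server>
!   Cisco-AVPair = ip:inacl#1=permit udp any any eq domain
!   Cisco-AVPair = ip:inacl#2=permit ip any host 10.10.10.5
!   Cisco-AVPair = ip:inacl#3=permit tcp any any eq www
!   Cisco-AVPair = ip:inacl#4=permit tcp any any eq 443
!   Cisco-AVPair = ip:inacl#5=deny ip any any
```

After a test login with an unhealthy PC, `show authentication sessions interface GigabitEthernet0/1` should show the session with the URL Redirect ACL and URL Redirect fields populated; if they are empty, check that `radius-server vsa send authentication` is present and that the enforcement profile is actually attached to the not-healthy rule.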
Contributor II
Posts: 67
Registered: ‎06-29-2014

Re: clearpass cisco posture

hi,

when it meets

user auth
machine auth
healthy posture

I am sending a dACL (ip any any). I don't want to use a VLAN.

I am using the dissolvable agent.

I have these services:

wireless service
web based auth service ---> health check service
wired Cisco service
MAC caching service

Is that the right order?

My wireless is working well with posture and everything.

MVP
Posts: 4,120
Registered: ‎07-20-2011

Re: clearpass cisco posture

That looks good
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA