Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

clearpass cisco wired onguard with dot1x

  • 1.  clearpass cisco wired onguard with dot1x

    Posted Oct 13, 2017 11:19 AM

    hello everyone,

    I am facing an issue deploying ClearPass OnGuard with Cisco wired URL redirect.

    The customer doesn't want to push the OnGuard .msi file from AD as a GPO; they want ClearPass and Cisco to redirect users to the web login page to install the OnGuard agent.

    So far we did it:

    We have one ClearPass connected to the core switch, and we have completed all wireless services, which are working fine.

    We have 2 Cisco switches.

    One of them is connected directly to the core switch, and it is working perfectly with URL redirecting to the web login page to download OnGuard.

    The second one is connected to the distribution switch; it can ping the core and ClearPass, but it doesn't redirect to the web login page.

    We have created an extended access list on the L2 Cisco switch that is connected to the distribution switch, as below:

    ip access-list extended cppm
     deny tcp any host <clearpass ip>
     permit tcp any any

    We've created the services and enforcement profile as below:

    One of the rules in the enforcement policy is checking whether OnGuard is installed or not:

    Tips Posture equals Unknown ---> onguard-redirect enforcement profile

    The onguard-redirect enforcement profile is as below:

    Cisco-AVPair url-redirect-acl=cppm
    Cisco-AVPair url-redirect=https://<clearpass ip>/web/onguard.php

    The L2 switch has no gateway configured, just VLAN IDs and a trunk to distribution.

    Do we need to assign the gateway of the core to the L2 switch?

    We can see the dot1x is done on Access Tracker, but we can't redirect to the URL on the 2nd switch.

    thanks


  • 2.  RE: clearpass cisco wired onguard with dot1x

    EMPLOYEE
    Posted Oct 13, 2017 11:26 AM
    Take a look at the Solution Guide for Wired Policy Enforcement. While it doesn't directly cover OnGuard deployment, the scenario is very similar to a guest configuration.


  • 3.  RE: clearpass cisco wired onguard with dot1x

    Posted Oct 13, 2017 11:31 AM

    It's working fine with the 1st switch.

    Do I need to configure the 2nd switch as an L3 switch and assign the gateway of the core to it for it to work?

    As it's similar to the guest scenario, and guest is an L3 deployment, right?



  • 4.  RE: clearpass cisco wired onguard with dot1x

    Posted Oct 13, 2017 07:33 PM

    I would expect a layer-2 fabric to work whether or not there's an intermediate switch. I'd look at what makes one switch different from the other.

    Is the VLAN tagging the same throughout?

    Default and tagged VLANs the same and passing unaltered through the trunk?



  • 5.  RE: clearpass cisco wired onguard with dot1x

    Posted Oct 13, 2017 08:48 PM
    Hi msabin,
    When we tested the first switch, a MAC caching service was enabled.

    Now we have disabled the MAC caching service.
    Do we need to enable the MAC caching service?

    All VLANs and the default VLAN on the trunk are the same, and there are no alerts on the switches.

    When I type show access-list, I am just getting hits on the second rule of my extended list, which is

    permit tcp any any
    No hits on deny tcp any host "cppm ip"


  • 6.  RE: clearpass cisco wired onguard with dot1x
    Best Answer

    Posted Oct 14, 2017 04:48 PM
    Do you have the following enabled:

    ip device tracking
    !
    ip dhcp snooping
    !
    ip http server
    ip http secure-server

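As an added example (not any poster's own configuration), here is a Cisco IOS access-switch configuration that combines the prerequisites listed in the answer above with a redirect ACL of the shape used in the original post; the ClearPass address 192.0.2.10, VLAN 10 and the interface names are placeholders.

```ios
! Global prerequisites (constructed example, not the thread's configuration)
! The switch needs the client's IP to build a redirect; device tracking learns it,
! helped by DHCP snooping on the client VLAN.
ip device tracking
ip dhcp snooping
ip dhcp snooping vlan 10
! The switch itself answers the intercepted HTTP/HTTPS request with the redirect.
ip http server
ip http secure-server
! Cisco-AVPair attributes (url-redirect, url-redirect-acl) arrive as RADIUS VSAs
! and are only honoured with VSA support and network authorization enabled.
radius-server vsa send authentication
aaa authorization network default group radius
!
! Redirect ACL referenced by the ClearPass enforcement profile (url-redirect-acl=cppm).
! Note the inverted logic of a Cisco redirect ACL: deny = leave the traffic alone,
! permit = intercept and redirect.
ip access-list extended cppm
 remark DNS must pass so the client can resolve the portal name
 deny   udp any any eq domain
 remark ClearPass (placeholder 192.0.2.10) is never redirected: portal and OnGuard download
 deny   tcp any host 192.0.2.10 eq 443
 deny   tcp any host 192.0.2.10 eq 80
 remark narrower than "permit tcp any any": only web traffic is intercepted
 permit tcp any any eq 80
 permit tcp any any eq 443
!
! Client-facing access port: 802.1X; the redirect itself is pushed from RADIUS
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
! Uplink to distribution: trunk carrying VLAN 10, trusted for DHCP snooping
interface GigabitEthernet1/0/48
 switchport mode trunk
 ip dhcp snooping trust
```

After a client authenticates, show authentication sessions interface GigabitEthernet1/0/1 details should list the redirect ACL and URL that ClearPass returned, and show ip device tracking all should list the client's IP; without that IP binding the switch cannot build the redirect.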

  • 7.  RE: clearpass cisco wired onguard with dot1x

    Posted Oct 16, 2017 03:02 AM

    thanks Victor,

    I missed ip http server, it was no