Occasional Contributor II

clearpass cisco wired onguard with dot1x

Hello everyone,

I am facing an issue deploying ClearPass OnGuard with Cisco wired URL redirect.

The customer doesn't want to push the OnGuard .msi file from AD as a GPO; they want ClearPass and Cisco to redirect users to the web login page to install the OnGuard agent.

So far we have done the following:

We have one ClearPass connected to the core switch, and we have completed all wireless services, which are working fine.

 

We have 2 Cisco switches.

One of them is connected directly to the core switch and is working perfectly, with URL redirection to the web login page to download OnGuard.

The second one is connected to a distribution switch; it can ping the core and ClearPass, but it does not redirect to the web login page.

 

We have created an extended access list on the L2 Cisco switch connected to the distribution switch, as below:

 ip access-list extended cppm
  deny tcp any host <clearpass ip>
  permit tcp any any

We've created the services and enforcement profile, as below:

 

One of the rules in the enforcement policy checks whether OnGuard is installed or not:

Tips:Posture EQUALS UNKNOWN ---> onguard-redirect enforcement profile

 

The onguard-redirect enforcement profile is as below:

 Cisco-AVPair = url-redirect-acl=cppm
 Cisco-AVPair = url-redirect=https://<clearpass ip>/web/onguard.php

 

The L2 switch has no gateway configured, just VLAN IDs and a trunk to the distribution switch.

Do we need to assign the core's gateway to the L2 switch?

We can see that dot1x completes in Access Tracker, but we can't redirect to the URL on the 2nd switch.

 

Thanks

Guru Elite

Re: clearpass cisco wired onguard with dot1x

Take a look at the Solution Guide for Wired Policy Enforcement. While it doesn't directly cover OnGuard deployment, the scenario is very similar to a guest configuration.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: clearpass cisco wired onguard with dot1x

It's working fine with the 1st switch.

Do I need to configure the 2nd switch as an L3 switch and assign the core's gateway to it for it to work?

As it's similar to the guest scenario: guest is an L3 deployment, right?

 

MVP

Re: clearpass cisco wired onguard with dot1x

I would expect a layer-2 fabric to work whether or not there's an intermediate switch. I'd look at what makes one switch different from the other.

Is the VLAN tagging the same throughout?

Default and tagged VLANs the same and passing unaltered through the trunk?

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Occasional Contributor II

Re: clearpass cisco wired onguard with dot1x

Hi msabin,
When we tested the first switch, a MAC caching service was enabled.

Now we have disabled the MAC caching service.
Do we need to enable the MAC caching service?

All VLANs and the default VLAN on the trunk are the same, and there are no alerts on the switches.

When I type show access-list I am only getting hits on the second rule of my extended list, which is

 permit tcp any any

No hits on deny tcp any host <cppm ip>.

Re: clearpass cisco wired onguard with dot1x

Have you enabled the following:

ip device tracking
!
ip dhcp snooping
!
ip http server
ip http secure-server
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
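As an added example, not configuration from any post in this thread, the following is a complete minimal IOS configuration for a Cisco access switch doing 802.1X/MAB with a ClearPass URL redirect. It combines the ACL and AVPs the original post shows with the global commands listed in the reply above. Assumptions (not stated in the thread): ClearPass at 10.1.1.10, RADIUS shared secret S3cret!, client VLAN 100, client port GigabitEthernet1/0/1, uplink GigabitEthernet1/0/24. It also goes beyond the thread's `permit tcp any any` by redirecting only web traffic, which is the usual generalization: "deny" lines exempt traffic from redirect, "permit" lines select traffic to be intercepted.

```cisco
! Added example, not from the thread. Addresses, secret, VLAN and port
! numbers are assumptions; replace them with the real values.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server cppm
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key S3cret!
!
! Cisco VSAs carry url-redirect / url-redirect-acl; CoA lets ClearPass
! re-authorize the port once OnGuard posts a healthy posture.
radius-server vsa send authentication
radius-server vsa send accounting
aaa server radius dynamic-author
 client 10.1.1.10 server-key S3cret!
!
dot1x system-auth-control
!
! The items from the reply above. Device tracking (fed by DHCP snooping)
! tells the switch the client's IP so the redirect ACL can be applied to
! it; the HTTP/HTTPS listeners are what actually answer the intercepted
! request with the redirect. Without "ip http server" the permit entries
! still count hits but no redirect is ever sent.
ip dhcp snooping
ip dhcp snooping vlan 100
ip device tracking
ip http server
ip http secure-server
!
! Redirect ACL referenced by url-redirect-acl=cppm in the enforcement profile.
! Traffic to ClearPass itself must be exempt (deny) or the portal and the
! OnGuard download would be redirected in a loop.
ip access-list extended cppm
 deny   tcp any host 10.1.1.10
 deny   udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
!
! Uplink: DHCP snooping drops DHCP offers from untrusted ports, so the
! trunk towards the distribution switch must be trusted.
interface GigabitEthernet1/0/24
 switchport mode trunk
 ip dhcp snooping trust
!
! Client port: dot1x first, fall back to MAB so unmanaged hosts still get
! a session that ClearPass can redirect.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

To confirm the redirect was actually received and applied, check `show authentication sessions interface GigabitEthernet1/0/1 details` for the URL Redirect and URL Redirect ACL lines, `show ip device tracking all` for the client's IP binding, and `show ip access-lists cppm` for hit counts on the permit entries.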
Occasional Contributor II

Re: clearpass cisco wired onguard with dot1x

Thanks Victor,

I missed ip http server; it was 'no'.
