Frequent Contributor II
Posts: 479
Registered: ‎03-15-2014

on wired 802.1x how to make users keep working if clearpass fail?

I'm integrating ClearPass with Cisco NAD switches (2960, 3650, Small Business). Now the thing is that the customer wants the users to keep working normally in case of a total ClearPass failure, so what is the best thing to do to achieve that?

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: on wired 802.1x how to make users keep working if clearpass fail?

802.1X cannot fail open. You would have to configure the switch to have an open fail through VLAN which is not very secure.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,545
Registered: ‎06-12-2012

Re: on wired 802.1x how to make users keep working if clearpass fail?

!
interface GigabitEthernet1/0/18
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 110
 authentication event fail action next-method
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 authentication host-mode multi-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 3
 dot1x max-req 3
 dot1x max-reauth-req 3
 spanning-tree portfast
!
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
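An added example, not part of any post in this thread and not Cisco or Aruba code: a small Python audit that reads IOS-style interface configuration and reports ports where the `server dead` or `no-response` fallback discussed in the thread authorizes a VLAN without authentication, noting when that VLAN equals the port's access VLAN and when `multi-host` is also set. The second interface, VLAN 999 and the finding labels are assumptions made for illustration.

```python
import re

# Constructed sample: the port from the thread, plus a hypothetical second
# port whose fallback VLAN (999) differs from its access VLAN.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/18
 switchport access vlan 100
 authentication event server dead action authorize vlan 100
 authentication event no-response action authorize vlan 100
 authentication host-mode multi-host
!
interface GigabitEthernet1/0/19
 switchport access vlan 100
 authentication event server dead action authorize vlan 999
"""

RULES = {
    "access_vlan": re.compile(r"switchport access vlan (\d+)"),
    "server_dead": re.compile(r"authentication event server dead action authorize vlan (\d+)"),
    "no_response": re.compile(r"authentication event no-response action authorize vlan (\d+)"),
    "host_mode": re.compile(r"authentication host-mode (\S+)"),
}

def parse_interfaces(config):
    """Return {interface: {setting: value}} for the settings in RULES."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], {})
        elif line == "!":
            current = None  # end of the interface block
        elif current is not None:
            for key, rx in RULES.items():
                if match := rx.fullmatch(line):
                    current[key] = match.group(1)
    return ports

def audit(config):
    """Return sorted (interface, finding) pairs; finding labels are this example's own."""
    findings = []
    for name, port in parse_interfaces(config).items():
        fallbacks = [k for k in ("server_dead", "no_response") if k in port]
        for key in fallbacks:
            scope = "same-as-access" if port[key] == port.get("access_vlan") else "separate"
            findings.append((name, f"{key}:vlan{port[key]}:{scope}"))
        if fallbacks and port.get("host_mode") == "multi-host":
            findings.append((name, "multi-host-with-fallback"))
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` lists three findings for GigabitEthernet1/0/18 and one for GigabitEthernet1/0/19; a `same-as-access` result means the unauthenticated fallback lands in the same VLAN that authenticated users get.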
Frequent Contributor II
Posts: 479
Registered: ‎03-15-2014

Re: on wired 802.1x how to make users keep working if clearpass fail?

So tarnold, this will make users able to work normally on VLAN 100 in case of a total ClearPass failure, right?

Aruba
Posts: 1,545
Registered: ‎06-12-2012

Re: on wired 802.1x how to make users keep working if clearpass fail?

Yes. The line dead server is the VLAN the port would default to. Just like Tim stated, it's not a very secure action but it is an option.

Thank You,
Troy

Frequent Contributor II
Posts: 479
Registered: ‎03-15-2014

Re: on wired 802.1x how to make users keep working if clearpass fail?

So you mean that a user who still didn't enter his 802.1X credentials has access to the network?

Aruba
Posts: 1,545
Registered: ‎06-12-2012

Re: on wired 802.1x how to make users keep working if clearpass fail?

Just like the line states.

authentication event server dead action authorize vlan 100

If the RADIUS server is dead or the switch loses communication within its timeout period it will just roll over to VLAN 100.
Thank You,
Troy

Frequent Contributor II
Posts: 479
Registered: ‎03-15-2014

Re: on wired 802.1x how to make users keep working if clearpass fail?

Dear Tarnold, when I used this configuration the 802.1X pop-up didn't come, and the Ethernet adapter on the client keeps saying "attempting to authenticate" and doesn't show any pop-up to enter credentials.

Frequent Contributor II
Posts: 479
Registered: ‎03-15-2014

Re: on wired 802.1x how to make users keep working if clearpass fail?

When I added this line it worked after 30 sec:

#authentication event no-response action authorize vlan 100

But this is working well for pinging inside the network, but for the Windows domain it is not working: things like opening FTP or a remote desktop connection are all not working, so how to solve this?

Aruba
Posts: 1,545
Registered: ‎06-12-2012

Re: on wired 802.1x how to make users keep working if clearpass fail?

That is all dependent on your switch and your VLAN settings. You will need to contact the switch vendor.
Thank You,
Troy
