12-05-2013 06:41 PM
From the same broadcast domain, identify an AD domain machine and allocate a DHCP IP from subnet 1, and on the other hand identify a non-AD domain machine (with a known MAC address) and allocate a DHCP IP from subnet 2. This requirement is for wired systems, and we have switches which are 802.1X. Can I achieve this with the base ClearPass Policy Manager without using OnGuard?
12-05-2013 06:43 PM - edited 12-05-2013 06:48 PM
Yes, you can do that with the base Policy Manager license.
CPPM has a built-in Machine Authentication role that allows you to make policy decisions about AD-joined machines and then return back a specific VLAN (or if you are using Aruba switches, you can return back a user role).
You can then check the remaining devices against an external database, network registration system, or utilize the built-in endpoint repository as your authoritative device database.
OnGuard allows you to get more granular with your policy decisions by using posture checks like antimalware software and updates. You can also check for software like torrent applications and leave the device in a specific state until the software is removed.
12-05-2013 07:00 PM
Further, can we allocate a VLAN based on the switch (meant from a location)?
- AD systems 10.1.x.x
- Non-AD systems 10.2.x.x
- AD systems 10.3.x.x
- Non-AD systems 10.4.x.x
This should be possible through CPPM?
12-05-2013 07:03 PM
- put the switches into groups in ClearPass and then make your policies based on the group
- use something like the NAS-ID as a location tag.
Pretty much anything in the RADIUS request can be referenced in your policy
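To make the two answers above concrete (machine authentication deciding AD vs. non-AD, and the NAS-ID / switch group deciding the location), here is an added example that models that enforcement decision in Python. It is not ClearPass code and not from the original posts: the switch groups, VLAN ids, subnets and endpoint MAC addresses are all constructed, and the only standard pieces are the RADIUS attribute names in the reply (RFC 3580 Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id), which is what a switch expects in an Access-Accept to assign a VLAN.

```python
"""Hypothetical model of the VLAN decision described in this thread.

Inputs are what a policy server sees on an 802.1X / MAC-auth request from a
switch: the NAS-Identifier (used here as a location tag, as the second answer
suggests), the Calling-Station-Id (the client MAC), and whether machine
authentication against AD succeeded. Output is the VLAN plus the standard
RFC 3580 tunnel attributes the Access-Accept would carry.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed switch groups, standing in for ClearPass network device groups.
# Key: NAS-Identifier sent by the switch; value: location label.
SWITCH_GROUPS = {
    "sw-bldgA-01": "building-a",
    "sw-bldgA-02": "building-a",
    "sw-bldgB-01": "building-b",
}

# Constructed VLAN plan mirroring the per-location subnets in the question:
# (location, device class) -> (VLAN id, subnet).
VLAN_PLAN = {
    ("building-a", "ad-machine"): ("101", "10.1.0.0/16"),
    ("building-a", "known-device"): ("102", "10.2.0.0/16"),
    ("building-b", "ad-machine"): ("103", "10.3.0.0/16"),
    ("building-b", "known-device"): ("104", "10.4.0.0/16"),
}

# Constructed endpoint repository of known non-AD devices (normalised MACs).
KNOWN_ENDPOINTS = {"001122334455", "aabbccddeeff"}


def normalise_mac(mac: str) -> str:
    """Strip ':' / '-' / '.' separators and lowercase, so that the many
    Calling-Station-Id formats switches use compare equal."""
    return "".join(ch for ch in mac.lower() if ch not in ":-.")


@dataclass
class Decision:
    action: str                      # "accept" or "reject"
    vlan: Optional[str] = None
    subnet: Optional[str] = None
    attributes: dict = field(default_factory=dict)


def classify(request: dict, machine_authenticated: bool) -> str:
    """AD-joined machines win on machine authentication; everything else is
    only accepted if its MAC is in the endpoint repository."""
    if machine_authenticated:
        return "ad-machine"
    mac = normalise_mac(request.get("Calling-Station-Id", ""))
    if mac in KNOWN_ENDPOINTS:
        return "known-device"
    return "unknown"


def decide(request: dict, machine_authenticated: bool) -> Decision:
    """Map (switch group, device class) to a VLAN and build the reply attributes."""
    location = SWITCH_GROUPS.get(request.get("NAS-Identifier", ""))
    device_class = classify(request, machine_authenticated)
    if location is None or device_class == "unknown":
        # Unknown switch or unknown device: no VLAN is handed out.
        return Decision("reject")
    vlan, subnet = VLAN_PLAN[(location, device_class)]
    attributes = {
        "Tunnel-Type": "VLAN",             # RFC 3580: attribute 64, value 13
        "Tunnel-Medium-Type": "IEEE-802",  # RFC 3580: attribute 65, value 6
        "Tunnel-Private-Group-Id": vlan,   # RFC 3580: attribute 81, VLAN id
    }
    return Decision("accept", vlan, subnet, attributes)


if __name__ == "__main__":
    # Constructed sample requests: an AD laptop in building A, a known printer
    # in building B, and an unknown device in building B.
    samples = [
        ({"NAS-Identifier": "sw-bldgA-01", "Calling-Station-Id": "00-11-22-33-44-55"}, True),
        ({"NAS-Identifier": "sw-bldgB-01", "Calling-Station-Id": "AA:BB:CC:DD:EE:FF"}, False),
        ({"NAS-Identifier": "sw-bldgB-01", "Calling-Station-Id": "DE-AD-BE-EF-00-01"}, False),
    ]
    for req, mauth in samples:
        d = decide(req, mauth)
        print(req["NAS-Identifier"], req["Calling-Station-Id"], "->", d.action, d.vlan, d.subnet)
```

The ordering in `classify` is the point of the first answer: the machine-authentication result is the strong signal and is checked first, while the endpoint-repository match on MAC is the weaker fallback (a MAC is visible on the wire and not authenticated), so the non-AD VLAN should carry only the access those devices actually need.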