Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Cisco Downloadable ACL with FQDN

  • 1.  Clearpass Cisco Downloadable ACL with FQDN

    Posted Mar 22, 2021 10:40 AM
    Hi,

    I'm working on a Clearpass integration with Cisco Catalyst switches. The customer is asking for a device registration portal. For this I will follow the Wired Policy Enforcement technote. No questions there.

    The registration portal will use AzureAD for authentication, so I will have to allow https to AzureAD in the redirect "role". I cannot find an example on how to include an FQDN in a Clearpass Cisco Downloadable ACL. According to info from Cisco forums, adding a line like "permit tcp any host login.microsoftonline.com eq 443" in the Cisco dACL will not work, and the use of object-group network is specified. I can't find any examples on how to add these to the dACL, if it is even possible?

    Any examples will be appreciated.

    rgds,
    Erik.


    ------------------------------
    Erik Eckhardt
    ACMX #1245, ACDX #968, ACCP, ACSP
    ------------------------------


  • 2.  RE: Clearpass Cisco Downloadable ACL with FQDN

    MVP GURU
    Posted Mar 22, 2021 12:13 PM
    Hi,

    What Catalyst switch model? Have you checked whether the ACL works locally? Have you configured the DNS domain on the switch?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 3.  RE: Clearpass Cisco Downloadable ACL with FQDN

    Posted Mar 23, 2021 05:57 AM
    Hi Alagoutte,

    thanks for your response.

    No access to the switches for another 2 weeks. Model 3850 running software version 16.9.5. I'm preparing the Clearpass config for a PoC with information gathered from various Cisco and Aruba forums, which state that if you add the FQDN in an ACL it will be converted to an IP immediately and stay like that, which will not work for cloud FQDNs. Instead you have to work with a passthru domain list, which is similar to what you do on an Aruba controller with a netdestination.
    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-cfg-fqdn-acl.html#task_41BA46EA666A420AA10AB229D0408E5D

    It looks like this cannot be included in a downloadable ACL (I think). The wired policy enforcement solution guide specifies an enforcement profile calling a local ACL blocking access to Clearpass and sending a redirect URL, and sending a downloadable ACL which allows 80/443 access to Clearpass but blocks all (similar to an Aruba User Role for triggering CP).

    I guess the local ACL with the deny to Clearpass is necessary for triggering the redirect, but won't calling another local ACL overrule this one?


    thanks,
    Erik

    edit: catalyst model added

    ------------------------------
    Erik Eckhardt
    ACMX #1245, ACDX #968, ACCP, ACSP
    ------------------------------
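
As an added example (not code from this thread, from HPE Aruba or from Cisco), the following Python checker lints a downloadable ACL body before it goes into a ClearPass enforcement profile. It assumes the ACL is expressed in the RADIUS cisco-av-pair form `ip:inacl#N=<ACE>`, and the sample ACL, the ClearPass address 10.20.30.40 and the port keyword table are constructed for the example. It flags every entry whose source or destination is a hostname rather than an IP address (the situation the thread describes, where an FQDN in a dACL does not act as a dynamic match), and it checks that the ACL still permits TCP 80/443 to the ClearPass server that the redirect depends on.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not from the thread): a downloadable ACL body in the
# RADIUS cisco-av-pair form ip:inacl#N=<ACE>, as a ClearPass enforcement
# profile would send it to a Catalyst switch for the redirect role.
# Entry 3 names an FQDN instead of an IP address.
SAMPLE_DACL = """\
ip:inacl#1=permit udp any any eq 53
ip:inacl#2=permit tcp any host 10.20.30.40 eq 443
ip:inacl#3=permit tcp any host login.microsoftonline.com eq 443
ip:inacl#4=deny ip any any
"""

ACE_PREFIX = re.compile(r"^ip:inacl#(\d+)=(.+)$")
PORT_NAMES = {"www": "80", "https": "443", "domain": "53"}  # IOS keyword aliases


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]  # destination port as a numeric string, or None


def _take_address(tokens: List[str]) -> str:
    """Pop one ACL address spec: 'any', 'host X', or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return tokens.pop(0)
    return f"{tok} {tokens.pop(0)}"  # address followed by its wildcard mask


def parse_ace(line: str) -> Ace:
    """Parse one ip:inacl#N=... entry into its fields."""
    m = ACE_PREFIX.match(line.strip())
    if not m:
        raise ValueError(f"not an ip:inacl entry: {line!r}")
    tokens = m.group(2).split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in entry {m.group(1)}")
    src = _take_address(rest)
    dst = _take_address(rest)
    port = None
    if len(rest) >= 2 and rest[0] == "eq":
        port = PORT_NAMES.get(rest[1], rest[1])
    return Ace(int(m.group(1)), action, proto, src, dst, port)


def is_ip_target(spec: str) -> bool:
    """True for 'any' and for literal addresses/wildcards; False for a hostname."""
    if spec == "any":
        return True
    try:
        for part in spec.split():
            ipaddress.ip_address(part)
    except ValueError:
        return False
    return True


def lint_dacl(text: str) -> List[str]:
    """Report every entry whose source or destination is an FQDN rather than an IP."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ace = parse_ace(line)
        for label, spec in (("source", ace.src), ("destination", ace.dst)):
            if not is_ip_target(spec):
                findings.append(
                    f"entry {ace.seq}: {label} '{spec}' is an FQDN, not an IP address"
                )
    return findings


def permits_tcp_to(text: str, host: str, port: str) -> bool:
    """First-match evaluation: does the ACL permit TCP to host:port?"""
    for line in text.splitlines():
        if not line.strip():
            continue
        ace = parse_ace(line)
        dst_ok = ace.dst in ("any", host)
        port_ok = ace.port in (None, PORT_NAMES.get(port, port))
        proto_ok = ace.proto in ("ip", "tcp")
        if dst_ok and port_ok and proto_ok:
            return ace.action == "permit"
    return False  # implicit deny at the end of the ACL


if __name__ == "__main__":
    print("\n".join(lint_dacl(SAMPLE_DACL)))
    print("ClearPass 443:", permits_tcp_to(SAMPLE_DACL, "10.20.30.40", "443"))
    print("ClearPass 80:", permits_tcp_to(SAMPLE_DACL, "10.20.30.40", "80"))
```

Run against the sample, the linter reports entry 3 as an FQDN destination, and the reachability check shows that 443 to the ClearPass address is permitted while 80 falls through to the final deny, which is the kind of gap that silently breaks the captive-portal redirect.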