Security

Hi,

I have two flavors of switches - hpe and Cisco.

All ports have below config
Access vlan 10 ,
Voice vlan is 20
The four vlans 10, 20,30 and 40 are configured on switch.

Now during enforcement - CPPM is returning vlan 30 for user standard PC and vlan 40 for IP phones.

So my question is do we have to manually put the user port in vlan 30 and IP phone in vlan 40 ?

Or Radius attribute / enfoced vlan takes prefer ence without doing any change on anyport ?

I need this on both Cisco and hpe switch

Please follow the ClearPass Solution Guide for Wired Policy Enforcement.

Hi Tim

I have gone through it . But this is still not clear . Whatever cppm returns back as enforcement vlan, port will take it does not matter whether port is preconfigured in that vlan or not . But this is not confirmed from wired guide. And moreover for Cisco switch it is not specifically mentioned

To the best of my knowledge, Radius assigned VLANs will always take precedence over the port VLAN. If you want to do radius authentication while still keeping the port configuration, you should be able to do a simple "allow access" radius profile

Hello Chris . Yes radius always take preference . My query is for example radius returns vlan 20 but is it essential that port must be preconfigured in vlan 20 ? It could be configured in any vlan beforehand right ?

No. The VLAN only needs to be defined on the switch.

Thanks Tim .really appreciate. I guess this is applicable for Cisco ( newer version I would say) and hpe both ?

Pretty standard across the industry.

There is a whole Cisco section of the doc...