Security

last person joined: 5 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass Enforcement Profiles that default to native vlan on switch port

Jump to Best Answer
  • 1.  ClearPass Enforcement Profiles that default to native vlan on switch port

    Posted Jul 13, 2016 03:57 PM

    I'm implementing a ClearPass solution for segmenting out different domain traffic on comingled equipment. I'm currently using dynamic vlan assignment to accomplish this.

     

    Currently there are many switches set up with different VLANs to accomodate small broadcast domains. I'm trying to create a policy that adds specific users to a new VLAN that has more access. If the user does not meet the rules they should default to the native VLAN on the switch port and NOT the vlan specified in the default enforcement profile. If I let everyone use the default enforcement profile I will have thousands of users on one VLAN.

     

    Is there any creative way to get this to work?



  • 2.  RE: ClearPass Enforcement Profiles that default to native vlan on switch port

    Posted Jul 13, 2016 03:59 PM
    When you return a VLAN via RADIUS, the NAD *generally* always uses that.



    What you can do is define VLAN ID's in the NAD definition in ClearPass as
    custom attributes and then use that variable in your enforcement profile.


  • 3.  RE: ClearPass Enforcement Profiles that default to native vlan on switch port
    Best Answer

    Posted Jul 28, 2016 04:28 PM

    So I found a way to do this by creating a service that had a rule which triggered the [Allow Access Profile]. If I did not also specify a VLAN to return, it kept the native vlan of the port.

     

    I ended up scrapping this for my solution entirely as the "allowed user vlan", or the vlan that had ACLs which allowed users to access business systems, ended up with thousands of users. Too many users, bad performance.

     

    I ended up with going a Downloadable ACL route. The native port vlans were left as-is but a DACL was applied based on what role a user was mapped in the service configuration. I had the roles grabbing a user's domain authentication source. This method allowed me to secure access to and from the proper resources without needing to rearchitect our entire vlan structure.

     

     



  • 4.  RE: ClearPass Enforcement Profiles that default to native vlan on switch port

    Posted Jul 28, 2016 04:43 PM

    One more note. When creating the DACL in clearpass, do not use ANY extra spaces at the end, tabs, !, or other comments to try and notate the dacl. It will not take it and your devices will fail dot1x authentication.