Hi All, hope you are OK. I need to configure, and by that integrate, the new Cisco 9000 series switches for 802.1X with ClearPass. Is this a good starting point to check?
Any more thoughts on this? Regards
Hi, I work with a customer who is running ClearPass as the RADIUS server for the Cisco switches they have. They have had IP phones and computers connected to the phones. In this setup Cisco does not recommend using Downloadable ACLs, but without the need for multiple clients on the same switch port it shouldn't be an issue.

I'm not working with the switches for this customer, only ClearPass, but there is nothing special you need to do to get it working from the ClearPass side. Switch configuration is also straightforward. Depending on your intentions you may need to enable the Cisco RADIUS VSA in ClearPass.

The linked documentation may be a good starting point, or the Wired enforcement guide: https://asp.arubanetworks.com/downloads/documents/RmlsZTpmMDY3Y2UwYS1lNmZiLTExZWEtYjFjMi0zYmZjN2Y0MzMxNDI%3D

ClearPass also supports Cisco Device Sensor for wired profiling.
One thing I did to make the policy a bit more flexible on our Cisco switch deployments is to use the VLAN name instead of the VLAN number in the Vlan-Private-Group-ID attribute. We are pretty brownfield as far as some of our campus VLAN numbers go, but we do consistently have a "users" and a "voice" VLAN everywhere, even if they're not the same number. It's case sensitive, and obviously per switch, so every switch VLAN database entry for the name needs to be consistent.
It's really not best practice to use VLAN change though, especially for headless/IoT devices authorized via MAB. dACLs should really be leveraged instead of VLAN changes.
I would recommend checking "How to configure IBNS 2.0" because it can get tricky. If you have access to https://ase.arubanetworks.com/ it is very helpful as well.

We had a huge integration with C9000 and C1000 series and it is very tricky to get things going in an environment with multiple types of equipment, especially if you have unmanaged switches sitting behind the ports, or VoIP phones with PCs behind them.

As a good step, also check the Cisco C9000/C1000 IBNS 2.0 integration with Cisco ISE. Usually the same configs work with the ClearPass integration as well.
Hello, I have a bunch of 9200L and 3560CX with IBNS2 configured, and we use the multi-auth option to be able to handle phones, PCs, and unmanaged switches. The only drawback is that the switch needs to avoid sending BPDUs on the port, and it allows us to manage only one data VLAN and the voice VLAN. And no ACL. So the documentation is a good start, but avoid the ACL; the rule should be allowed to connect, or not. KISS method!
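As an added example, not posted by anyone in this thread and not taken from Aruba or Cisco documentation, here is a minimal Catalyst IOS-XE IBNS 2.0 configuration of the kind the posts above describe: 802.1X with MAB fallback, multi-auth host mode for a phone plus PC (or an unmanaged switch) on one port, ClearPass as the RADIUS server with CoA, the Cisco VSAs enabled, and the VLAN database named so that ClearPass can return the standard Tunnel-Private-Group-ID attribute as the VLAN name "users" or "voice" instead of a number. The RADIUS server address 192.0.2.10, the shared-secret placeholder, the VLAN numbers and all policy/class-map names are assumptions to be replaced with your own.

```cisco
! --- AAA: authentication, and authorization so the switch applies VLAN / dACL attributes ---
aaa new-model
aaa authentication dot1x default group CLEARPASS-GRP
aaa authorization network default group CLEARPASS-GRP
aaa accounting dot1x default start-stop group CLEARPASS-GRP
!
! --- RADIUS server definition (192.0.2.10 and the key are placeholders) ---
radius server CLEARPASS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
aaa group server radius CLEARPASS-GRP
 server name CLEARPASS-1
!
! Cisco VSAs (Cisco-AVPair) in requests/accounting; needed for dACL and Device Sensor data
radius-server vsa send authentication
radius-server vsa send accounting
!
! Allow ClearPass to send Change-of-Authorization (same key as above)
aaa server radius dynamic-author
 client 192.0.2.10 server-key REPLACE-WITH-SHARED-SECRET
!
! Enable 802.1X globally and the IBNS 2.0 (new-style) command set
dot1x system-auth-control
authentication display new-style
!
! Device tracking: the switch must learn the client IP before it can install a dACL
device-tracking policy IPDT_POLICY
 tracking enable
!
! VLAN names must be identical (case sensitive) on every switch that will receive
! Tunnel-Private-Group-ID = "users" or "voice" from ClearPass
vlan 10
 name users
vlan 20
 name voice
!
! --- IBNS 2.0 classification ---
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
! --- IBNS 2.0 policy: try 802.1X first, fall back to MAB, retry after a failure ---
policy-map type control subscriber DOT1X_MAB_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
!
! --- Access port: phone + PC, or an unmanaged switch with several hosts behind it ---
interface GigabitEthernet1/0/1
 description Phone and PC (or unmanaged switch) - each MAC authenticates separately
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 device-tracking attach-policy IPDT_POLICY
 access-session host-mode multi-auth
 access-session port-control auto
 access-session closed
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 spanning-tree portfast
 ! no "spanning-tree bpduguard enable" here: a downstream switch that sends BPDUs
 ! would put the port into err-disabled
 service-policy type control subscriber DOT1X_MAB_POLICY
```

Check the result per client with `show access-session interface GigabitEthernet1/0/1 details`, which lists each authenticated MAC, the method used (dot1x or mab) and the VLAN or ACL the server returned. In multi-auth mode only one data VLAN can be assigned on the port (the first data client's VLAN wins), which is why the thread recommends dACLs rather than VLAN changes when different clients behind one port need different access.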
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.