Security

 View Only
last person joined: 20 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass Wired Solutions - pc behind an IP phone

This thread has been viewed 24 times
  • 1.  Clearpass Wired Solutions - pc behind an IP phone

    Posted Jun 02, 2023 05:38 AM

    Hi,

    I am using 802.1x and Mac cache services with webAuthentication for wired network. When a client connect to lan, splash page comes an client chooses is he a guest or is he in domain. At this step client already has an ip address and after authentication client gets a new role and new vlan. To get new ip address, i used port bounce. 

    Problem is, after switch get bounce port role, it down/up the port but ip phone's port is still up. Even the client gets the new role on the switch, client doesn't release ip address and doesn't get the new ip address belong to new vlan. How can i solve this? Is there a way force the computers to get new ip addresses after authentication?



  • 2.  RE: Clearpass Wired Solutions - pc behind an IP phone

    MVP
    Posted Jun 04, 2023 10:09 AM

    For our clients behind ip phones, we use 802.1X authentication ( currently PEAP-MSCHAPv2, moving to EAP-TLS) The client authenticated before they get an ip address.

    It appears to me, that webAuthentication may be the wrong choice here.

    If you use 802.1X authentication for the domain machines, the wired switch can detect whether the client is sending EAP packets. If not, the switch could present the webAuthentication page.  Just a quick idea off the top of my head.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 3.  RE: Clearpass Wired Solutions - pc behind an IP phone

    Posted Jun 04, 2023 02:38 PM

    Why are you changing VLANs at all?  Why not use a Local User Role, Downloadable User Role, or dACL (if Cisco)?  Then you can change to CoA terminate or re-auth so you don't have to bounce the port.  If the PC was running a supplicant you could also do 802.1X which then the PC would be aware of the VLAN change, a much better approach IMHO than wired web redirect.




  • 4.  RE: Clearpass Wired Solutions - pc behind an IP phone

    Posted Jun 05, 2023 03:00 AM

    The best thing to do in this case: use a dedicated "profiling subnet" with very short DHCP-lease times. I am not aware of any other method to force computers to get new IP address fast otherwise.