Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

manual CoA port bounce

  • 1.  manual CoA port bounce

    Posted Aug 24, 2022 09:34 PM
    I'm able to send a CoA port bounce from the "Change Status" button in Access Tracker when viewing a successfully authenticated client, but is there a way I can manually send one for a rejected client?


  • 2.  RE: manual CoA port bounce

    EMPLOYEE
    Posted Aug 25, 2022 04:04 AM
    No, you will not be able to send a CoA for a rejected client, because the CoA is tied to a session, and for a reject there is no session.

    For this specific reason, I try to always return an accept, but with a quarantine user-role or VLAN. Another reason to always return an Accept, is that if a client is rejected, it will try to re-authenticate (and may flood your access-tracker), where authenticated clients will just sit on the network.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: manual CoA port bounce

    Posted Sep 15, 2022 10:41 PM
    Hi Herman,

    What will you tell a customer that always wants to prioritize reject/deny over quarantine for their unwanted devices, aside from maybe the DHCP lease issue (if we keep all devices in the network, the DHCP server will run out of lease IPs)?

    I just want a second opinion about this thing, as I agree with you that reject will flood the access tracker.


  • 4.  RE: manual CoA port bounce

    Posted Sep 16, 2022 01:45 AM
    How about a justification around profiling? If you completely block the client, all ClearPass will know is the MAC address (maybe Device Sensor information from a Cisco switch via RADIUS Accounting). You have to actually let the client do something in order for ClearPass to get the profiling data.


  • 5.  RE: manual CoA port bounce

    EMPLOYEE
    Posted Sep 16, 2022 10:35 AM
    If you send an accept but put clients in a role/VLAN that goes nowhere you would even have the option to run profiling in that role/VLAN. If you name the role or VLAN: reject, your customer may even accept this. Returning a RADIUS Reject is something that you should avoid in most cases. I would position a REJECT in Access Tracker as a system/policy failure of the RADIUS system. ACCEPT is a sign that an access decision has been made, and it's fine to return a reject role to get the same result for the client, but stay in control.

    With quarantine, I more meant a role/VLAN where devices have very limited access. And you can have multiple of those, like one for clients you know and must be contained, and another for unknown clients that you don't want to provide access.

    ------------------------------
    Herman Robers
    ------------------------
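As an added illustration (not code from the thread, ClearPass or Aruba), a small Python model of the Accept-with-a-quarantine-role approach described in posts 2 and 5: CoA (RFC 5176) addresses an existing session, so a rejected client has nothing to bounce, while an unknown client accepted into a role named "reject" gets a session and stops re-authenticating. The MAC addresses, role names and session-id format are constructed; Aruba-User-Role is the real Aruba VSA name, the rest of the engine is a toy.

```python
"""Toy RADIUS policy engine with a session table (constructed example)."""
from dataclasses import dataclass, field

# Constructed inventory: MACs ClearPass knows and wants contained.
KNOWN_CONTAINED = {"aa:bb:cc:dd:ee:01"}


@dataclass
class Session:
    acct_session_id: str
    calling_station_id: str
    user_role: str


@dataclass
class PolicyEngine:
    accept_unknown: bool  # True: Accept + "reject" role; False: Access-Reject
    sessions: dict = field(default_factory=dict)
    auth_attempts: dict = field(default_factory=dict)  # what Access Tracker would fill up with
    _next_id: int = 0

    def access_request(self, mac):
        """Return (RADIUS code, reply attributes) for a MAC-auth request."""
        self.auth_attempts[mac] = self.auth_attempts.get(mac, 0) + 1
        if mac in KNOWN_CONTAINED:
            role = "quarantine"  # known device, very limited access
        elif self.accept_unknown:
            role = "reject"  # unknown device, a role that goes nowhere
        else:
            return "Access-Reject", {}  # no session is created for a reject
        self._next_id += 1
        sid = f"{self._next_id:08x}"
        self.sessions[mac] = Session(sid, mac, role)
        return "Access-Accept", {"Aruba-User-Role": role, "Acct-Session-Id": sid}

    def coa_bounce(self, mac):
        """CoA-Request session identifiers for a port bounce, or None without a session."""
        s = self.sessions.get(mac)
        if s is None:
            return None
        return {"Acct-Session-Id": s.acct_session_id, "Calling-Station-Id": s.calling_station_id}


def simulate(accept_unknown, retries=5):
    """An unknown client keeps re-authenticating only while it is rejected."""
    engine = PolicyEngine(accept_unknown)
    mac = "aa:bb:cc:dd:ee:02"  # constructed unknown device
    for _ in range(retries):
        code, _attrs = engine.access_request(mac)
        if code == "Access-Accept":
            break  # accepted client just sits in its role; no more retries
    return engine, engine.auth_attempts[mac], engine.coa_bounce(mac)
```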