Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Port bounce only when Role changes

  • 1.  Port bounce only when Role changes

    Posted 2 days ago

    Hello,

    We have the following scenario.

    1) For all non-authenticated devices we are providing VLAN "parking" with CPPM (default role), with limited access applied on the VLAN FW. On this VLAN we have rules to allow only the traffic that permits the devices to become compliant and be authenticated afterwards, for example downloading the cert, etc.

    2) Every 60 min, as defined by the "parking" role, the switch does a reauth to check if the device is now "compliant".

    3) If the device is compliant, it will now be provided the correct role / VLAN.

    The issue is that when CPPM provides the new VLAN, the device will maintain the IP from the old VLAN. The solution seems to be a port bounce on the Enforcement profile.

    The only issue is that we are doing a reauth via profile every day on compliant devices and we don't want to port bounce in this case.

    Is there any solution to port bounce only if the VLAN/role changes?



  • 2.  RE: Port bounce only when Role changes

    EMPLOYEE
    Posted 2 days ago

    The only option I can think of off-hand is to tag the endpoint with the last known state and only bounce when the state changes, similar to a grace period for OnGuard.

    Better option would be to utilize an ACL or firewall/role integration so that a port bounce isn't necessary as the IP address wouldn't change.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Port bounce only when Role changes

    Posted 2 days ago

    Hello

    Thank you for your answer. Can you provide more details about this tag?

    Regarding the better option, we don't want to start implementing ACLs on the switch; we cannot use DUR, and so it would become a mess to deal with all the rules on the switch. Regarding the integration, we will do that in the future with Palo Alto, but for some devices we don't have a way to provide the VLAN without any information, in that case the CN of the cert. So if the device is not compliant we cannot distinguish the VLAN. It could work for our CAM VLAN and printer VLANs using profiling,




  • 4.  RE: Port bounce only when Role changes

    EMPLOYEE
    Posted 2 days ago

    The best answer for this is to use OnGuard and profiling, that way you can utilize a posture check for the computers and implement profiling for everything else.

    For a tag you'd add an attribute to the endpoint entry.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Port bounce only when Role changes

    Posted 2 days ago

    Unfortunately we don't have an OnGuard license :(

    For tagging you mean that every time I authenticate a device, CPPM will update the attribute with the role, and in the roles I compare if the role is the same. Good point :)
    But now the question: how can I update the tag after the authentication?




  • 6.  RE: Port bounce only when Role changes

    EMPLOYEE
    Posted 2 days ago

    If you don't have OnGuard, next best option is to make use of user roles on Aruba switches.

    Create and use an endpoint update enforcement policy to set an attribute value.  This is the same thing that a guest setup does when tagging the endpoint with the MAC auth cache expiry value.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: Port bounce only when Role changes

    Posted 4 hours ago

    What Carson is referring to is:

    1. Create an attribute under Administration / Dictionaries / Dictionary Attributes like this:



    2. Under Configuration / Enforcement / Profiles define two enforcement profiles. One to set the value of attribute to True and one to set it to False.



    3. When a new device is detected, without this attribute, you can set it in the Enforcement policy. Use your specific conditions to detect new devices.

    4. Then you can use this attribute in Role Mapping to set the appropriate Role, and use this role (or the attribute directly) in the Enforcement Policy to mark the new device as "Unknown Device"; if the value is true, bounce the port and set the value to false. Don't forget to check your other required conditions before you set this attribute to False.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------
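The decision logic the thread converges on (posts 2, 6 and 7: tag the endpoint with its last known state and bounce the port only when the state changes) is modelled below as an added example; it is not ClearPass code and not from any poster. It generalizes Gorazd's True/False flag to Carson's "last known role" tag, so a compliant device falling back to parking also triggers a bounce; the attribute name `Last-Role`, the role names and the in-memory endpoint dict are assumptions standing in for the ClearPass endpoint database and the endpoint-update enforcement profile.

```python
"""Model of 'port bounce only when the role changes' for a ClearPass-style
enforcement flow. Constructed example; names and storage are assumptions."""
from dataclasses import dataclass, field

LAST_ROLE_ATTR = "Last-Role"   # assumed custom endpoint attribute (Dictionary Attributes)
PARKING_ROLE = "parking"       # default role for not-yet-compliant devices
COMPLIANT_ROLE = "compliant"   # role granted once the device passes its conditions


@dataclass
class Decision:
    role: str                  # role/VLAN to return to the switch
    bounce_port: bool          # whether the port-bounce enforcement profile fires
    attribute_updates: dict = field(default_factory=dict)  # endpoint-update profile payload


def evaluate(endpoint_attrs: dict, compliant: bool) -> Decision:
    """One (re)authentication of a single endpoint.

    endpoint_attrs: the endpoint's current attributes, as the policy server sees them.
    compliant:      outcome of the role-mapping conditions (cert CN, profiling, ...).
    """
    new_role = COMPLIANT_ROLE if compliant else PARKING_ROLE
    last_role = endpoint_attrs.get(LAST_ROLE_ATTR)
    # Post 7, step 3: an endpoint without the attribute is a new device.
    # It has no IP on another VLAN yet, so only tag it; no bounce is needed.
    if last_role is None:
        return Decision(new_role, False, {LAST_ROLE_ATTR: new_role})
    # Bounce only on an actual role (and therefore VLAN) change, so the
    # 60-min parking reauth and the daily compliant reauth stay silent.
    changed = last_role != new_role
    updates = {LAST_ROLE_ATTR: new_role} if changed else {}
    return Decision(new_role, changed, updates)


def simulate(reauths):
    """Replay a sequence of reauth results (compliant: bool) for one endpoint.

    Returns the list of (role, bounced) outcomes; the dict stands in for the
    endpoint record that the endpoint-update profile writes back to.
    """
    endpoint = {}
    outcomes = []
    for compliant in reauths:
        decision = evaluate(endpoint, compliant)
        endpoint.update(decision.attribute_updates)   # the endpoint-update profile
        outcomes.append((decision.role, decision.bounce_port))
    return outcomes


if __name__ == "__main__":
    # New device, two parking reauths, then compliant, then daily reauth.
    print(simulate([False, False, True, True]))
```

Only the third authentication in the sample run bounces; the first assignment and every reauth that keeps the same role do not.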