
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
  • 1.  Ser

    Posted Jul 19, 2022 09:12 AM

    We are testing CPPM to be used in our wired network. I've been through the videos "Aruba ClearPass Workshop (2021)" by Herman Robers, where I learned how to create a service to authenticate wired computers that are joined to our domain, and allow them access if they are user or computer authenticated.

    Now for new computers that need to be configured by our IT support staff, the computer will not be joined to the domain. How do we give them access to a specific VLAN (isolated) that has access to our AD (to join)? How do we create a proper service for this?

    Also, if a computer's access is rejected by a service, will the computer try to get access via a later service, or will the first reject stop processing of the other services?

    I've tried going through the CPPM docs, but the docs show how to configure different parts, like how to create an Enforcement Policy, and do not explain each part, what it does exactly, and how to configure it for different situations. Please point me to any documentation that explains CPPM in this sense.

    Please excuse my primitive questions.


  • 2.  RE: Ser

    Posted Jul 19, 2022 09:34 AM
    Make the default enforcement action one that assigns that build VLAN.

  • 3.  RE: Ser

    Posted Jul 26, 2022 11:36 AM
    Sounds logical, thanks.

    Will try and post my findings.

  • 4.  RE: Ser

    Posted Jul 21, 2022 11:06 AM
    The solution depends a bit on personal preference, current workflows and the switch equipment used. You probably should find out what state the computer gets into (MAC authentication with the profiling role, if you followed the guide, as the computer probably won't do 802.1X yet at that point); in that role you could allow just enough access to AD/imaging/supporting servers to build/boot/initialize the PC and join it to the domain. On AOS-CX there is also an option to configure a 'failed auth' role, which can be either the same profiling role with strictly controlled access to AD or a role with access to that staging VLAN.

    The computer does not trigger a service, the switch will. With both 802.1X and MAC Auth configured, connecting the computer can trigger both, or one of them, but the key is to design your policies and switch config such that your clients can be joined by the IT staff. If joining is done in a specific staging room, you could consider configuring a few ports statically to the staging VLAN specifically for that room/purpose.

    As always with ClearPass, there are many ways to do things. It may be good to discuss with your Aruba Partner, local Aruba SE or Aruba Support what the options are with your setup/equipment, and what the pros and cons of each option are, to get to the best solution in your situation.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
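The service-selection and default-enforcement behaviour described in posts 2 and 4, as an added example that is not part of this thread and is not ClearPass or Aruba code: a small Python model of a ClearPass-style policy engine. Service names, VLAN IDs, the `role` / `endpoint_status` result keys and the sample requests are constructed; the RADIUS attribute names (`Service-Type` values `Framed-User` / `Call-Check`, the RFC 3580 tunnel attributes) are the standard ones.

```python
def vlan_profile(name, vlan_id):
    """Enforcement profile returning the RFC 3580 tunnel attributes for a VLAN."""
    return {"name": name, "Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan_id)}

CORP_VLAN = vlan_profile("Corp-VLAN", 10)        # constructed VLAN IDs
STAGING_VLAN = vlan_profile("Staging-VLAN", 99)  # isolated; reaches AD only, to join
DENY = {"name": "Deny Access Profile"}

# A service = (name, classification rule on the RADIUS request,
#              enforcement rules on the authentication result, default profile).
# Services are tried top-down and the FIRST matching service handles the request;
# a reject inside that service does not fall through to a later service.
SERVICES = [
    ("Wired 802.1X",
     lambda req: req.get("Service-Type") == "Framed-User" and "EAP-Message" in req,
     [(lambda res: res.get("role") in ("Domain Computer", "Domain User"), CORP_VLAN)],
     DENY),
    ("Wired MAC Auth",
     lambda req: req.get("Service-Type") == "Call-Check",
     [(lambda res: res.get("endpoint_status") == "Known", CORP_VLAN)],
     STAGING_VLAN),  # default enforcement action = the build VLAN (post 2)
]

def evaluate(request, result):
    """Return (service name, enforcement profile) for one RADIUS request.

    `request` holds the attributes the switch sent; `result` holds what the
    authentication/authorization step (e.g. the AD lookup) established.
    """
    for name, matches, rules, default in SERVICES:
        if matches(request):
            for condition, profile in rules:  # enforcement rules, first match
                if condition(result):
                    return name, profile
            return name, default
    return None, DENY  # no service matched: the request is rejected

# Constructed requests. A domain-joined PC does EAP over 802.1X; a freshly imaged
# PC has no supplicant configuration, so the switch falls back to MAC auth for it.
DOT1X_REQ = {"Service-Type": "Framed-User", "EAP-Message": b"...",
             "Calling-Station-Id": "aa-bb-cc-dd-ee-01"}
MAB_REQ = {"Service-Type": "Call-Check", "Calling-Station-Id": "aa-bb-cc-dd-ee-02"}

if __name__ == "__main__":
    print(evaluate(DOT1X_REQ, {"role": "Domain Computer"}))   # Corp-VLAN, id 10
    print(evaluate(DOT1X_REQ, {"role": "[Other]"}))           # Deny Access Profile
    print(evaluate(MAB_REQ, {"endpoint_status": "Unknown"}))  # Staging-VLAN, id 99
```

The second call shows that a failed 802.1X attempt ends in that service's Deny profile; it is the switch, not ClearPass, that then sends a separate MAC-auth request, which is what lands the unjoined PC in the staging VLAN.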

  • 5.  RE: Ser

    Posted Jul 26, 2022 11:42 AM
    We have Cisco, and I'm sure we have an option there similar to the 'failed auth' role in AOS-CX.

    Thanks for your explanation.

  • 6.  RE: Ser

    Posted Jul 27, 2022 09:04 AM
    You do, it's called Critical Auth VLAN using IBNS 2.0, or the fail-open commands in IBNS 1.0.