Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Behaviour of colorless ports when ClearPass fails

  • 1.  Behaviour of colorless ports when ClearPass fails

    Posted Jun 18, 2019 10:04 AM

    Hi guys,

     

    In a colorless ports implementation with Cisco switches, if ClearPass failed, what is the behaviour of the ports? Will they be assigned a default dACL? Or is it like 802.1X and MAC auth fails when a guest user connects to the switch port?

     

    Regards,

    Julián



  • 2.  RE: Behaviour of colorless ports when ClearPass fails

    Posted Jun 18, 2019 10:33 AM
    It depends on the requirements and what type of authentication is enabled on each port.

    You could enforce a URL redirect (catch-all) when the user fails 802.1X or if the device doesn’t meet any of the MAC authentication conditions (assuming you are using MAB).

    Another option is that the user/device could be dropped in a guest or remediation VLAN.

    But at the end of the day, it depends on the security requirements for the project.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: Behaviour of colorless ports when ClearPass fails

    Posted Jun 18, 2019 11:09 AM


    You could enforce a URL redirect (catch-all) when the user fails 802.1X or if the device doesn’t meet any of the MAC authentication conditions (assuming you are using MAB).

    Another option is that the user/device could be dropped in a guest or remediation VLAN.


    Hi Victor,

     

    Maybe I didn't explain well. When I said "if ClearPass failed" I meant "if ClearPass went down". Then, does this also apply when ClearPass goes down? I believe not, since, for example, a URL redirect or a remediation VLAN should be returned from ClearPass, which is not possible if ClearPass is down.

     

    Regards,

    Julián



  • 4.  RE: Behaviour of colorless ports when ClearPass fails
    Best Answer

    Posted Jun 18, 2019 01:18 PM
    See here the Cisco switch feature “Inaccessible Authentication Bypass”:
    https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_40_se/configuration/guide/scg/sw8021x.pdf#page13



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile
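
A sketch of the Inaccessible Authentication Bypass (critical authentication) feature linked in the answer above, added here as an example and not taken from the thread or from the vendor documentation. The interface name, VLAN 999 and the timer values are assumptions, and the command syntax varies by IOS release, so check it against the configuration guide for your platform.

```cisco
! Added example. GigabitEthernet1/0/10, VLAN 999 and all timer values are
! assumed for illustration; the RADIUS server (ClearPass) definition itself
! is omitted and assumed to be configured already.
!
! Mark a RADIUS server dead after 5 seconds without a response
! and 3 consecutive timed-out requests.
radius-server dead-criteria time 5 tries 3
! Skip a dead server for 10 minutes before trying it again.
radius-server deadtime 10
! Send EAPOL-Success to 802.1X supplicants that are placed in the critical VLAN,
! so the client does not keep restarting authentication.
dot1x critical eapol
!
interface GigabitEthernet1/0/10
 switchport mode access
 authentication port-control auto
 authentication order dot1x mab
 dot1x pae authenticator
 mab
 ! Fail open: with every RADIUS server dead, authorize new sessions into
 ! critical VLAN 999 instead of leaving the port unauthorized.
 ! Without this line the port fails closed while ClearPass is down.
 authentication event server dead action authorize vlan 999
 ! When a server answers again, re-initialize the critical sessions so they
 ! authenticate normally and receive the policy ClearPass returns.
 authentication event server alive action reinitialize
!
! Nothing returned by ClearPass (dACL, URL redirect, VLAN) applies to a
! session in the critical state, so restrict VLAN 999 on the switch or
! upstream firewall to the minimum access the outage scenario requires.
```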


  • 5.  RE: Behaviour of colorless ports when ClearPass fails

    Posted Jun 19, 2019 03:38 PM

    Thanks Victor, that's exactly what I was looking for :)

     

    Regards,

    Julián