New Contributor

Re: CPPM - Port being blocked by AAA but no ClearPass logs

logged on means that the device you connect starts sending traffic; otherwise the port gets stuck in "blocked by AAA". If the port is in the blocked by AAA state, the log-off period will never start, because the device is not logged on (it never went past the AAA) in the first place.

 

It might work on certain devices; in my experience, especially on old dumb printers, that does not work. You need to enable the controlled direction "in" so the printer is polled by something on the network, and when it tries to respond, it then passes the AAA (provided ClearPass is configured properly at that point).

 

If you have all the latest printer models with no other devices in the middle (we, for example, have badge scanners for secure printing), then you should even be able to authenticate them via 802.1X. But with all printers, that is the only way we found that consistently works.

Super Contributor II

Re: CPPM - Port being blocked by AAA but no ClearPass logs

Logoff period 0 is the same as MAC pinning, at least in the latest releases.

 

IP client tracker is working and is doing its job. However, some (legacy) devices don't respond to the ARP requests of the switch.

 

When a device connects and is not sending traffic at all, NAC can be difficult. This is not something that can be fixed on switches (nor on other vendors' switches) because it's a client problem. The best way to deal with this is using DHCP on the client. I have also seen some devices that do not send traffic at all unless they receive some data. Sometimes a workaround is to set the untagged VLAN on the port to the VLAN the device belongs to and set the control direction to inbound. This will flood broadcast/multicast data to the port even if the port is blocked by AAA.


Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
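An added configuration sketch, not posted by anyone in this thread, that puts the settings discussed above side by side on one ArubaOS-Switch port: the default controlled direction, under which a silent printer never authenticates, next to the inbound-only direction plus untagged VLAN and long logoff period. Port 1, VLAN 20, the 3600-second value and the exact command syntax are assumptions.

```text
! Assumed ArubaOS-Switch CLI syntax; port 1 and VLAN 20 are constructed values.
! Before: MAC authentication with controlled-direction "both" (the default).
! Nothing reaches the printer while it is unauthenticated, and a printer that
! only talks when spoken to never sends a frame, so the port stays "blocked by AAA"
! and ClearPass never sees a request.
aaa port-access mac-based 1
aaa port-access 1 controlled-direction both

! After: only traffic from the client into the switch is held until
! authentication; broadcast/multicast from the network (ARP from the
! IP client tracker, for example) is still flooded out to the port on the
! untagged VLAN, the printer answers, and that answer triggers MAC
! authentication against ClearPass.
vlan 20 untagged 1
aaa port-access mac-based 1
aaa port-access 1 controlled-direction in
! Long logoff period (constructed value) so a quiet device is not logged
! off and sent back to the blocked state between polls.
aaa port-access mac-based 1 logoff-period 3600
```

Check the result with the switch's port-access status output for port 1 and the corresponding Access Tracker entry in ClearPass; if the port still shows as blocked by AAA, the device is not answering anything the network sends it.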
Occasional Contributor I

Re: CPPM - Port being blocked by AAA but no ClearPass logs

I have set the logoff-period to something large, and also set the controlled-direction to inbound only.

This seems to have resolved most if not all my problems.

 

Thank you all for your help, without this forum I would still be stuck pulling my hair out.
