Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Can we return user role to perform full tunnel for a particular user?

  • 1.  Can we return user role to perform full tunnel for a particular user?

    Posted Mar 25, 2014 11:43 AM

    Scenario: (controller based)

    User associated to WLAN, gets a pre-auth role, passes external captive portal (not ClearPass), we push down a new role to allow internet access, etc. (called split_user).

     

    VAP is configured as split_tunnel.

     

    Can we from our NAC solution push down a role based on the MAC address we see, push a user role that will make this user full tunnel? Can this be done by ACLs?
     Do I need ClearPass for this?

     

    I guess the same would be for IAPs...if possible



  • 2.  RE: Can we return user role to perform full tunnel for a particular user?

    Posted Mar 25, 2014 01:05 PM

    aaa derivation-rules user <name of device>
    set role condition macaddr equals "<mac address>" set-value <role you want to enforce> description "<name of device>"
    !

     

    Is this what you are looking for?



  • 3.  RE: Can we return user role to perform full tunnel for a particular user?

    EMPLOYEE
    Posted Mar 25, 2014 01:08 PM

    Does the NAC solution support RADIUS CoA? You can push a user role in a RADIUS CoA message.



  • 4.  RE: Can we return user role to perform full tunnel for a particular user?

    Posted Mar 25, 2014 01:36 PM
    For controllers, we are using the XML-API of the controller.
    For IAPs, the CoA portion didn't work when having multiple IAPs in a cluster and a workaround had to be done.

    So no, we are not using CoA for this. The XML-API allows us to push down an "ack" and a particular role if needed.



  • 5.  RE: Can we return user role to perform full tunnel for a particular user?

    Posted Mar 26, 2014 12:18 PM

    The CoA should work on both the controller and IAP cluster. Can you provide more details about this? On IAP you need to configure at least the VC address and Radius proxy (along with CoA enabled in RADIUS server configuration) for CoA to work.
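As an added illustration of the CoA approach discussed in replies 3 and 5 (this is example code, not from the thread, HPE Aruba, or any NAC product), the block below builds the RFC 5176 CoA-Request a NAC would send to the controller, carrying Calling-Station-Id plus the Aruba-User-Role vendor attribute, and checks the authenticator on the CoA-ACK that comes back. The shared secret, MAC address and role name are constructed values; sending the datagram to UDP/3799 is left to the caller.

```python
import hashlib
import hmac
import struct

ARUBA_VENDOR_ID = 14823          # IANA enterprise number for Aruba Networks
ARUBA_USER_ROLE = 1              # Aruba-User-Role sub-attribute of the Aruba VSA
CALLING_STATION_ID = 31          # standard RADIUS attribute carrying the client MAC
VENDOR_SPECIFIC = 26
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (incl. 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def aruba_vsa(sub_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute wrapping a single Aruba sub-attribute."""
    inner = struct.pack("!BB", sub_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + inner)

def build_coa_request(secret: bytes, ident: int, client_mac: str, role: str) -> bytes:
    """CoA-Request that asks the NAS to apply `role` to the session identified by
    Calling-Station-Id. Per RFC 5176 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    attrs = attr(CALLING_STATION_ID, client_mac.encode()) + \
            aruba_vsa(ARUBA_USER_ROLE, role.encode())
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def response_authenticator_ok(response: bytes, request: bytes, secret: bytes) -> bool:
    """Validate a CoA-ACK/NAK before trusting it: the Response Authenticator is
    MD5(resp header + Request Authenticator + resp attributes + secret)."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def build_coa_ack(request: bytes, secret: bytes) -> bytes:
    """Constructed NAS-side reply (no attributes) used to exercise the check above."""
    header = struct.pack("!BBH", COA_ACK, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()
```

If the controller answers with a CoA-NAK, the Error-Cause attribute (type 101) in the reply says why, for example an unknown session or an unsupported attribute.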