Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco 2960-X Clearpass Wired VLAN assignment

  • 1.  Cisco 2960-X Clearpass Wired VLAN assignment

    Posted May 26, 2020 09:46 AM

    Hi,


    Would someone be able to help me out with a very simple example of how to use ClearPass to authenticate users via 802.1x EAP-TLS through wired access which would be able to assign the port to a VLAN?

    I have read through the documentation but I am kind of lost as to where to start. I just want the user to be authenticated by certificate and, when that happens, the port to be assigned to the right VLAN. I had this working on Microsoft NPS but want to change to ClearPass and can't get the VLAN assignment figured out.


    Thanks



  • 2.  RE: Cisco 2960-X Clearpass Wired VLAN assignment

    EMPLOYEE
    Posted May 26, 2020 10:22 AM

    Hi,

    For VLAN assignment, you just need to create an enforcement profile (VLAN Enforcement Template) where you specify the needed VLAN. You can remove the session-timeout if not needed.

    [screenshot: ayman_mukaddam_5-1590502679267.png]

    Below is a sample from my lab.

    [screenshot: ayman_mukaddam_3-1590502375833.png]

    You then create an enforcement policy (that uses that enforcement profile). You can build the logic as needed here.

    [screenshot: ayman_mukaddam_6-1590502731632.png]

    In the service, you reference this enforcement policy.

    [screenshot: ayman_mukaddam_2-1590502331968.png]

    To simplify the configuration, you can use the wizard and then edit the service as needed. Don't forget to change the allowed authentication methods to be EAP-TLS only in your service.

    [screenshot: ayman_mukaddam_4-1590502555256.png]


  • 3.  RE: Cisco 2960-X Clearpass Wired VLAN assignment

    Posted May 26, 2020 11:18 AM

    Excellent this was exactly what I was looking for.


    Say I have a different client VLAN on another site: can I create groups under the profile assignment for, say, Office 1 and add the devices to this group, then create another policy with the other VLAN number, set it to the Office 2 group, and assign them both to the same service?

    I also read it was better to use VLAN NAME rather than VLAN ID. Is this correct, and should I change this, as currently I just assign the VLAN NUMBER or ID?


    Thanks



  • 4.  RE: Cisco 2960-X Clearpass Wired VLAN assignment

    EMPLOYEE
    Posted May 26, 2020 12:56 PM

    Hi,

    You can do it in multiple ways, as explained below, depending on your preference.

    1) You can use the VLAN name and return the name of the VLAN instead of the ID. As such, your policy will be simplified. You will always, for example, return VLAN EMPLOYEE, where on switch 1 VLAN EMPLOYEE means VLAN 51 while on switch 2 it means 52, etc. The same VLAN name needs to be properly configured on your switches.

    2) You can use Service rules to match a request to a particular service. In your service you restrict it based on NAD_IP_ADDRESS BELONGS_TO_GROUP. You will need to create multiple service rules in this case matching the different groups. Each service rule will have its own enforcement policy.

    [screenshot: ayman_mukaddam_0-1590507423224.png]

    3) You can use one service rule and use Enforcement Policies to only apply the relevant enforcement profile if the originating request belongs to a device in the group. In your policy, you will have multiple enforcement profiles associated with the same rule; however, the trick here is that the enforcement profile itself is restricted to a particular device group. ClearPass is intelligent enough to only apply the relevant enforcement profile matching the request.

    [screenshot: ayman_mukaddam_1-1590507651991.png]

    The trick is that when you create the profile, you associate it with a particular device group.

    [screenshot: ayman_mukaddam_0-1590510383750.png]

    4) You can use Role mapping rules to map a request to a particular role and then apply the needed logic in your enforcement policy based on the role mapping.

    [screenshot: ayman_mukaddam_0-1590511280589.png]

    [screenshot: ayman_mukaddam_1-1590511301813.png]

    5) You can use device attributes once you add the network device, and in your policy you can assign the VLAN using {%device:attribute-name}

    For example, for the below screenshot, I can use {%device:employee-vlan}, which will automatically replace employee-vlan with the associated VLAN set in the device attributes.

    [screenshot: ayman_mukaddam_3-1590511641362.png]

    [screenshot: ayman_mukaddam_4-1590511866430.png]

    I hope I didn't confuse you with all of the above options, but I really love the flexibility of ClearPass!
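As an added illustration (not from this thread and not ClearPass code), the Python below models what a VLAN enforcement profile actually hands the 2960-X inside the RADIUS Access-Accept: the RFC 3580 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes. It shows that a VLAN name (option 1 above) and a VLAN ID travel in the same attribute, and it parses the tag byte the way RFC 2868 tells a switch to, so a name with or without a tag decodes correctly. Function names and the sample VLAN values are my own assumptions.

```python
import struct

# RADIUS attribute types (RFC 2868) that RFC 3580 uses for 802.1X VLAN assignment.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802"


def radius_avp(attr_type, value):
    """Frame one attribute as Type | Length | Value (RFC 2865); Length covers the header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag, value):
    """Tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return bytes([tag]) + struct.pack("!I", value)[1:]


def vlan_attributes(vlan, tag=0):
    """Attributes a VLAN enforcement profile returns; `vlan` is an ID ("51") or a name ("EMPLOYEE")."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    return (radius_avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + radius_avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + radius_avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode("ascii")))


def assigned_vlan(attrs):
    """Parse an attribute list the way a switch does; return the VLAN it would apply, or None."""
    found = {}
    pos = 0
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        found[attr_type] = attrs[pos + 2:pos + length]
        pos += length
    ttype, medium, group = (found.get(k) for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if not (ttype and medium and group):
        return None  # incomplete assignment: the port stays in its statically configured VLAN
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN or int.from_bytes(medium[1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    # RFC 2868: a leading byte > 0x1F is not a tag but the first character of the string,
    # so an untagged name such as "EMPLOYEE" (0x45...) decodes the same as a tagged one.
    if group[0] <= 0x1F:
        group = group[1:]
    return group.decode("ascii")
```

Returning a name such as EMPLOYEE only works if every switch has a VLAN of exactly that name; a switch that cannot resolve the name or receives a malformed attribute falls back to its own port configuration rather than the intended VLAN.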