Occasional Contributor I

ClearPass 6.7 - Enforcing switchport disablement.

I am trying to implement MAC authentication on an Aruba OS switch which connects to a wireless AP.

I want the wireless AP to undergo MAC AUTH and, if it fails, the enforcement action I want to happen is to disable the switch port entirely.

This is so the wireless AP's clients also will not gain access to the network.

The standard [Deny Access Profile] will only block access for the wireless AP but not for its wireless clients. I want every wireless client to be blocked as well.

How can I achieve this?

Specifically, what enforcement profile do I need?


Guru Elite

Re: ClearPass 6.7 - Enforcing switchport disablement.

Aruba switches do not have a RADIUS enforced port admin state.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Occasional Contributor I

Re: ClearPass 6.7 - Enforcing switchport disablement.

Thanks for your prompt reply.

What about enforcing a VLAN change?

How can you enforce a VLAN change for the entire switch port?

Guru Elite

Re: ClearPass 6.7 - Enforcing switchport disablement.

You generally have to bounce the port. Devices don't like the VLAN changed out from under them.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Occasional Contributor I

Re: ClearPass 6.7 - Enforcing switchport disablement.

Won't bouncing the switchport cancel the dynamically modified VLAN?

From the following information captured from the switch, it appears the VLAN enforcement only applies to the specific device and not to the switch port itself. You can see the first device is in VLAN 409 and the second device in 700.

ARUBATESTSW01(eth-1)# sh port-acc cli

Port Access Client Status

 Port Client Name   MAC Address    IP Address     User Role         Type  VLAN
 ---- ------------- -------------- -------------- ----------------- ----- ---------
 1    host/L6114... 705a0f-83503c  10.40.129.109                    8021X 409, 209
 1    203a0782af31  203a07-82af31  n/a                              MAC   701, 700
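The observation in the post above (two clients on the same physical port holding different VLAN assignments) is easy to check across a whole switch once the `show port-access clients` table is parsed. The following parser is an added example, not code from the thread or from Aruba; it assumes the column layout shown above, that ArubaOS-Switch prints MACs as `xxxxxx-xxxxxx`, and that the Type column holds one of a small set of auth types (`8021X`, `MAC`, `WEB`, an assumed list). The User Role column can be blank, so the Type token is used as the anchor between the variable-width role and the VLAN list.

```python
import re
from collections import defaultdict

# Constructed sample input: the output quoted in the thread, re-spaced into columns
# (the forum copy had its whitespace collapsed).
SAMPLE_OUTPUT = """\
Port Access Client Status

 Port Client Name   MAC Address    IP Address     User Role         Type  VLAN
 ---- ------------- -------------- -------------- ----------------- ----- ---------
 1    host/L6114... 705a0f-83503c  10.40.129.109                    8021X 409, 209
 1    203a0782af31  203a07-82af31  n/a                              MAC   701, 700
"""

# ArubaOS-Switch MAC format: six hex digits, a dash, six hex digits.
MAC_RE = re.compile(r"^[0-9a-fA-F]{6}-[0-9a-fA-F]{6}$")
# Values expected in the Type column (assumed list, not taken from the thread).
AUTH_TYPES = {"8021X", "MAC", "WEB"}


def parse_port_access(text):
    """Parse 'show port-access clients' output into one dict per client row."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        # A client row starts with a numeric port, a client name and a MAC address;
        # headers, separators and blank lines fail this test and are skipped.
        if len(tokens) < 5 or not tokens[0].isdigit() or not MAC_RE.match(tokens[2]):
            continue
        port, name, mac, ip = int(tokens[0]), tokens[1], tokens[2].lower(), tokens[3]
        rest = tokens[4:]
        # The role may be empty, so locate the Type token instead of trusting positions.
        type_idx = next((i for i, t in enumerate(rest) if t in AUTH_TYPES), None)
        if type_idx is None:
            continue  # unknown layout: skip the row rather than guess
        role = " ".join(rest[:type_idx]) or None
        # VLAN list is comma separated and may span several whitespace tokens.
        vlans = [int(v) for v in " ".join(rest[type_idx + 1:]).replace(",", " ").split()]
        rows.append({
            "port": port,
            "name": name,
            "mac": mac,
            "ip": None if ip.lower() == "n/a" else ip,
            "role": role,
            "type": rest[type_idx],
            "vlans": vlans,
        })
    return rows


def vlans_by_port(rows):
    """Map each port to the set of distinct VLAN assignments seen on it."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["port"]].add(tuple(r["vlans"]))
    return dict(seen)


def ports_with_mixed_vlans(rows):
    """Ports carrying two clients with different VLAN assignments at the same time.

    Any such port confirms that the VLAN is applied per authenticated client,
    not to the physical port, which is the point made in the thread.
    """
    return sorted(p for p, assignments in vlans_by_port(rows).items() if len(assignments) > 1)


if __name__ == "__main__":
    clients = parse_port_access(SAMPLE_OUTPUT)
    for c in clients:
        print(f"port {c['port']}: {c['mac']} type={c['type']} vlans={c['vlans']}")
    print("ports with per-client VLAN assignments:", ports_with_mixed_vlans(clients))
```

Feeding the real output of `show port-access clients` into `parse_port_access` (for example, from a scheduled SSH pull) gives an inventory of which MAC-authenticated devices sit on which ports and VLANs, which is what you would audit when a port is shared by an AP and its downstream clients.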

Contributor I

Re: ClearPass 6.7 - Enforcing switchport disablement.

You should be able to do a CLI enforcement profile and enable ClearPass to log in and disable the port in an SSH session. This CLI enforcement is not officially supported (as far as I know) on ArubaOS switches, but I have already successfully implemented it in conjunction with 2930F version 16.08.XXXX.
