Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Enforcement Profiles that default to native vlan on switch port

  • 1.  ClearPass Enforcement Profiles that default to native vlan on switch port

    Posted Jul 13, 2016 03:57 PM

    I'm implementing a ClearPass solution for segmenting out different domain traffic on commingled equipment. I'm currently using dynamic VLAN assignment to accomplish this.


    Currently there are many switches set up with different VLANs to accommodate small broadcast domains. I'm trying to create a policy that adds specific users to a new VLAN that has more access. If the user does not meet the rules they should default to the native VLAN on the switch port and NOT the VLAN specified in the default enforcement profile. If I let everyone use the default enforcement profile I will have thousands of users on one VLAN.


    Is there any creative way to get this to work?



  • 2.  RE: ClearPass Enforcement Profiles that default to native vlan on switch port

    EMPLOYEE
    Posted Jul 13, 2016 03:59 PM
    When you return a VLAN via RADIUS, the NAD *generally* always uses that.



    What you can do is define VLAN IDs in the NAD definition in ClearPass as
    custom attributes and then use that variable in your enforcement profile.


  • 3.  RE: ClearPass Enforcement Profiles that default to native vlan on switch port
    Best Answer

    Posted Jul 28, 2016 04:28 PM

    So I found a way to do this by creating a service that had a rule which triggered the [Allow Access Profile]. If I did not also specify a VLAN to return, it kept the native VLAN of the port.


    I ended up scrapping this for my solution entirely, as the "allowed user VLAN", or the VLAN that had ACLs which allowed users to access business systems, ended up with thousands of users. Too many users, bad performance.


    I ended up going the Downloadable ACL route. The native port VLANs were left as-is, but a DACL was applied based on what role a user was mapped to in the service configuration. I had the roles grabbing a user's domain authentication source. This method allowed me to secure access to and from the proper resources without needing to rearchitect our entire VLAN structure.




  • 4.  RE: ClearPass Enforcement Profiles that default to native vlan on switch port

    Posted Jul 28, 2016 04:43 PM

    One more note. When creating the DACL in ClearPass, do not use ANY extra spaces at the end, tabs, !, or other comments to try and notate the DACL. It will not take it and your devices will fail dot1x authentication.
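A small pre-flight check for the pitfall described in the reply above, added here as an example and not taken from the thread or from HPE Aruba: it flags and strips the things the post says ClearPass rejects in a DACL body (trailing spaces, tabs, `!` comment lines) before the text is pasted into an enforcement profile. The sample DACL, its addresses, and the assumption that rules are one Cisco-style ACE per line (and that `remark` lines count as comments) are constructed for this example.

```python
import re

# Constructed sample DACL body (not from the thread). It carries each of the
# defects the reply warns about: a "!" comment line, a trailing space and a tab.
RAW_DACL = (
    "! allow users into business systems\n"
    "permit tcp any host 10.0.5.20 eq 443 \n"
    "permit\tudp any host 10.0.5.53 eq 53\n"
    "deny ip any any\n"
)

# Patterns for what the post reports ClearPass will not accept. Treating
# "remark" as a comment is an assumption of this example, not from the thread.
PROBLEMS = {
    "comment": re.compile(r"^\s*(!|remark\b)"),
    "trailing_ws": re.compile(r"[ \t]+$"),
    "tab": re.compile(r"\t"),
}


def lint_dacl(text: str) -> list:
    """Return (line_number, issue) pairs for every line that would make the
    NAD reject the downloaded ACL and fail the client's dot1x session."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for issue, pattern in PROBLEMS.items():
            if pattern.search(line):
                findings.append((n, issue))
    return findings


def normalize_dacl(text: str) -> str:
    """Produce the form to paste into the enforcement profile: comment lines
    dropped, runs of tabs/spaces collapsed to one space, no trailing whitespace,
    no blank lines and no trailing newline."""
    out = []
    for line in text.splitlines():
        if PROBLEMS["comment"].search(line):
            continue
        line = re.sub(r"[ \t]+", " ", line).strip()
        if line:
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for n, issue in lint_dacl(RAW_DACL):
        print(f"line {n}: {issue}")
    print(normalize_dacl(RAW_DACL))
```

Run the linter against the exact text stored in the profile, not a copy from a text editor, since editors often re-add the trailing whitespace the check removes.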