ClearPass VLAN assignment not staying until enforcement profile session-timeout - Cisco Switch

I have a separate VLAN for corporate printers.  We want the printer, when plugged into the port, to automatically be moved to the correct VLAN.  We have it working, but after 3 minutes, it goes back to the default GUEST VLAN instead of the PRINTER VLAN.  The Printer VLAN in this instance is called PRINTER and the GUEST VLAN in this case is called GUEST.  Here is a snippet of the config:

This is happening on the following type of Cisco switch:

Switch Ports Model              SW Version        SW Image              Mode   
------ ----- -----              ----------        ----------            ----   
*    1 52    WS-C3650-48PQ      16.9.3            CAT3K_CAA-UNIVERSALK9 INSTALL


! IBNS 2.0
aaa new-model
aaa session-id common
!ip device tracking
!
radius server ClearPass1
 address ipv4 ClearPass-Server1-IP auth-port 1812 acct-port 1813
 key SuperSecretPassword1
! 
radius server ClearPass2
 address ipv4 ClearPass-Server2-IP auth-port 1812 acct-port 1813
 key SuperSecretPassword1
!
tacacs server ClearPass1
 address ipv4 ClearPass-Server1-IP
 key SuperSecretPassword2
! 
tacacs server ClearPass2
 address ipv4 ClearPass-Server2-IP
 key SuperSecretPassword2
!
aaa group server tacacs+ ClearPass-TACACS
 server name ClearPass1
 server name ClearPass2
!
aaa group server radius ClearPass-RADIUS
 server name ClearPass1
 server name ClearPass2
! 
aaa authentication dot1x default group ClearPass-RADIUS
aaa authorization network default group ClearPass-RADIUS
aaa accounting dot1x default start-stop group ClearPass-RADIUS
dot1x system-auth-control
radius-server vsa send accounting
radius-server vsa send authentication
radius-server attribute 11 default direction in
!
aaa server radius dynamic-author
 port 3799
 auth-type all
 client ClearPass-Server1-IP server-key SuperSecretPassword1
 client ClearPass-Server2-IP server-key SuperSecretPassword1
!

!
aaa authentication enable default group ClearPass-TACACS enable none
aaa authentication login default group ClearPass-TACACS local enable
aaa authorization exec default group ClearPass-TACACS if-authenticated 
aaa authorization config-commands
aaa authorization exec default group ClearPass-TACACS local
aaa authorization commands 0 default group ClearPass-TACACS none
aaa authorization commands 1 default group ClearPass-TACACS if-authenticated
aaa authorization commands 15 default group ClearPass-TACACS if-authenticated
!
!  ********** you must relog to continue ***********
!
aaa authorization commands 15 default group ClearPass-TACACS local
aaa accounting commands 15 default start-stop group ClearPass-TACACS
aaa accounting connection default start-stop group ClearPass-TACACS
!
line console 0
 login authentication default
!
line vty 0 15
 login authentication default
!
ip access-list extended CLEARPASS-REDIRECT
 deny ip any host ClearPass-DMZ-Floating-IP
 deny ip any host ClearPass-DMZ-Server1-IP
 deny ip any host ClearPass-DMZ-Server2-IP
 permit tcp any any eq www
 permit tcp any any eq 443
!
ip access-list extended IPV4-PRE-AUTH-ACL
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow DNS
 permit udp any any eq domain
 remark permit access to ClearPass Floating IP.
 permit tcp any host ClearPass-DMZ-Public-Floating-IP eq www
 permit tcp any host ClearPass-DMZ-Public-Floating-IP eq 443
 permit tcp any host ClearPass-DMZ-Public-Floating-IP eq 6658
 permit tcp any host ClearPass-DMZ-Floating-IP eq www
 permit tcp any host ClearPass-DMZ-Floating-IP eq 443
 permit tcp any host ClearPass-DMZ-Floating-IP eq 6658
 remark permit access to ClearPass1
 permit tcp any host ClearPass-DMZ-Public-Server1-IP eq www
 permit tcp any host ClearPass-DMZ-Public-Server1-IP eq 443
 permit tcp any host ClearPass-DMZ-Public-Server1-IP eq 6658
 permit tcp any host ClearPass-DMZ-Server1-IP eq www
 permit tcp any host ClearPass-DMZ-Server1-IP eq 443
 permit tcp any host ClearPass-DMZ-Server1-IP eq 6658
 remark permit access to ClearPass2
 permit tcp any host ClearPass-DMZ-Public-Server2-IP eq www
 permit tcp any host ClearPass-DMZ-Public-Server2-IP eq 443
 permit tcp any host ClearPass-DMZ-Public-Server2-IP eq 6658
 permit tcp any host ClearPass-DMZ-Server2-IP eq www
 permit tcp any host ClearPass-DMZ-Server2-IP eq 443
 permit tcp any host ClearPass-DMZ-Server2-IP eq 6658
 remark Deny all else
 deny ip any any
!
ip access-list extended ALLOWALL
 permit ip any any
!
authentication convert-to new-style
yes
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
service-template IA-TIMER
 inactivity-timer 60 probe
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
policy-map type control subscriber ClearPass-Policy
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  50 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
  10 terminate mab
  20 authenticate using dot1x priority 10
 event authentication-success match-all
  10 class always do-until-failure
  10 activate service-template IA-TIMER
 event inactivity-timeout match-all
  10 class always do-until-failure
  10 unauthorize
!

ip dhcp snooping

template ClearPass-Template
 desc ClearPass Enabled
 spanning-tree portfast
 switchport access vlan GUEST
 switchport mode access
 switchport voice vlan VOIP
 authentication timer reauthenticate server
 mab
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 15
 dot1x max-reauth-req 1
 access-session closed
 access-session port-control auto
 service-policy type control subscriber ClearPass-Policy
!
!
interface range XXXX/XXXX/XXXX-XXXXX
 source template ClearPass-Template
 ip access-group IPV4-PRE-AUTH-ACL in
!

And here are the relevant snapshots of the ClearPass setup:

[Screenshots of the ClearPass setup: Enforcement Policies for MAC Auth; Service; VLAN for Printer; Role Map for MAC Auth]


Accepted Solutions

Re: ClearPass VLAN assignment not staying until enforcement profile session-timeout - Cisco Switch

Hello everyone!  I hope I can help someone else with the solution I found.  It was the configuration above.  Specifically this portion:

 event authentication-success match-all
  10 class always do-until-failure
  10 activate service-template IA-TIMER

If you look closely, it is a big mess.  This is what I changed the policy-map type control subscriber ClearPass-Policy to:

no policy-map type control subscriber ClearPass-Policy
policy-map type control subscriber ClearPass-Policy2
 event session-started match-all
  10 class always do-until-failure
    10 authenticate using dot1x priority 10
    20 authenticate using mab priority 20
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
    10 terminate dot1x
    20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
    10 terminate mab
    20 authentication-restart 60
  30 class always do-until-failure
    10 terminate dot1x
    20 terminate mab
    30 authentication-restart 15
  40 class always do-until-failure
 event agent-found match-all
  10 class always do-until-failure
    10 terminate mab
    20 authenticate using dot1x priority 10
!

 That fixed our issues.  I hope that helps someone else who uses the ASE for their stuff.

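The pattern the accepted answer removed (an IA-TIMER service-template activated on authentication-success while the inactivity-timeout event runs unauthorize) is easy to miss by eye in a long control policy. The following is an added example in Python, not code from the thread, from Aruba or from Cisco: a keyword-driven parser for IBNS 2.0 control-policy text plus a lint that reports that teardown pattern, whether the DOT1X_NO_RESP class explicitly falls back to MAB, and class blocks with no actions. The embedded samples are constructed, trimmed copies of the question's "before" policy and the accepted "after" policy; the function names, the lint wording and the trimming are assumptions of this example.

```python
"""Lint a Cisco IBNS 2.0 control policy for the idle-timeout teardown from the thread.

Added example; not the poster's configuration or any vendor tool. The sample texts
are constructed, trimmed copies of the thread's "before" and "after" policies.
"""
import re

SERVICE_TEMPLATES = """\
service-template IA-TIMER
 inactivity-timer 60 probe
"""

ORIGINAL_POLICY = """\
policy-map type control subscriber ClearPass-Policy
 event authentication-failure match-first
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template IA-TIMER
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 unauthorize
"""

FIXED_POLICY = """\
policy-map type control subscriber ClearPass-Policy2
 event session-started match-all
  10 class always do-until-failure
    10 authenticate using dot1x priority 10
    20 authenticate using mab priority 20
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
    10 terminate dot1x
    20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
    10 terminate mab
    20 authentication-restart 60
  30 class always do-until-failure
    10 terminate dot1x
    20 terminate mab
    30 authentication-restart 15
  40 class always do-until-failure
"""


def parse_service_templates(text):
    """Return {template name: inactivity-timer seconds, or None if it has no timer}."""
    templates, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*service-template\s+(\S+)", line):
            current = m.group(1)
            templates[current] = None
        elif current and (m := re.match(r"\s*inactivity-timer\s+(\d+)", line)):
            templates[current] = int(m.group(1))
        elif line.strip().startswith(("!", "class-map", "policy-map", "interface")):
            current = None  # left the template block
    return templates


def parse_policy_map(text):
    """Return (policy name, {event: [(seq, class name, [actions])]}).

    Keyword-driven rather than indentation-driven, because the thread's configs
    indent class and action lines inconsistently and IOS does not care."""
    name, events, event, cls = None, {}, None, None
    for line in text.splitlines():
        if m := re.match(r"\s*policy-map type control subscriber\s+(\S+)", line):
            name, event, cls = m.group(1), None, None
        elif name and (m := re.match(r"\s*event\s+(\S+)", line)):
            event, cls = events.setdefault(m.group(1), []), None
        elif event is not None and (m := re.match(r"\s*(\d+)\s+class\s+(\S+)", line)):
            cls = (int(m.group(1)), m.group(2), [])
            event.append(cls)
        elif cls is not None and (m := re.match(r"\s*\d+\s+(.+?)\s*$", line)):
            cls[2].append(m.group(1))
    return name, events


def lint(policy, templates):
    """Report the session-teardown pattern plus two structural oddities."""
    name, events = policy
    findings = []

    def actions(event, cls=None):
        return [a for _, c, acts in events.get(event, []) if cls in (None, c) for a in acts]

    tears_down = "unauthorize" in actions("inactivity-timeout")
    for act in actions("authentication-success"):
        if act.startswith("activate service-template"):
            tmpl = act.split()[-1]
            secs = templates.get(tmpl)
            if secs and tears_down:
                findings.append(
                    f"{name}: {tmpl} (inactivity-timer {secs}s) is activated on success and "
                    f"inactivity-timeout runs 'unauthorize'; an idle endpoint loses its "
                    f"authorization, so the RADIUS-assigned VLAN falls back to the port VLAN")
    if not any(a.startswith("authenticate using mab")
               for a in actions("authentication-failure", "DOT1X_NO_RESP")):
        findings.append(f"{name}: DOT1X_NO_RESP does not explicitly run 'authenticate using mab'")
    for ev, blocks in events.items():
        for seq, cls, acts in blocks:
            if not acts:
                findings.append(f"{name}: event {ev} class {cls} (seq {seq}) has no actions")
    return findings


if __name__ == "__main__":
    templates = parse_service_templates(SERVICE_TEMPLATES)
    for text in (ORIGINAL_POLICY, FIXED_POLICY):
        print("\n".join(lint(parse_policy_map(text), templates) or ["no findings"]))
```

Run against the "before" policy it reports the IA-TIMER teardown and the missing explicit MAB fallback; against the accepted "after" policy only the empty `40 class always` block remains, which is harmless but worth tidying. To use it on a live switch, paste the output of `show running-config | section policy-map type control subscriber` and `show running-config | section service-template` into the two sample strings.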


