Security

Reply
Trusted Contributor I

ClearPass juniper dynamic VLAN

i'm trying to get dynamic VLANs working between Juniper EX switches and ClearPass, everything seems to work except for the VLAN assigment.

 

I get this on the Juniper log:

Apr 12 11:24:11.229779 Received invalid tunnel type 16777229 from authentication server

 

while on the ClearPass i certainly have type 13 (VLAN) configured for tunnel type (64).

 

 

Trusted Contributor I

Re: ClearPass juniper dynamic VLAN

after doing a packet capture it seems the issue lies with the juniper, the correct info is send by the ClearPass.

 

Tunnel-Type(64)                         VLAN(13)

Tunnel-Medium-Type(65)         IEEE-802(6)

Tunnel-Private-Group-Id(81)    the vlan name (or id, i tried both)

 

and two things the ClearPass adds:

 

Session-Timeout       10800
Termination-Action     RADIUS-Request (1)

 

does anyone have dynamic VLANs working with the ClearPass? especially with different vendor switches? cisco, juniper, ....?

 

Trusted Contributor I

Re: ClearPass juniper dynamic VLAN

tried to trouble shoot this with juniper support, but nothing wrong seemed to be found.

 

tried with Microsoft IAS instead of ClearPass and then it works ...

 

checked the packetcaptures and it seems they are identical except that IAS sends the data with Radius tag 0x00 and ClearPass does it with tag 0x01.

 

[IAS]

AVP: l=6  t=Tunnel-Type(64) Tag=0x00: VLAN(13)

AVP: l=6  t=Tunnel-Medium-Type(65) Tag=0x00: IEEE-802(6)

AVP: l=4  t=Tunnel-Private-Group-Id(81): 21

 

[ClearPass]

AVP: l=6  t=Tunnel-Type(64) Tag=0x01: VLAN(13)

AVP: l=6  t=Tunnel-Medium-Type(65) Tag=0x01: IEEE-802(6)

AVP: l=5  t=Tunnel-Private-Group-Id(81) Tag=0x01: 20

 

anyone know if i can get the ClearPass to use tag 0x00?

Occasional Contributor I

Re: ClearPass juniper dynamic VLAN

By default ClearPass sets the value of tag to 0x1 as indicated by the packet capture. The steps to send tag 0x0

from ClearPass are:

 

1) Navigate to Administration » Dictionaries » RADIUS screen.

 

2) Search for Avenda RADIUS dictionary and click on the entry. In the RADIUS Attributes

popup, click on Enable to enable the dictionary.

 

3) Edit the enforcement profile and add the attribute

 

      Radius:Avenda       Avenda-Tag-Id               0

 

 

 

Trusted Contributor I

Re: ClearPass juniper dynamic VLAN

thank you very much (and also Aruba support), this does indeed do the trick and the Juniper EX switch accepts this.

 

a very flexible product ClearPass.

Contributor I

Re: ClearPass juniper dynamic VLAN

Hi,

I have the same issue with Juniper EX switch dynamic VLAN assignment with ClearPass.

As the posture status is unhealthy it should assign Quarantine VLAN. The switch side the port is dynamically changing the VLAN membership but on the endpoint side, the IP address from quarantine VLAN is assigning after doing IPCONFIG release and renew. is there any additional settings are needed to change from healthy VLAN to Quarantine VLAN dynamically.

 

Thanks,

Yugandhar

Aruba Employee

Re: ClearPass juniper dynamic VLAN

It sounds like the endpoint failed to obtain IP address (did not recognize the vlan change) from the quarantine vlan.

You can try "agent bounce" instead of Radius disconnect(CoA) in the WebAuth service, when an active client need to be moved from health vlan to quarantine vlan (or just use "agent bounce" enforcement only when the client helth token is Quaranitne).

 

Agent bounce will force the client to obtain(renew) the IP from Quarantine VLAN.


Thank you,
Saravanan Rajagopal

**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the post.

Re: ClearPass juniper dynamic VLAN

Are you using the persistent onguard agent on the device ?if you are enable the onguard option to do an agent bounce so this way the NIC will re-DHCP

If not you will need to execute a Change or authorization (CoA)

Pardon typos sent from Mobile
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I

Re: ClearPass juniper dynamic VLAN

I tried adding avenda-tag-id and it is working. Juniper switch dynamically assign the VLANs based on the conditions. but the problem is the IP address is assigning to the endpoint but not the gateway address. 

This is happening when we enable the posture conditions in the dot1x service.

Also, It is taking very long time to sign out from the machine and we are using Windows10. I am using the persistent OnGuard agent.

 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: