Occasional Contributor II

Clearpass 802.1x Change VLAN after machine authentication

Hi,

 

I've setup in our lab environment this scenario:

 

CPPM 6.7.4.107401 in a Windows domain with Server 2016 Standard, using certificates to authenticate machines/users. All working perfectly with the EAP-TLS method.

 

Some clients are asking for a solution to this: the machine authenticates and gets the "Corp" VLAN when it boots up. After that, the user enters their credentials and, based on the domain user group, gets a specific VLAN. How can I force a bounce (or something else) so the user gets an IP on the new VLAN?

 

Machine auth is used because of the need to authenticate the user on the domain (if the user has never logged in at this machine).

Any thoughts?


Regards,
Andre Fernandes
ACMP | ACCP | ACSA
Guru Elite

Re: Clearpass 802.1x Change VLAN after machine authentication

Changing VLANs is not recommended. Use a CoA role change.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Clearpass 802.1x Change VLAN after machine authentication

I agree with you. I always try to avoid it, but this is a specific case.

 

Where do I put the CoA action? After machine authentication?

 

Below are the service/enforcement policies. Each enforcement profile sets the specific VLAN ID.

 

[Attached screenshots: CPPM-Service.png, CPPM-Enforcement.png, CPPM-Enforcement_Profile_Corp.png]


Regards,
Andre Fernandes
ACMP | ACCP | ACSA
Occasional Contributor II

Re: Clearpass 802.1x Change VLAN after machine authentication

Anyway, what is the best practice in this scenario?

 

Authenticate machines first, so that users can be authorized by AD to log in, and then authenticate users on ClearPass? The need is to assign the VLAN based on user group.

 

The fallback is MAC auth based on roles/endpoints and a captive portal; that's OK.


Regards,
Andre Fernandes
ACMP | ACCP | ACSA

Re: Clearpass 802.1x Change VLAN after machine authentication

As Tim mentioned, it is not recommended to change VLANs, as DHCP is unreliable and it is very possible the device's VLAN will change but its IP will not, leaving it unable to communicate in the new VLAN.

 

What you could try is: machine auth through CPPM sends back the corp VLAN assignment, then user auth through CPPM sends back a dACL (if using Cisco) or a User-Role (if using Aruba) to limit network access to only the required resources.

 

You *can* use the VLAN change, but I think it's very risky and may be inconsistent, resulting in endless troubleshooting of connectivity issues.



Michael Haring
If my answer is helpful, a Kudos is always appreciated!
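Tim's "use a CoA role change" and Michael's dACL/User-Role suggestion both rely on the same mechanism: the switch or controller keeps the session on its VLAN (so the client keeps its lease) while the authorization attached to that session is replaced by a RADIUS Change-of-Authorization (RFC 5176). The Python below is an added example written for this thread; it is not ClearPass, Aruba or Microsoft code. It builds a CoA-Request that identifies the session by Calling-Station-Id and carries an Aruba-User-Role VSA, and verifies the CoA-ACK/NAK authenticator. Assumptions, all labelled in the code: the VSA values are the standard Aruba RADIUS dictionary values (Vendor-Id 14823, Aruba-User-Role vendor type 1); the shared secret, MAC address and role name are constructed sample data; nothing is sent on UDP 3799, the NAS side is simulated locally so the exchange runs offline.

```python
"""Build and verify a RADIUS CoA-Request (RFC 5176) that pushes an Aruba
User-Role to an already-authenticated session instead of changing its VLAN.

Added example for this thread, not ClearPass/Aruba code. Assumptions:
Aruba VSA values are the standard Aruba dictionary values (Vendor-Id 14823,
Aruba-User-Role = vendor type 1); secret, MAC and role are constructed
sample data; no packet is sent, the NAS side is simulated locally.
"""
import hashlib
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_CALLING_STATION_ID = 31
ATTR_VENDOR_SPECIFIC = 26
ARUBA_VENDOR_ID = 14823   # standard Aruba vendor ID (assumption: unchanged in your dictionary)
ARUBA_USER_ROLE = 1       # Aruba-User-Role vendor type in the Aruba dictionary


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def aruba_user_role_vsa(role: str) -> bytes:
    """Vendor-Specific (26) attribute wrapping Aruba-User-Role."""
    inner = struct.pack("!BB", ARUBA_USER_ROLE, len(role) + 2) + role.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + inner)


def build_coa_request(identifier: int, secret: bytes, mac: str, role: str) -> bytes:
    """CoA-Request selecting the session by Calling-Station-Id and carrying
    the new role. RFC 5176 2.3: Request Authenticator = MD5(Code + ID +
    Length + 16 zero octets + attributes + shared secret)."""
    attrs = attr(ATTR_CALLING_STATION_ID, mac.encode()) + aruba_user_role_vsa(role)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def request_authenticator_valid(request: bytes, secret: bytes) -> bool:
    """What the NAS checks before acting: recompute the Request Authenticator."""
    expected = hashlib.md5(request[:4] + b"\x00" * 16 + request[20:] + secret).digest()
    return expected == request[4:20]


def simulate_nas_response(request: bytes, secret: bytes, accept: bool = True) -> bytes:
    """Stand-in for the switch/controller: CoA-ACK or CoA-NAK whose Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + attributes + secret)."""
    code = COA_ACK if accept else COA_NAK
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> str:
    """'CoA-ACK' or 'CoA-NAK' only if the reply is authentic for this request
    (matching identifier and authenticator), otherwise 'invalid'."""
    if len(response) < 20 or response[1] != request[1]:
        return "invalid"
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if expected != response[4:20]:
        return "invalid"
    return {COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK"}.get(response[0], "invalid")


def parse_attributes(packet: bytes) -> list:
    """Decode the top-level TLVs of a RADIUS packet into (type, value) pairs."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        out.append((t, packet[pos + 2:pos + l]))
        pos += l
    return out


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample, not a real secret
    req = build_coa_request(7, secret, "00-11-22-33-44-55", "employee")
    resp = simulate_nas_response(req, secret)
    print(len(req), "byte CoA-Request;", verify_response(resp, req, secret))
```

Because the role, not the VLAN, changes, the client's lease stays valid and the "new VLAN, old IP" failure mode Michael describes cannot occur; the same packet shape with a Cisco `Filter-Id` or `cisco-avpair` instead of the Aruba VSA covers the dACL case.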
Contributor I

Re: Clearpass 802.1x Change VLAN after machine authentication

If you do go down the machine and user authentication with different VLANs route, on Windows 7 devices you should enable single sign-on in the advanced settings and ensure the "This network uses separate virtual LANs for machine and user authentication" option is enabled.

This tells the device to complete a DHCP renewal after a successful user authentication.

I'm not sure if the option is the same with Windows 10.

 

That said I agree with the previous posts that you should really avoid this scenario.

 

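The setting in the post above is stored in the Windows 802.1X wired profile XML as `<userBasedVirtualLan>true</userBasedVirtualLan>` inside the OneX `<singleSignOn>` element; if the element is absent, the schema default is false and the client keeps its old lease after the VLAN changes. The Python below is an added example for this thread, not Microsoft or Aruba code: it audits a profile for that flag so the check can be run over a fleet of exported profiles rather than clicked through per machine. Assumptions, labelled in the code: the namespace URIs are the documented LAN profile and OneX schema namespaces; the profiles are constructed, trimmed samples (the EAPConfig element is omitted) rather than exports from a real client; on a real machine the live profile would be exported first with `netsh lan export profile folder=. interface="Ethernet"` and the resulting XML passed to the same function.

```python
"""Audit a Windows 802.1X wired (LAN) profile for the "separate virtual LANs
for machine and user authentication" flag (OneX singleSignOn/userBasedVirtualLan),
which makes the supplicant renew DHCP after user authentication.

Added example for this thread, not Microsoft/Aruba code. Assumptions: the
namespace URIs are the documented LAN profile / OneX schema namespaces; the
profiles below are constructed, trimmed samples (EAPConfig omitted). On a
real client, export the live profile first:
    netsh lan export profile folder=. interface="Ethernet"
and pass the XML text to audit().
"""
import xml.etree.ElementTree as ET

NS = {
    "lan": "http://www.microsoft.com/networking/LAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}


def make_profile(sso: bool, user_based_vlan: bool) -> str:
    """Constructed, trimmed LAN profile (EAPConfig omitted) for the three
    states a fleet audit will meet: SSO off, SSO on without the flag, SSO on
    with userBasedVirtualLan=true."""
    sso_xml = ""
    if sso:
        vlan_xml = "<userBasedVirtualLan>true</userBasedVirtualLan>" if user_based_vlan else ""
        sso_xml = ("<singleSignOn><type>preLogon</type><maxDelay>10</maxDelay>"
                   "<allowAdditionalDialogs>false</allowAdditionalDialogs>"
                   f"{vlan_xml}</singleSignOn>")
    return f"""<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
        {sso_xml}
      </OneX>
    </security>
  </MSM>
</LANProfile>
"""


PROFILE_NO_SSO = make_profile(sso=False, user_based_vlan=False)
PROFILE_NO_VLAN_RENEW = make_profile(sso=True, user_based_vlan=False)
PROFILE_VLAN_RENEW = make_profile(sso=True, user_based_vlan=True)


def onex_element(profile_xml: str):
    """Locate the OneX element; default namespace on the root is honoured."""
    root = ET.fromstring(profile_xml)
    return root.find("lan:MSM/lan:security/onex:OneX", NS)


def sso_enabled(profile_xml: str) -> bool:
    """True if the profile has a singleSignOn block (SSO turned on)."""
    onex = onex_element(profile_xml)
    return onex is not None and onex.find("onex:singleSignOn", NS) is not None


def user_based_vlan_enabled(profile_xml: str) -> bool:
    """True only if SSO is on and userBasedVirtualLan is literally 'true'.
    A missing element is the schema default (false): the failure mode in
    the thread, new VLAN but old lease."""
    onex = onex_element(profile_xml)
    if onex is None:
        return False
    flag = onex.find("onex:singleSignOn/onex:userBasedVirtualLan", NS)
    return flag is not None and (flag.text or "").strip().lower() == "true"


def audit(profile_xml: str) -> str:
    """One-line verdict per profile, suitable for looping over exports."""
    if not sso_enabled(profile_xml):
        return "SSO off: user auth will not trigger a DHCP renew"
    if not user_based_vlan_enabled(profile_xml):
        return "SSO on, but separate-VLAN flag missing: expect stale IP after VLAN change"
    return "OK: client will renew DHCP after user authentication"


if __name__ == "__main__":
    for name, xml_text in (("no-sso", PROFILE_NO_SSO),
                           ("no-flag", PROFILE_NO_VLAN_RENEW),
                           ("flag", PROFILE_VLAN_RENEW)):
        print(f"{name:8} -> {audit(xml_text)}")
```

The audit only tells you the Windows supplicant will renew; it says nothing about the non-Windows 802.1X clients Frank mentions below, which is the reason the thread keeps steering towards a role change rather than a VLAN change.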
Super Contributor I

Re: Clearpass 802.1x Change VLAN after machine authentication

Hi,

 

As previous posts mention it is not recommended.

 

I know from experience that in special cases, with Windows 7 & 10, it will work without a CoA. But you could have other devices doing 802.1X where it doesn't work. And I have seen Microsoft change 802.1X settings twice with the last updates to Windows 10. So it is better to avoid it in production.

 

Hope it helps

 

Cheers, Frank
Aruba Partner Ambassador| AMFX#22| ACCX#613| ACMX#733| ACDX#744

If you like my posts, kudos are welcome. If it solves your problem, please click 'Accept as Solution'
Occasional Contributor I

Re: Clearpass 802.1x Change VLAN after machine authentication

Hi Tim. If VLAN change is not recommended after user authentication, what is the recommended practice in getting the machine into the right VLAN? Presuming we want to segment users and machines by job function: Payroll vs HR vs IT, etc. If we ultimately want users separated by VLANs then we also need the machines separated by VLANs and we'll use dACLs with CoAs upon authentication. I'm unclear on how to best get Clearpass to assign machines to their own VLAN. The only way I can think of is to get machines into specific AD OUs and then have an enforcement policy (with VLAN enforcement) based upon that. Is that correct?
