Contributor I

Clearpass: CLI enforcements if client disconnects

Hi all,


I'm new to Aruba ClearPass and this is my first post in this great community. I have implemented some CLI policy enforcements with ClearPass (SSH to Comware switches) - they are working perfectly. My question - is there any way to execute CLI actions if a device logs off? Perhaps using RADIUS Accounting or some kind of other magic? Thank you for some advice.


Best Regards

Regular Contributor II

Re: Clearpass: CLI enforcements if client disconnects

You could look into the use of 802.1X machine authentication. Certainly for Windows devices, machine authentication (if enabled) takes place at logon and logoff. You can use this to assign a more restrictive role or VLAN to devices when only machine authentication is passed.

Basically the logic works as follows:

ClearPass authenticates a machine and assigns a restrictive role/VLAN.

ClearPass authenticates a user and this in combination with the already authenticated machine assigns a full access role/VLAN.

If machine authentication is seen after this it would indicate a client has rebooted or logged off. This could then assign the more restrictive role.


I would recommend labbing this up and seeing if this can provide what you want.
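To make the machine/user sequence above concrete, here is a small Python model of the role logic (an added illustration, not ClearPass code or anything from the thread): a machine authentication (identity beginning with `host/`, an assumption used here to tell the two apart) marks the endpoint as machine-authenticated and assigns the restricted role; a user authentication gets full access only if that endpoint has already passed machine authentication; a later machine authentication, as happens at reboot or logoff, drops the endpoint back to the restricted role. Role names and the MAC/identity values are constructed samples.

```python
from dataclasses import dataclass, field

# Constructed role names; real deployments would map these to ClearPass roles/VLANs.
RESTRICTED = "restricted"
FULL = "full-access"


@dataclass
class MachineAuthTracker:
    """Replays the machine-then-user 802.1X sequence described in the post.

    machine_authed: endpoints (keyed by MAC) that have passed machine auth.
    roles: the role most recently assigned to each endpoint.
    """
    machine_authed: set[str] = field(default_factory=set)
    roles: dict[str, str] = field(default_factory=dict)

    def authenticate(self, mac: str, identity: str) -> str:
        """Return the role to assign for one successful authentication."""
        if identity.startswith("host/"):
            # Machine auth: remember it, but only grant the restricted role.
            # Seeing it again after a user auth means reboot/logoff.
            self.machine_authed.add(mac)
            self.roles[mac] = RESTRICTED
        elif mac in self.machine_authed:
            # User auth on a machine-authenticated endpoint: full access.
            self.roles[mac] = FULL
        else:
            # User auth without a prior machine auth stays restricted.
            self.roles[mac] = RESTRICTED
        return self.roles[mac]


def replay(events: list[tuple[str, str]]) -> list[str]:
    """Feed (mac, identity) events through a fresh tracker; return roles in order."""
    tracker = MachineAuthTracker()
    return [tracker.authenticate(mac, identity) for mac, identity in events]


if __name__ == "__main__":
    # Constructed sample: boot (machine auth), user logon, logoff/reboot (machine auth again).
    sample = [
        ("aa:bb:cc:dd:ee:ff", "host/PC1.corp.example"),
        ("aa:bb:cc:dd:ee:ff", "alice@corp.example"),
        ("aa:bb:cc:dd:ee:ff", "host/PC1.corp.example"),
    ]
    for (mac, identity), role in zip(sample, replay(sample)):
        print(f"{mac} {identity:28} -> {role}")
```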

Contributor I

Re: Clearpass: CLI enforcements if client disconnects

Thank you, David - that's a simple and clean solution - I really like it. In the current environment I have lots of devices which need MAC auth. Any additional ideas for this case?


Best Regards

Guru Elite

Re: Clearpass: CLI enforcements if client disconnects

There's no need for CLI enforcement. Comware supports RADIUS. You can leverage 802.1X with MAC fallback.

Tim Cappalli | Aruba Security | @timcappalli

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Contributor I

Re: Clearpass: CLI enforcements if client disconnects

In this case, I'm using both. RADIUS for VLAN assignment and CLI enforcement for specific speed/duplex settings due to bad cabling which is causing issues with some end devices. One possible solution would be to set the speed/duplex settings back to default if "devices all other" authenticated. I thought that perhaps there is some smarter solution that I have missed.


Best Regards
