Frequent Contributor II

Re: Clearpass & OnGuard (wired cisco)

Thanks,

That sounds simple. Yeah, I guessed getting the application installed on corporate devices, but what do you do with personal devices? We are looking at doing DACL enforcement where we can then SVI enforce on our older switches. Our management wants web-auth for everything. We want our users to be directed to each step. Any of your clients doing web-auth on a Cisco switch via ClearPass/Guest?

Thanks for the previous reply. This is a complex product especially in multi-vendor environments. :-)
Aruba Employee

Re: Clearpass & OnGuard (wired cisco)

Using webauth on switches unfortunately has not been very successful. This is because most switches require you to make a choice on your auth method based on port. So you can either have MAB or 802.1x or MAB with 802.1x or Webauth.

Not Webauth + Something else. So because of this people tend to stay away as port function in the network is more dynamic. 

After all, who wants to open a support ticket with the network team because the printer moved from 1 cube to another?

 

Personal devices are normally limited to just wireless. This way you can use onboarding and multiple captive portals to get them from place to place. Hardwired becomes a challenge because captive portals at the Ethernet level haven't really taken off.

I know that our switches have been doing it for a while, but that is because we rely on a 'role'-based authentication model where others do port-based.

So we can have a captive portal per role and CoA your role at will.

With Cisco you can CoA the DACL, but because the captive portal stuff is port-based, you can't CoA the configuration of the port.

 

You might be able to do some sort of telnet enforcement, where you change the running config based on a telnet enforcement profile, but I have never tested nor attempted this, so I don't know if it's possible. Even then, seems like a lot of problems that can happen with timeouts.

 

This might be one of those situations where it's best to limit to wireless only.

 
