Security

Hi

I am configuring some kit for an install we have next week. We are setting up Clearpass and some Brocade switches to hopefully do the following:

When a wired user plugs into the network, they are in a default VLAN 10. This does mac authentication against the endpoint database. If it is successful, then they are allowed on the network.

If it fails, the switch puts the device in to VLAN 40, a 'quarantine' VLAN. The idea then is that they are given the self-reg page of CPPM Guest, which they authenticate using. From there, we need to place them into a different ‘Guest’ VLAN.

However, the web auth doesn’t send a mac address and also can’t seemingly have an enforcement policy that can return a radius response to move the VLAN to the Guest VLAN

Any ideas on how we get a webauth to send a radius accept to change the VLAN? Or any ideas how we can do the above in a different way?

Thanks

You can set a post_authentication Change of Authorization (RADIUS CoA) which will boot the user (essentially aaa user delete) and then they will come back into the role you assigned.

CoA isn't supported on Brocade.......:smileysad:

Actually just gave this a try anyway but CPPM said nothing was output anyway.

Did you ever get this working on Brocade?