
Clearpass - monitor mode with Cisco 3560 switch

I have configured Clearpass to do MAC auth in monitor mode and a 3560 switch following


A Windows PC is allowed access (MAC authentication ACCEPT) only if the device is set to Known (via Access Tracker); otherwise the PC (Unknown) gets a MAC authentication REJECT.


How do we configure CP and the switch so that we can do MAC authentication in monitor mode (without having to set "authentication open" on the switch)? We don't want to change the switch every time we need to change from monitor mode to enforce mode; we would like to switch from monitor to enforce mode on Clearpass (without changing the switch), if possible.

Please help.



Re: Clearpass - monitor mode with Cisco 3560 switch

There are several options here. I would not use monitor mode. Begin with enforce mode on ClearPass and then just have a statement in line 1 of your enforcement policy to "allow access". Then, when you are ready, you can gradually move this line down the list until you capture all your use cases. Alternatively, you can group devices and write services with or without enforcement options and move your switches from a "test" group to a "production" group mapping to two different services.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos

Re: Clearpass - monitor mode with Cisco 3560 switch

We are doing this same process, we cannot use monitor mode because we have to return multiple VLAN names in the RADIUS responses, not just a RADIUS accept. 


We created two MAC auth services and two separate Network Device Groups. The first service is our "Open" policy, meaning the Role Mapping is exactly the same, but the enforcement has no Deny conditions. The second service is our "Strict" policy, meaning we do start enforcing NAC more aggressively through the Enforcement policy. All I do is take a device out of the "Open" policy group and add it to the "Strict" policy group when I want to cut it over.


The only thing I can say is, if you're doing 802.1X authentication too, make sure the end-user devices are set up properly. We ran into a bunch that did not validate the RADIUS server certificate properly, so even though my policy didn't reject them, the device failed authentication. To get around this, we started using the "auth-fail VLAN" condition on the switch ports to still allow it to bounce into the production VLAN. When we did the Strict enforcement, we would just change that from production to quarantine using the interface range command.

Michael Haring
If my answer is helpful, a Kudos is always appreciated!
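As an added example that is not part of either post above, here is what the two switch-side postures described in this thread look like on a Cisco IOS access switch such as the 3560. The VLAN IDs (100 for production, 999 for quarantine), the interface range, the ClearPass address and the shared secret are assumed values for illustration only. The first interface block is the permissive posture (the "authentication open" keyword the original poster mentions, plus the auth-fail VLAN pointed at production as Michael describes); the second block is the cut-over to Strict applied with "interface range", where the open keyword is removed and the auth-fail VLAN is repointed at quarantine.

```text
! Assumed values: VLAN 100 = production, VLAN 999 = quarantine,
! ClearPass at 10.0.0.10, shared secret "ExampleSecret" (all illustrative).
!
! Global AAA / RADIUS so MAB and 802.1X on the ports talk to ClearPass.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key ExampleSecret
radius-server vsa send authentication
dot1x system-auth-control
!
! Posture 1: "Open". With "authentication open" the port forwards traffic
! whatever ClearPass returns, so a REJECT is logged in Access Tracker but does
! not block the client. A client that fails 802.1X (for example one that does
! not trust the RADIUS server certificate) is put in the production VLAN via
! the auth-fail VLAN.
interface range GigabitEthernet0/1 - 24
 switchport mode access
 switchport access vlan 100
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication open
 authentication event fail action authorize vlan 100
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Posture 2: cut-over to "Strict". Remove the open keyword so a REJECT from
! ClearPass actually blocks the port, and send authentication failures to
! quarantine instead of production.
interface range GigabitEthernet0/1 - 24
 no authentication open
 authentication event fail action authorize vlan 999
```

Seth's approach keeps the switch in the Strict posture from the start (no "authentication open" at all) and does the monitoring on the ClearPass side with an "allow access" rule at the top of the enforcement policy, which is what the original poster asked for; Michael's approach keeps "authentication open" and the production auth-fail VLAN in place until the device group is moved to the Strict service, at which point the second block is pushed to the ports. Whichever you pick, check Access Tracker for REJECT results before removing "authentication open", since anything that is only passing today because the port is open will lose access the moment the keyword goes away.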