Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Force MAC-Authed client to start DHCP process again after successful authentication

  • 1.  Force MAC-Authed client to start DHCP process again after successful authentication

    Posted Mar 30, 2015 08:32 PM

    I am having trouble with CPPM and my Brocade switch. I am looking to have wired clients use MAC-Auth and, after successfully completing that part and being moved to the correct VLAN, initiate a new DHCP request so they can grab an IP from the proper subnet. According to Brocade TAC the switches do not have a VSA to perform a port down/up forcing the client to start a new DHCP process. I was digging around in the RADIUS attributes and found "Framed-IP-Address" which according to http://freeradius.org/rfc/rfc2865.html#Framed-IP-Address states the following:

    The Address field is four octets.  The value 0xFFFFFFFF indicates that the NAS Should allow the user to select an address (e.g. Negotiated).  The value 0xFFFFFFFE indicates that the NAS should select an address for the user (e.g. Assigned from a pool of addresses kept by the NAS).  Other valid values indicate that the NAS should use that value as the user's IP address.

     

    If I am understanding that correctly then can I set the value of 0xFFFFFFFF and have the client automatically start the DHCP process over whenever CPPM sends that out? If not, can someone point me to a method that will allow hardwired clients on a switch that does not support RADIUS-based port bouncing to be instructed to start the DHCP process?

     

    Thanks in advance!
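For reference on the attribute quoted above, here is an added example (not from the thread and not ClearPass or Brocade code) that encodes and decodes Framed-IP-Address exactly as RFC 2865 puts it on the wire, alongside the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triplet that carries a dynamic VLAN assignment. The VLAN number, addresses and tag value are constructed sample inputs. One point worth seeing in the decoder: the two reserved values 0xFFFFFFFF and 0xFFFFFFFE are instructions to the NAS about how it assigns an address; nothing in the attribute reaches the DHCP client.

```python
"""Wire-format encoding of the RADIUS attributes a ClearPass Access-Accept
would carry for this thread: Framed-IP-Address (RFC 2865 s.5.8) and the
RFC 2868 tunnel triplet used for dynamic VLAN assignment."""
import ipaddress
import struct

FRAMED_IP_ADDRESS = 8            # RFC 2865
TUNNEL_TYPE = 64                 # RFC 2868
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6       # Tunnel-Medium-Type value for 802 media

# The two reserved Framed-IP-Address values quoted in the thread.
USER_SELECTS = 0xFFFFFFFF        # NAS lets the user negotiate an address
NAS_SELECTS = 0xFFFFFFFE         # NAS assigns from its own pool


def attr(type_code: int, value: bytes) -> bytes:
    """One RADIUS AVP: Type, Length (covers the 2-octet header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def framed_ip_address(value) -> bytes:
    """value is a dotted-quad string or one of the reserved 32-bit codes."""
    raw = struct.pack("!I", value) if isinstance(value, int) else ipaddress.IPv4Address(value).packed
    return attr(FRAMED_IP_ADDRESS, raw)


def vlan_assignment(vlan_id: int, tag: int = 1) -> bytes:
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>.
    All three carry the same Tag octet so the NAS treats them as one group."""
    def tagged_int(n: int) -> bytes:          # Tag (1 octet) + 3-octet integer
        return bytes([tag]) + struct.pack("!I", n)[1:]
    return (attr(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


def parse_attrs(data: bytes) -> list:
    """Split a run of AVPs into (type, value) pairs; bad lengths raise rather than overrun."""
    out = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute header")
        t, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError(f"bad length {length} for attribute {t}")
        out.append((t, data[2:length]))
        data = data[length:]
    return out


def describe_framed_ip(value: bytes) -> str:
    """What RFC 2865 says the NAS should do with a Framed-IP-Address value."""
    (n,) = struct.unpack("!I", value)
    if n == USER_SELECTS:
        return "NAS should allow the user to select (negotiate) an address"
    if n == NAS_SELECTS:
        return "NAS should select an address for the user from its own pool"
    return f"NAS should use {ipaddress.IPv4Address(n)} as the user's address"


def describe(data: bytes) -> list:
    """Decode a run of AVPs into readable lines."""
    lines = []
    for t, v in parse_attrs(data):
        if t == FRAMED_IP_ADDRESS:
            lines.append("Framed-IP-Address: " + describe_framed_ip(v))
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            lines.append(f"Tunnel-Private-Group-ID (tag {v[0]}): {v[1:].decode('ascii')}")
        elif t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            name = "Tunnel-Type" if t == TUNNEL_TYPE else "Tunnel-Medium-Type"
            lines.append(f"{name} (tag {v[0]}): {int.from_bytes(v[1:], 'big')}")
        else:
            lines.append(f"attribute {t}: {v.hex()}")
    return lines


if __name__ == "__main__":
    # Constructed sample: move the client to VLAN 200 and let it negotiate its own address.
    body = vlan_assignment(200) + framed_ip_address(USER_SELECTS)
    print(body.hex())
    for line in describe(body):
        print(line)
```

Running it prints the raw AVP bytes followed by the decoded meaning of each attribute, which is handy when checking a ClearPass enforcement profile against a packet capture from the switch.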



  • 2.  RE: Force MAC-Authed client to start DHCP process again after successful authentication

    Posted Mar 30, 2015 09:15 PM
    Can you please explain the use case for this or what logic you are trying to use?

    Why not just apply the VLAN right from the start instead of switching the devices between VLANs?


  • 3.  RE: Force MAC-Authed client to start DHCP process again after successful authentication

    Posted Mar 30, 2015 09:26 PM

    Hi, I really don't know the use case. I am working on this for a co-worker who is engaging the customer. All I know is we need to be able to have devices connect wired, be placed in a restricted VLAN, authenticate them, and move them to another VLAN afterward which will use a different IP subnet. I can imagine having a college campus with ports in the dorms and only wanting previously OK'd clients to connect to the internet, with devices that were not previously authenticated left stuck on a blackhole network. This would be a wired BYOD concept, I would conclude.

    I will reach out to the customer to find out the exact reason for the method they are attempting.



  • 4.  RE: Force MAC-Authed client to start DHCP process again after successful authentication

    Posted Mar 30, 2015 10:40 PM

    It is important to know the use case to determine what's the best solution for deployment.

     

    If you guys are trying to register a device, first place them in a dead-end VLAN and once registered place the device in a full-access VLAN?

     



  • 5.  RE: Force MAC-Authed client to start DHCP process again after successful authentication

    Posted Mar 30, 2015 11:37 PM

    I am a bit lost as to why you state "It is important to know the use case to determine what's the best solution for deployment.". In my job as a TAC engineer I routinely answer questions without knowing what the full situation is. In this case all I am wondering is if anyone knows how to force a client attached to a Brocade switch to start the DHCP DORA process. If this is not a simple task then I will make sure to get as many details as possible, but it does seem like someone that uses CPPM often might know the direction to point me in to look for an answer. I have looked through the manual but didn't find anything that sounded like what I was tasked with finding out. I searched around the Internet and found the option I listed in my first post.

    We have tested using the IETF "disconnect" attribute but that does not cause the switch to bounce the port, so the client doesn't know to start the DORA process immediately. We tried just sending different VLAN assignments, both tagged and untagged, but that too does not cause a port state change.

    I just saw something in the ClearPass manual about sending SNMP commands to the NAS. I was wondering if that was, as the guide shows, only a manual function or whether you can have CPPM send an SNMP command as part of a CoA?

     

    Please let me know if anyone has any ideas of what to try to either tell the client to restart the DHCP DORA process or tell the switch to bounce the port.

     

    Thank you



  • 6.  RE: Force MAC-Authed client to start DHCP process again after successful authentication

    EMPLOYEE
    Posted Mar 31, 2015 03:45 AM

    A mac-auth is a layer 2 authentication, so not sure exactly why this is needed.

     

    In any case, you could have a really short lease time in the restricted VLAN of, say, 20 seconds.

     Once they are in the new vlan, it will only be a short time before they try to do a dhcp renew again and then they will get the new ip address.



  • 7.  RE: Force MAC-Authed client to start DHCP process again after successful authentication

    Posted Apr 07, 2015 12:57 AM

     

    Unless you have a mechanism to force the ethernet carrier to go down, or an agent on the host to do so from that side, the only recourse is to use a short lease time as Michael mentioned.

     

    RFC 6704 (previously RFC 3203) is a proposed standard that would ameliorate this problem, but adoption has been nonexistent AFAIK.

     

    We use VLANs for security partitioning here as well, since they keep host firewall policies simple and we don't have to worry about DHCP exhaustion that way.   We use SNMP and Disconnects depending on the model of the switch.

     

    However, I'm not sure what Brocades can and cannot do. Depending on how flexible your customer is on this matter, another option is to hand out the permanent IP address from the start and instead use port ACLs installed by RADIUS to restrict the pre-registration machines.

     



  • 8.  RE: Force MAC-Authed client to start DHCP process again after successful authentication

    Posted Apr 07, 2015 10:17 AM

    Thank you for the information. I did find out that the Brocade switch does not support any method to bounce the port. I had thought about using SNMP as well, as that would allow a port to be bounced, but I don't know if you can send SNMP commands from the CPPM to the switch as part of the CoA process or have them triggered by the CoA process.

     

    If anyone knows how to do that with the CPPM automatically that would be awesome.

     

    Thank you guys for the assistance
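The SNMP port bounce that posts 5 and 8 ask about, as an added example that is not from the thread and not ClearPass or Brocade functionality: it builds the two SNMPv2c SET requests that write IF-MIB::ifAdminStatus for one interface (down, then up) using hand-rolled BER so it runs with only the Python standard library, and it parses the switch's GetResponse to confirm the SET was accepted. What triggers the script (a ClearPass post-auth hook, a script watching the RADIUS accounting log, or an operator) is outside this example; the switch address, the write community "private" and ifIndex 10 are hypothetical values. Practitioner caveat: an SNMPv2c write community travels in cleartext and is equivalent to admin access to the switch, so restrict the SNMP server to the NAC host by ACL, or use SNMPv3 with authPriv if the switch supports it.

```python
"""Build the two SNMPv2c SET requests that bounce a switch port by writing
ifAdminStatus (down, then up), with hand-rolled BER so no SNMP library is needed."""
import socket
import sys
import time

IF_ADMIN_STATUS = (1, 3, 6, 1, 2, 1, 2, 2, 1, 7)   # IF-MIB::ifAdminStatus, index = ifIndex
UP, DOWN = 1, 2                                    # ifAdminStatus enumerations
SNMP_V2C = 1
SET_REQUEST, GET_RESPONSE = 0xA3, 0xA2             # context-specific PDU tags


def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER for a non-negative value (adds a leading
    0x00 when the top bit is set so the value is not read as negative)."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def ber_oid(arcs) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def set_request(community: str, request_id: int, oid, value: int) -> bytes:
    """SNMPv2c message carrying a SetRequest-PDU with a single INTEGER varbind."""
    varbind = tlv(0x30, ber_oid(oid) + ber_int(value))
    pdu = tlv(SET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(SNMP_V2C) + tlv(0x04, community.encode("ascii")) + pdu)


def port_bounce_requests(community: str, if_index: int, request_id: int = 1):
    """The two packets of a bounce: ifAdminStatus=down(2), then ifAdminStatus=up(1)."""
    oid = IF_ADMIN_STATUS + (if_index,)
    return (set_request(community, request_id, oid, DOWN),
            set_request(community, request_id + 1, oid, UP))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this element), handling long-form lengths."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def response_error_status(packet: bytes):
    """(request-id, error-status) from a GetResponse; error-status 0 means accepted."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, pos = read_tlv(msg, 0)          # version
    _, _, pos = read_tlv(msg, pos)        # community
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != GET_RESPONSE:
        raise ValueError("unexpected PDU type 0x%02x" % tag)
    _, rid, pos = read_tlv(pdu, 0)
    _, err, _ = read_tlv(pdu, pos)
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True)


def bounce_port(host: str, community: str, if_index: int, hold: float = 2.0, timeout: float = 3.0):
    """Send down, hold the port down long enough for the client to see link loss, send up.
    Returns the two error-status values; anything non-zero means the switch refused the SET."""
    statuses = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for i, pkt in enumerate(port_bounce_requests(community, if_index)):
            s.sendto(pkt, (host, 161))
            rid, status = response_error_status(s.recv(4096))
            statuses.append(status)
            if i == 0:
                time.sleep(hold)
    return statuses


if __name__ == "__main__":
    if len(sys.argv) == 4:   # usage: script.py <switch-ip> <write-community> <ifIndex>
        print(bounce_port(sys.argv[1], sys.argv[2], int(sys.argv[3])))
    else:                    # offline: show the constructed packets for community "private", ifIndex 10
        for pkt in port_bounce_requests("private", 10):
            print(pkt.hex())
```

The hold between the two SETs matters: if the port comes back up before the client's NIC driver reports link loss, the client never restarts DORA and you are back to waiting for the lease to expire. Check the switch's response error-status rather than assuming success; a read-only community or an SNMP ACL on the switch returns a non-zero status (or nothing at all, which surfaces here as a socket timeout).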



  • 9.  RE: Force MAC-Authed client to start DHCP process again after successful authentication

    EMPLOYEE
    Posted Apr 07, 2015 11:04 AM

    .