Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Help with Quarantine Enforcement Profile

  • 1.  Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 09:27 AM

    I am attempting to write an Enforcement Profile that will quarantine a user to a "Dead" vlan on a Cisco switch.  I want to be able to manually change the user's switch port to a dead vlan with a CoA Status change from Access Tracker.

     

    Here is my attempt at writing the profile.  When applying the CoA to the user, CPPM shows the CoA request was successful, but it doesn't change the vlan on the switch.  What am I missing?

     

    [Attachment: Screen Shot 2015-02-12 at 9.23.41 AM.png]

     

     



  • 2.  RE: Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 10:14 AM

    Are you using OnGuard?



  • 3.  RE: Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 10:15 AM

    You need to send a regular VLAN enforcement profile 



  • 4.  RE: Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 10:48 AM

    Victor, I am not using OnGuard.

     

    I tried making a VLAN Enforcement profile, but the problem is then that profile is not accessible via the Change Status from within Access Tracker.

     

    See below.

     

    [Attachment: Screen Shot 2015-02-12 at 10.45.17 AM.png]



  • 5.  RE: Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 10:56 AM

    I guess you don't want to apply a dynamic enforcement profile; instead you want to do it manually?



  • 6.  RE: Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 11:01 AM

    Correct.  I want a way from within Access Tracker to be able to manually quarantine a user off the network, by using the Change Status button and select an appropriate CoA profile to put them in another VLAN.

     

    [Attachment: Screen Shot 2015-02-12 at 11.00.21 AM.png]



  • 7.  RE: Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 11:29 AM

    Did you enable CoA when you added the NAD?



  • 8.  RE: Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 11:35 AM

    Yes, CoA is enabled on the switch.

     

    ! RFC 5176 dynamic authorization (CoA / Disconnect) listener on the switch
    aaa server radius dynamic-author
     ! ClearPass server allowed to send CoA; key shown in IOS type-7 obfuscated form
     client 1.1.1.1 server-key 7 <key>
     port 3799
     ! every session-identification attribute in the request must match the session
     auth-type all



  • 9.  RE: Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 11:45 AM

    and you enabled it on the NAD definition within CPPM?

     

    No firewall, blocking 3799 between CPPM and the switch?



  • 10.  RE: Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 01:03 PM

    Danny,

    Yes, it is enabled in CPPM under the device profile.  No firewalls between the NAD and CPPM.

     

    Do you know what the Enforcement Policy should look like to use it under the Change Status button?

     

    [Attachment: Screen Shot 2015-02-12 at 1.00.31 PM.png]

     



  • 11.  RE: Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 01:14 PM

    What version of ClearPass are you using?

     

    I am currently using the latest 6.4 version and it works.



  • 12.  RE: Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 01:18 PM

    Can you share your profile so I can replicate it?  I am using 6.5.  I also have 6.4, but it was not working on either version.  I likely don't have a good profile built.



  • 13.  RE: Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 01:26 PM

    I used the same enforcement profile:

    [Attachment: 2015-02-12 13_24_39-ClearPass Policy Manager - Aruba Networks.png]

    [Attachment: 2015-02-12 13_25_08-ClearPass Policy Manager - Aruba Networks.png]



  • 14.  RE: Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 02:43 PM

    Victor,

     

    I created the same profile, but it doesn't show up in the Change Status list.  Does the order of the RADIUS attributes matter, because mine are in a different order?  I notice that some of the Profiles in the list have brackets [ .. ].  Is there any significance to the brackets or are they just to make things stand out?

     

     

    [Attachment: coa-profile.jpg]



  • 15.  RE: Help with Quarantine Enforcement Profile

    Posted Feb 12, 2015 03:32 PM

    The ones in between brackets are ClearPass default profiles



  • 16.  RE: Help with Quarantine Enforcement Profile
    Best Answer

    Posted Feb 13, 2015 07:40 AM

    Thank you Victor.  I found a Cisco document that states the switch does not support VLAN change in a CoA request.  Apparently, this works on other switch vendors, but not Cisco.  Thanks for your help.  Done beating head on this one...
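
Editor's added example (not code from any poster in this thread, and not ClearPass's own implementation): the RFC 5176 exchange the thread is about, built and checked by hand so the two halves of the problem can be seen on the wire. It produces a CoA-Request carrying the same Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple a VLAN enforcement profile sends, and, as the alternative commonly used when a Cisco IOS switch will not change VLAN on a CoA push (the thread's conclusion), a CoA-Request carrying cisco-avpair "subscriber:command=reauthenticate", which makes the port re-authenticate so the normal enforcement policy can assign the quarantine VLAN on the rerun. It also shows the two signatures a dynamic-author listener like the one in post 8 checks (Request Authenticator and Message-Authenticator) and validates the ACK/NAK that comes back. The shared secret, user name, NAS address and the stand-in switch reply are constructed for the offline demo; nothing is sent unless send_coa is called against a real switch listening on UDP 3799.

```python
import hashlib
import hmac
import os
import socket
import struct

# Packet codes from RFC 5176 (RADIUS Dynamic Authorization Extensions).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CODE_NAMES = {COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK", 41: "Disconnect-ACK", 42: "Disconnect-NAK"}
# Attribute types (RFC 2865, 2868, 2869, 5176) and the Cisco VSA that carries CoA commands.
USER_NAME, NAS_IP_ADDRESS, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 1, 4, 64, 65, 81
VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR, ERROR_CAUSE, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 80, 101, 9, 1
ERROR_CAUSES = {401: "Unsupported Attribute", 402: "Missing Attribute", 404: "Invalid Request",
                407: "Invalid Attribute Value", 503: "Session Context Not Found"}

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(data: bytes) -> list:
    """Split an attribute section into (type, value) pairs, rejecting truncated ones."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def vlan_attrs(vlan: int) -> bytes:
    """RFC 3580 VLAN triple: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), group id; 0x00 is the tag."""
    return (attr(TUNNEL_TYPE, b"\x00" + struct.pack("!I", 13)[1:])
            + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + struct.pack("!I", 6)[1:])
            + attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()))

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping cisco-avpair (vendor 9, type 1)."""
    body = text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(body) + 2) + body)

def build_coa_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    """Sign a CoA-Request: Message-Authenticator = HMAC-MD5 over the packet with the Authenticator field
    and its own value zeroed, then Request Authenticator = MD5(Code+ID+Length+16 zeros+Attributes+Secret)."""
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))            # placeholder, kept as the last attribute
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    attrs = attrs[:-16] + hmac.new(secret, header + bytes(16) + attrs, hashlib.md5).digest()
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def verify_coa_request(secret: bytes, pkt: bytes) -> bool:
    """The check a NAD makes on arrival: both signatures must verify under the shared secret."""
    header, req_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    if not hmac.compare_digest(hashlib.md5(header + bytes(16) + attrs + secret).digest(), req_auth):
        return False
    parsed = parse_attrs(attrs)
    ma = next((v for t, v in parsed if t == MESSAGE_AUTHENTICATOR), None)
    zeroed = b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in parsed)
    return ma is not None and hmac.compare_digest(
        hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest(), ma)

def nad_reply(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    """Constructed stand-in for the switch: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def check_response(secret: bytes, request: bytes, response: bytes) -> tuple:
    """Validate an ACK/NAK against the request it answers; returns (name, error_cause, text)."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        raise ValueError("truncated or mis-sized reply")
    if response[1] != request[1]:
        raise ValueError("Identifier does not match the request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    cause = next((struct.unpack("!I", v)[0] for t, v in parse_attrs(response[20:])
                  if t == ERROR_CAUSE and len(v) == 4), None)
    return CODE_NAMES.get(response[0], "code %d" % response[0]), cause, ERROR_CAUSES.get(cause)

def send_coa(nad_ip: str, secret: bytes, attrs: bytes, port: int = 3799, timeout: float = 3.0) -> tuple:
    """Send one CoA-Request to the switch's dynamic-author listener (UDP 3799) and validate the reply."""
    request = build_coa_request(secret, os.urandom(1)[0], attrs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nad_ip, port))
        reply, _ = sock.recvfrom(4096)
    return check_response(secret, request, reply)

if __name__ == "__main__":
    secret = b"s3cret"      # constructed; in practice the switch's dynamic-author server-key
    session = attr(USER_NAME, b"jdoe") + attr(NAS_IP_ADDRESS, socket.inet_aton("10.0.0.2"))
    for label, payload in (("VLAN push", vlan_attrs(999)),
                           ("Cisco re-auth", cisco_avpair("subscriber:command=reauthenticate"))):
        req = build_coa_request(secret, os.urandom(1)[0], session + payload)
        # Offline demo: a constructed NAK with Error-Cause 401 stands in for the switch's reply.
        nak = nad_reply(secret, req, COA_NAK, attr(ERROR_CAUSE, struct.pack("!I", 401)))
        print(label, verify_coa_request(secret, req), check_response(secret, req, nak))
```

Two things worth noting when reading the thread against this. A CoA-ACK only means the switch accepted the packet; it does not promise that every attribute was acted on, which is consistent with Access Tracker reporting success while the port VLAN stayed put. And a NAK with Error-Cause 401 (Unsupported Attribute) or 503 (Session Context Not Found) is the cheap first diagnostic, so when testing a new enforcement profile, capture the reply rather than trusting the green status in the UI.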