Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Issue with Dynamic VLAN Assignment ClearPass and Juniper EX switches

  • 1.  Issue with Dynamic VLAN Assignment ClearPass and Juniper EX switches

    Posted Jun 28, 2019 02:58 AM

    Hi,

    We have configured dot1x authentication on Juniper EX switches and ClearPass as a RADIUS server.

    The problem is that by default the switch port is in one VLAN and the domain machine authenticates in that VLAN only. Once the user is logged into the machine, the port is moved to the respective department VLAN based on the user's department.

    However, Access Tracker shows that the respective VLAN role is assigned, and the show VLAN command shows that the port is moved to the respective VLAN. But the user is not getting an IP address from the VLAN pool from the DHCP server; only once we do a release and renew does the user get an IP address. We have even added Avenda-tag-id: 0 in the enforcement profile.

    Can anyone help us with this issue?

    Thanks,

    Yugandhar.



  • 2.  RE: Issue with Dynamic VLAN Assignment ClearPass and Juniper EX switches

    EMPLOYEE
    Posted Jun 28, 2019 03:09 AM
    It’s not a switch or CPPM issue you are running into. It’s the behavior of the device that causes the problem.

    This is a common issue. Most devices will retain their IP address unless you either bounce the switch port, set a very short DHCP lease on the initial VLAN, or use an agent that will bounce the client.

    This is where ACL/dACL can also help. Instead of switching VLANs you could apply a different ACL based on type of access.