Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

One Click Manual CoA

  • 1.  One Click Manual CoA

    Posted Oct 23, 2019 09:41 AM
    Dear Experts

    One of the prospects wants to know if ClearPass can send a manual CoA to move a particular user to a quarantine VLAN.


  • 2.  RE: One Click Manual CoA

    Posted Oct 23, 2019 09:47 AM
    Yes, assuming that the condition or state of the device is changed either manually or dynamically, and that the correct policies/enforcement are in place based on the new condition/state.



  • 3.  RE: One Click Manual CoA

    Posted Oct 23, 2019 09:55 AM
    Please help to elaborate. A user is connected and authenticated on the network using Juniper switches. Now the IT department suspects that user xyz's machine is infected and they need to put him in a quarantine VLAN.

    Can they do it by sending a manual CoA for that user? If yes, please let me know where and how this will be done.


  • 4.  RE: One Click Manual CoA

    Posted Oct 23, 2019 10:02 AM
    One thing more: if I have a simple dot1x user authenticated on the network, I can see his entry in Access Tracker, but when I click on Change Status, RADIUS CoA is greyed out.


  • 5.  RE: One Click Manual CoA

    Posted Oct 23, 2019 12:39 PM
    What type of network access device are you using?



    Thank you

    Victor Fabian



  • 6.  RE: One Click Manual CoA

    Posted Oct 23, 2019 12:43 PM
    A 2930F switch in my lab; however, the customer will be using Juniper EX series switches.


  • 7.  RE: One Click Manual CoA

    Posted Oct 23, 2019 01:20 PM
    Make sure that you added the Juniper switch under Configuration > Network > Devices using the Vendor Name "Juniper", with RADIUS CoA enabled.



  • 8.  RE: One Click Manual CoA

    Posted Oct 23, 2019 01:32 PM

    OK, I will try it and let you know; I will also check on the 2930F. I have currently checked on an IAP and it worked perfectly.

    Need to ask one thing: is there any possible workflow in which we can do a manual CoA from ClearPass and apply an enforcement policy (or profile) manually? Basically the customer wants to move a user (who they think might be infected, or for some other reason) to a quarantine VLAN. The only way I can think of is to issue a manual CoA and apply an enforcement profile which assigns it a quarantine VLAN, or change the user's VLAN on the fly. I am not sure how this can be achieved.



  • 9.  RE: One Click Manual CoA
    Best Answer

    Posted Oct 23, 2019 01:49 PM
    Yes, you can.

    In this case, if the customer determines that the device is infected and wants to manually initiate a CoA, then the customer will need to add the device MAC address to a ClearPass Static Host List (SHL) or the Guest Device Repository (GDR) and use that in the enforcement policy to put the device in the quarantine VLAN.

    Also make sure you are using the following commands to enable CoA on the Juniper switch:

    set access radius-server [CLEARPASS-SERVER-IP] dynamic-request-port 3799

    set access radius-server [CLEARPASS-SERVER-IP] secret [RADIUS-SHARED-KEY]

    set access radius-server [CLEARPASS-SERVER-IP] source-address [SWITCH-MANAGEMENT-IP]

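The workflow in the Best Answer (list the MAC in a Static Host List that the enforcement policy already maps to the quarantine VLAN, then send a CoA so the device re-authenticates) can be driven from the ClearPass REST API, which is what a "one click" button would call. The script below is an added example written for this page; it is not code from the thread or from HPE Aruba. The endpoint paths (`/api/oauth`, `/api/static-host-list/{id}`, `/api/session`, `/api/session/{id}/disconnect`), the payload keys (`host_entries`, `confirm_disconnect`), the HAL `_embedded.items` response shape and the MAC format used in the session filter are assumptions taken from the ClearPass API Explorer (`https://<cppm>/api-docs`); verify them against your ClearPass version before relying on them. The SHL id, API client credentials and MAC addresses in the code are placeholders.

```python
"""One-click quarantine against the ClearPass REST API (added example, not
from the thread or from HPE Aruba). Mirrors the Best Answer's workflow:
  1. put the suspect MAC in a Static Host List (SHL); the existing
     enforcement policy maps "MAC in <SHL>" to the quarantine-VLAN profile
  2. look up the device's active session(s) in Access Tracker
  3. send a RADIUS Disconnect (CoA) so the device re-authenticates and
     now lands in the quarantine VLAN
Endpoint paths, payload keys and the MAC format used by the session
filter are assumptions taken from the ClearPass API Explorer
(https://<cppm>/api-docs); verify them against your ClearPass version.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# A transport is any callable (method, path, json_body) -> decoded JSON dict.
# make_transport() builds a real one; a test can pass a fake.
Transport = Callable[[str, str, Optional[dict]], dict]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return 12 lowercase hex digits from any common MAC notation
    (aa:bb:.., AA-BB-.., aabb.ccdd.eeff). ValueError otherwise."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return hexdigits


def mac_colon(mac12: str) -> str:
    """aabbccddeeff -> aa:bb:cc:dd:ee:ff (the form shown in the SHL editor)."""
    return ":".join(mac12[i:i + 2] for i in range(0, 12, 2))


def _same_mac(entry_addr: str, mac12: str) -> bool:
    try:  # an SHL may also hold IPs/hostnames; those never match a MAC
        return normalize_mac(entry_addr) == mac12
    except ValueError:
        return False


def make_transport(base_url: str, client_id: str, client_secret: str) -> Transport:
    """Real transport: OAuth2 client-credentials token, then Bearer calls.
    Assumes an API client exists under Administration > API Services and
    that the ClearPass HTTPS certificate chains to a CA the host trusts."""
    def call(method, path, body, token=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if token:
            req.add_header("Authorization", "Bearer " + token)
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    tok = call("POST", "/api/oauth", {"grant_type": "client_credentials",
                                       "client_id": client_id,
                                       "client_secret": client_secret})["access_token"]
    return lambda m, p, b: call(m, p, b, tok)


def add_to_static_host_list(api: Transport, shl_id: int, mac12: str, reason: str) -> bool:
    """Append the MAC to the SHL; returns False if it was already listed."""
    current = api("GET", f"/api/static-host-list/{shl_id}", None)
    entries: List[Dict[str, str]] = list(current.get("host_entries", []))
    if any(_same_mac(e.get("host_address", ""), mac12) for e in entries):
        return False
    entries.append({"host_address": mac_colon(mac12), "host_address_desc": reason})
    api("PATCH", f"/api/static-host-list/{shl_id}", {"host_entries": entries})
    return True


def active_session_ids(api: Transport, mac12: str) -> List[int]:
    """Access Tracker sessions for this MAC that are still active
    (assumes the session 'mac_address' field holds the separator-free form)."""
    filt = json.dumps({"mac_address": mac12, "state": "active"})
    page = api("GET", "/api/session?limit=25&filter=" + urllib.parse.quote(filt), None)
    return [s["id"] for s in page.get("_embedded", {}).get("items", [])]


def quarantine(api: Transport, shl_id: int, mac_raw: str, reason: str = "quarantine") -> dict:
    """The 'one click': list the MAC first, then CoA-disconnect every live session.
    Order matters: the SHL must already contain the MAC when the switch
    re-authenticates the port after the Disconnect, otherwise the device
    simply comes back on its normal VLAN."""
    mac12 = normalize_mac(mac_raw)
    added = add_to_static_host_list(api, shl_id, mac12, reason)
    sids = active_session_ids(api, mac12)
    for sid in sids:
        api("POST", f"/api/session/{sid}/disconnect", {"confirm_disconnect": True})
    return {"mac": mac_colon(mac12), "added": added, "disconnected": len(sids)}


if __name__ == "__main__":  # placeholders: replace with your CPPM, client and SHL id
    cppm = make_transport("https://cppm.example.net", "quarantine-tool", "<client secret>")
    print(quarantine(cppm, 3, "AA-BB-CC-DD-EE-FF", "IT ticket 123"))
```

The Disconnect only reaches the switch if the conditions from posts 7 and 9 hold: the NAD entry in ClearPass has RADIUS CoA enabled, and the switch accepts dynamic requests on UDP 3799 from the ClearPass IP with the matching shared secret. If either is missing, the API call succeeds but the session stays up, which is the same symptom as the greyed-out CoA button in Access Tracker. Reauthorizing the session with a quarantine profile instead of using an SHL would move the device immediately, but that change only lasts for the current session; the SHL approach persists across reconnects, which is why the Best Answer ties it to the enforcement policy.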

  • 10.  RE: One Click Manual CoA

    Posted Oct 23, 2019 01:59 PM

    When you said "and use that in the enforcement policy to put the device in the quarantine VLAN", where will this enforcement policy be called? Or did you mean I should already have this policy in place, and just by adding it to the SHL, after the CoA terminates the session, when it tries to reauthenticate, it won't?