Security

Frequent Contributor II

One Click Manual CoA

Dear Experts

One of the prospects wants to know if ClearPass can send a manual CoA to move a particular user to a quarantine VLAN.
MVP Guru

Re: One Click Manual CoA

Yes, assuming that the condition or state of the device is updated either manually or dynamically, and that the correct policies/enforcement are in place based on the new condition/state.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II

Re: One Click Manual CoA

Please help to elaborate. A user is connected and authenticated on the network using Juniper switches. Now the IT department suspects that user xyz's machine is infected and they need to put him in a quarantine VLAN.

Can they do it by sending a manual CoA for that user? If yes, please let me know where and how this will be done.
Frequent Contributor II

Re: One Click Manual CoA

One thing more: if I have a simple dot1x user authenticated on the network, I can see his entry in Access Tracker, but when I click on Change Status, RADIUS CoA is greyed out.
MVP Guru

Re: One Click Manual CoA

What type of network access device are you using?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II

Re: One Click Manual CoA

A 2930F switch in my lab; however, the customer will be using Juniper EX series switches.
MVP Guru

Re: One Click Manual CoA

Make sure that you added the Juniper switch under Configuration > Network > Devices using the Vendor Name "Juniper" with RADIUS CoA enabled.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II

Re: One Click Manual CoA

OK, I will try it and let you know; I will also check on the 2930F. I currently checked on an IAP and it worked perfectly.

I need to ask one thing: is there any possible workflow in which we can do a manual CoA from ClearPass and apply an enforcement policy (or profile) manually? Basically, the customer wants to move a user (who they think might be infected, or for some other reason) to a quarantine VLAN. The only way I can think of is to issue a manual CoA and apply an enforcement profile which assigns it a quarantine VLAN, or change the user's VLAN on the fly. I am not sure how this can be achieved.

MVP Guru

Re: One Click Manual CoA

Yes, you can.

In this case, if the customer determines that the device is infected and wants to initiate a manual CoA, then the customer will need to add the device MAC address to the ClearPass Static Host List (SHL) or Guest Device Repository (GDR) and use that in the enforcement policy to put the device in the quarantine VLAN.

Also make sure you are using the following commands to enable CoA on the Juniper switch:

set access radius-server [CLEARPASS-SERVER-IP] dynamic-request-port 3799
set access radius-server [CLEARPASS-SERVER-IP] secret [RADIUS-SHARED-KEY]
set access radius-server [CLEARPASS-SERVER-IP] source-address [SWITCH-MANAGEMENT-IP]
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
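The post above configures the Juniper switch to accept dynamic authorization requests on UDP 3799 with the RADIUS shared secret. The following is an added example (not code from the thread, ClearPass or Junos) showing what ClearPass actually puts on the wire for such a request: an RFC 5176 CoA-Request that carries the VLAN tunnel attributes for the quarantine VLAN, a Disconnect-Request that simply terminates the session so the client reauthenticates, the Request Authenticator that the switch checks against the shared secret, and the check of the switch's ACK/NAK. The user name, MAC address, VLAN id, switch IP and secret are constructed placeholders, and the Calling-Station-Id format the switch expects is an assumption.

```python
"""RFC 5176 CoA-Request / Disconnect-Request builder and response checker.

Added example for the thread above; it is not ClearPass or Junos code.
Assumed values: the NAS IP, shared secret, user name, MAC and VLAN id are
constructed placeholders. The NAS is expected to listen on UDP 3799, the
'dynamic-request-port' configured on the Juniper switch.
"""
import hashlib
import hmac
import socket
import struct

# RFC 5176 packet codes
CODE_DISCONNECT_REQUEST = 40
CODE_DISCONNECT_ACK = 41
CODE_DISCONNECT_NAK = 42
CODE_COA_REQUEST = 43
CODE_COA_ACK = 44
CODE_COA_NAK = 45

# RFC 2865 / RFC 2868 attribute types used here
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id, tag=0):
    """RFC 2868 tunnel attributes that assign a VLAN; each carries a 1-octet tag."""
    tag_byte = bytes([tag])
    return (
        avp(ATTR_TUNNEL_TYPE, tag_byte + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
        + avp(ATTR_TUNNEL_MEDIUM_TYPE, tag_byte + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])
        + avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode())
    )


def session_attributes(username, mac):
    """Attributes identifying the session on the NAS (RFC 5176 section 3).
    The MAC format the switch expects ('aa-bb-cc-dd-ee-ff' here) is an assumption."""
    return avp(ATTR_USER_NAME, username.encode()) + avp(ATTR_CALLING_STATION_ID, mac.encode())


def build_request(code, identifier, attributes, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def build_response(code, request, attributes, secret):
    """NAS side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Included so verify_response can be exercised without a real switch."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    authenticator = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + authenticator + attributes


def verify_response(response, request, secret):
    """Return the response code if the packet is well-formed and authentic, else None."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def quarantine_request(identifier, username, mac, vlan_id, secret):
    """CoA-Request that moves the identified session to the quarantine VLAN."""
    attrs = session_attributes(username, mac) + vlan_attributes(vlan_id)
    return build_request(CODE_COA_REQUEST, identifier, attrs, secret)


def disconnect_request(identifier, username, mac, secret):
    """Disconnect-Request that terminates the session so the client reauthenticates."""
    return build_request(CODE_DISCONNECT_REQUEST, identifier, session_attributes(username, mac), secret)


def send_request(nas_ip, packet, secret, port=3799, timeout=3.0):
    """Send to the NAS dynamic-request port; return the verified response code, or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (nas_ip, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_response(data, packet, secret)


if __name__ == "__main__":
    # Constructed placeholders; replace with the real switch, secret and session before use.
    packet = quarantine_request(1, "jdoe", "00-11-22-33-44-55", 999, b"radius-shared-key")
    print(packet.hex())
    # print(send_request("192.0.2.10", packet, b"radius-shared-key"))
```

Two points worth noting when testing this against a switch: the request must originate from the ClearPass IP the switch has configured as its radius-server, since the switch only accepts dynamic authorization from its configured servers, and the secret used in the authenticator must be the same `[RADIUS-SHARED-KEY]` from the `set access radius-server` lines. A CoA-NAK (code 45) with a correct authenticator means the switch found no matching session or does not support the attributes sent, which is why a Disconnect-Request followed by reauthentication against a policy that already matches the SHL/GDR entry is often the more reliable path.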
Frequent Contributor II

Re: One Click Manual CoA

When you said "and use that in the enforcement policy to put the device in the quarantine VLAN", where will this enforcement policy be called? Or did you mean I should already have this policy in place, and just by adding it to the SHL, after the CoA terminates the session, when it tries to reauthenticate, it won't.