Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Open mode to closed mode

  • 1.  Open mode to closed mode

    Posted Mar 05, 2019 03:52 PM
    On Cisco and HPE switches, we have dot1x and MAB configured on each port, with dot1x as the higher order and priority.

    As we are doing DHCP profiling for the initial few weeks, we are not denying anything at the RADIUS level, and even if both dot1x and MAB fail we are allowing the port to connect to the network.

    There is a command "authentication open". We don't want to have this command on every switch port, as we are already allowing everything via RADIUS (no enforcement and allow access profile).

    Is this command mandatory for running a switch port in open mode from the RADIUS point of view?

    Now, when we move from open to closed mode we will do VLAN enforcement, and we don't want to touch any port to do anything; we want to control everything via RADIUS.

    I am a bit confused about the authentication open command.

    The goal is not to touch any port during closed mode once we do VLAN enforcement.



  • 2.  RE: Open mode to closed mode

    Posted Mar 05, 2019 04:34 PM
    The authentication open command allows you to get access even if the device is rejected by the RADIUS server.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: Open mode to closed mode

    Posted Mar 05, 2019 05:14 PM
    Thanks for your reply.

    My query is more related to the "authentication open" command on a Cisco switch, for example.

    I don't want to use this command at all, whether I deploy the NAC solution in open mode or closed mode.
    I want RADIUS to allow full access (no deny) in open mode instead of putting the authentication open command on each switch or port.

    So that when I put enforcement rules on RADIUS in closed mode I don't have to manually go to each port and remove the "authentication open" command.

    So in a nutshell, I want RADIUS to control everything, with no work to be done at port level except the one-time dot1x/MAB configuration.

    Is it doable?


  • 4.  RE: Open mode to closed mode

    Posted Mar 06, 2019 04:55 AM

    Hello community,

    Anybody, please help here.



  • 5.  RE: Open mode to closed mode

    Posted Mar 06, 2019 06:57 AM
    You need to remove the command from each interface; ClearPass can't send a RADIUS attribute to override the open command.

    All you need to do is use the interface range command.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 6.  RE: Open mode to closed mode

    Posted Mar 06, 2019 07:34 AM
    Hi Fabian. Thanks for the reply.

    Let me put my query another way.

    Suppose on all my ports I don't have the authentication open command. So it will check dot1x first and then MAB. But on my CPPM I have configured the service to allow all access. So even though my switch has no authentication open, my RADIUS is open.
    Does this setup work?


  • 7.  RE: Open mode to closed mode

    Posted Mar 06, 2019 09:37 AM
    Yes. All you have to do is return the ClearPass default [accept] enforcement profile back to your switch,

    assuming that you are planning to keep the VLAN assignment at the interface level.




    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 8.  RE: Open mode to closed mode

    Posted Mar 06, 2019 10:15 AM

    Thanks Victor. Yes, my VLAN is on the port, and I am not returning any VLAN from RADIUS.

    But later, when I enforce policy, I will return the VLAN from RADIUS.



  • 9.  RE: Open mode to closed mode
    Best Answer

    Posted Mar 06, 2019 11:45 AM
    That should be fine.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile
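
    The port and RADIUS setup the thread converges on, written out as a constructed example (it is not configuration posted by anyone in this thread, and the interface range and VLAN ids 10 and 20 are assumed): dot1x ordered before MAB on each access port, no "authentication open" anywhere, open mode provided purely by ClearPass returning an Access-Accept, and closed mode later driven by the VLAN attributes ClearPass returns.

    ```cisco
    ! Constructed example, not configuration from this thread. Interface range and
    ! VLAN ids are assumed. Per-port 802.1X plus MAB with dot1x first, as the
    ! original poster describes, and deliberately without "authentication open":
    ! the switch itself is closed, so in open mode the permissiveness comes only
    ! from ClearPass answering every request with an Access-Accept.
    interface range GigabitEthernet1/0/1 - 24
     switchport mode access
     switchport access vlan 10
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     mab
     dot1x pae authenticator
    !
    ! If "authentication open" was already pushed to the ports, a RADIUS reject is
    ! ignored there and traffic is forwarded anyway; ClearPass cannot override that
    ! with an attribute. Remove it once across the whole range before the policy
    ! is switched to closed mode:
    interface range GigabitEthernet1/0/1 - 24
     no authentication open
    !
    ! ClearPass side, shown as RADIUS attribute lists rather than switch CLI:
    !  Open mode   - every request matches the default [Allow Access Profile]
    !                (Access-Accept with no VLAN attribute), so the port keeps
    !                its locally configured VLAN 10.
    !  Closed mode - an Access-Accept carrying the standard tunnel attributes
    !                moves the session to the RADIUS-assigned VLAN (assumed 20):
    !                  Tunnel-Type             = VLAN (13)
    !                  Tunnel-Medium-Type      = IEEE-802 (6)
    !                  Tunnel-Private-Group-Id = 20
    !                Endpoints that fail policy get an Access-Reject and, with no
    !                "authentication open" on the port, are no longer forwarded.
    ```

    Two checks before relying on this: the switch needs "aaa authorization network default group radius" for the returned VLAN to be applied, and endpoints without a supplicant sit in the dot1x phase until it times out before MAB runs, so during DHCP profiling it is worth watching "show authentication sessions interface GigabitEthernet1/0/1" and, if the wait is too long, lowering "dot1x timeout tx-period" on the range.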


  • 10.  RE: Open mode to closed mode

    Posted Mar 06, 2019 12:29 PM

    Thanks a lot, Victor.