Contributor II

clearpass cisco posture

Hi,

We have an Aruba controller and a Cisco 3560 switch with version 12.2(58).

I have done all the wireless configuration and it's working well, and I have created a posture for the wireless connection; it's also working well.

I want to create wired authentication for our employees on the Cisco switch, authenticating via our DC.

And I don't want to install an agent on our employees' PCs; I want the Cisco switch to redirect them to the OnGuard portal and check.

I have created a wired service and policy. In the policy I have created a profile with the Cisco dACL template that checks if the user is [user auth] and [mac auth]; he will get an "ip any any" ACL,

and another profile that checks the posture, if it's healthy.

If all this matches he will get full access.

Second rule: it checks if the tips [user auth] and [mac auth],

and if the posture is not healthy.

I don't know which profile I should assign for the second rule.

If the user is authenticated but not healthy, I want the Cisco switch to redirect him to OnGuard without installing an agent and check his PC.

Could you please tell me what configuration I should do on Cisco and the ClearPass profile?

Note: I don't want to redirect him to another VLAN; I want to use the dACL attribute.

Thank you


Guru Elite

Re: clearpass cisco posture

OK, just keep in mind that the posture token is cached for a certain amount of time and the user may have to be manually checked every time they reconnect. The user experience may be frustrating. Is this the behavior you want?


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor II

Re: clearpass cisco posture

Yes, I want each time the user connects to the network to check whether their PC is healthy or not via a wired connection on the Cisco switch.

I have created a service; inside the service there is a policy; inside the policy there are 2 rules.

First rule:

tips role eq user auth

& tips role machine auth

& tips posture eq healthy

assign Cisco dACL profile1 (radius cisco : cisco ip downloadable acl : permit ip any any)

*** Here I need to know how to configure a second profile for this rule to redirect him to OnGuard without installing the agent on his PC.

How can I do it?

Second rule:

tips role eq user auth

& tips role machine auth

& tips posture not eq healthy

assign Cisco dACL profile2 (radius cisco : cisco ip downloadable acl : ?)

Here I need to assign a profile that redirects the user to the OnGuard portal also,

and I need to cache his credentials for the second connection.

How can I do it on ClearPass and the Cisco switch?

Thank you

Re: clearpass cisco posture

You can do the following :

 

[Attachment: 2014-09-05 22_46_21-ClearPass Policy Manager - Aruba Networks.png]

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: clearpass cisco posture

This has three user roles.

Employee

Staff

Student

[Attachment: Screen Shot 2014-09-05 at 9.47.49 PM.png]

[Attachment: Screen Shot 2014-09-05 at 9.51.44 PM.png]

Victor is correct. The easiest thing to do is send an ACL with the redirect to the CP page.

Thank You,
Troy

Contributor II

Re: clearpass cisco posture

Should I add this profile (Cisco wired OnGuard with posture profile) to both rules?

Should I create a web auth service also?

url-redirect= : is it the OnGuard URL page?

Thank you


Contributor II

Re: clearpass cisco posture

Here are the policy and the profiles.

Is that the right way?

Should I create or add another configuration?

Thank you

Re: clearpass cisco posture

What type of agent are you using, Persistent or Dissolvable?

I think what you should do is send the full access VLAN when it meets:

- Machine Auth

- User Auth

- Healthy Posture

[Attachment: 2014-09-06 08_55_29-ClearPass Policy Manager - Aruba Networks.png]

And if the criteria are:

- Machine Auth

- User

- Not Healthy

Then you send the Cisco AV Pair with the URL and ACL.

The ACL on your switch should look like this:

! Redirect ACL: "deny" entries are exempt from the redirect, "permit" entries are intercepted and redirected
ip access-list extended <ACL NAME>
 deny tcp any host <ClearPass IP Address>
 permit tcp any any

Make sure that you enable ip http server on your switch.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
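As an added example (not Victor's configuration and not taken from any post in this thread), here is a complete Cisco IOS switch configuration that puts the pieces above together: AAA and RADIUS toward ClearPass, CoA so ClearPass can re-authorize the port once the dissolvable agent reports a result, the redirect ACL, and an access port running 802.1X with MAB fallback so both the [user auth] and [mac auth] conditions can be met. The ClearPass address 10.0.0.10, the shared key changeme, the ACL name CP-REDIRECT, VLAN 100 and interface GigabitEthernet0/1 are assumptions; the OnGuard portal URL is left as a placeholder because the thread does not give it. The RADIUS attributes the "authenticated but not healthy" enforcement profile has to return are listed as comments at the end so the ClearPass side can be matched to the switch side.

```cisco
! Added example, not from the thread. Assumed values: ClearPass 10.0.0.10,
! shared secret "changeme", redirect ACL CP-REDIRECT, VLAN 100, Gi0/1.
aaa new-model
aaa authentication dot1x default group radius
! Needed so the switch accepts dACLs / Cisco-AVPairs in the Access-Accept
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key changeme
radius-server vsa send authentication
radius-server vsa send accounting
! Allow ClearPass to send RADIUS CoA after the health check changes the posture
aaa server radius dynamic-author
 client 10.0.0.10 server-key changeme
!
! dACL and URL redirect need the client's IP: the switch learns it here
ip device tracking
! The switch intercepts HTTP/HTTPS from the client and answers with the redirect
ip http server
ip http secure-server
!
dot1x system-auth-control
!
! Redirect ACL referenced by url-redirect-acl= from ClearPass.
! Semantics are inverted compared to a filtering ACL:
!   deny   = do NOT redirect (traffic to ClearPass must pass so OnGuard can run)
!   permit = intercept and redirect to the URL sent in url-redirect=
ip access-list extended CP-REDIRECT
 deny   tcp any host 10.0.0.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 100
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! ClearPass enforcement profile for the rule
!   user auth AND machine auth AND posture NOT healthy
! (RADIUS attributes as the switch receives them; the URL is a placeholder,
! use the address of your OnGuard dissolvable-agent page in ClearPass Guest):
!   Cisco-AVPair = url-redirect-acl=CP-REDIRECT
!   Cisco-AVPair = url-redirect=https://10.0.0.10/<onguard-page>
!   Cisco-AVPair = ip:inacl#1=permit ip any any
! Enforcement profile for the healthy rule: only the dACL, no redirect:
!   Cisco-AVPair = ip:inacl#1=permit ip any any
```

The url-redirect-acl value only names an ACL; the ACL itself has to exist on the switch, which is why Victor's ACL is configured locally, whereas the dACL in ip:inacl# is pushed in full from ClearPass and needs nothing pre-configured. After a client connects, `show authentication sessions interface GigabitEthernet0/1` on the switch lists the applied URL redirect ACL, the URL and the dACL, which is the quickest way to see whether the enforcement profile arrived as intended.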
Contributor II

Re: clearpass cisco posture

Hi,

When it meets

user auth

machine auth

healthy posture

I am sending a dACL (ip any any).

I don't want to use a VLAN.

I am using the dissolvable agent.

I have these services:

wireless service

web-based auth service ---> health check service

wired Cisco service

MAC caching service

Is that the right ordering?

My wireless is working well with posture and everything.


Re: clearpass cisco posture

That looks good.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA