Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

on wired 802.1x how to make users keep working if clearpass fail?

  • 1.  on wired 802.1x how to make users keep working if clearpass fail?

    Posted Aug 22, 2015 01:27 PM

    I'm integrating ClearPass with Cisco NAD switches (2960, 3650, Small Business). Now the thing is that the customer wants the users to keep working normally in case of ClearPass total failure, so what is the best thing to do to achieve that?



  • 2.  RE: on wired 802.1x how to make users keep working if clearpass fail?

    EMPLOYEE
    Posted Aug 22, 2015 01:29 PM
    802.1X cannot fail open. You would have to configure the switch to have an open fail through VLAN which is not very secure.


    Thanks,
    Tim


  • 3.  RE: on wired 802.1x how to make users keep working if clearpass fail?
    Best Answer

    EMPLOYEE
    Posted Aug 22, 2015 01:44 PM
    !
    interface GigabitEthernet1/0/18
     switchport access vlan 100
     switchport mode access
     switchport voice vlan 110
     authentication event fail action next-method
     authentication event server dead action authorize vlan 100
     authentication event server alive action reinitialize
     authentication host-mode multi-host
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout server-timeout 30
     dot1x timeout tx-period 3
     dot1x max-req 3
     dot1x max-reauth-req 3
     spanning-tree portfast
    !


  • 4.  RE: on wired 802.1x how to make users keep working if clearpass fail?

    Posted Aug 22, 2015 07:51 PM

    So tarnold, this will make users able to work normally on VLAN 100 in case of ClearPass total failure, right?



  • 5.  RE: on wired 802.1x how to make users keep working if clearpass fail?

    EMPLOYEE
    Posted Aug 22, 2015 08:52 PM

    Yes. The line dead server is the VLAN the port would default to. Just like Tim stated, it's not a very secure action but it is an option.



  • 6.  RE: on wired 802.1x how to make users keep working if clearpass fail?

    Posted Aug 22, 2015 09:27 PM

    So you mean that a user who still didn't enter his 802.1X credentials has access to the network?



  • 7.  RE: on wired 802.1x how to make users keep working if clearpass fail?

    EMPLOYEE
    Posted Aug 23, 2015 01:51 AM
    Just like the line states.

    authentication event server dead action authorize vlan 100

    If the RADIUS server is dead or the switch loses communication within its timeout period it will just roll over to VLAN 100.


  • 8.  RE: on wired 802.1x how to make users keep working if clearpass fail?

    Posted Aug 24, 2015 11:48 AM

    Dear Tarnold, when I used this configuration the 802.1X pop-up didn't come, and the Ethernet adapter on the client keeps saying "attempting to authenticate" and doesn't show any pop-up to enter credentials.



  • 9.  RE: on wired 802.1x how to make users keep working if clearpass fail?

    Posted Aug 26, 2015 05:53 AM

    When I added this line it worked after 30 sec:

    #authentication event no-response action authorize vlan 100

    But this is working well for pinging inside the network, but for the Windows domain it is not working, like opening FTP or remote desktop connection, all not working, so how to solve this?



  • 10.  RE: on wired 802.1x how to make users keep working if clearpass fail?

    EMPLOYEE
    Posted Aug 26, 2015 02:26 PM
    That is all dependent on your switch and your VLAN settings. You will need to contact the switch vendor.
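
An added example, not part of the original thread: a small Python audit that reads an IOS-style interface configuration and reports every port carrying the fail-open directives discussed above (`server dead`, `no-response`) or `multi-host`, noting when the fallback VLAN is the port's normal access VLAN. The sample config is constructed from the thread's lines; the function names and the second interface are assumptions of this example.

```python
import re

# Constructed sample: the thread's port (abridged) plus a hypothetical second port.
SAMPLE = """\
interface GigabitEthernet1/0/18
 switchport access vlan 100
 authentication event server dead action authorize vlan 100
 authentication event no-response action authorize vlan 100
 authentication host-mode multi-host
!
interface GigabitEthernet1/0/19
 authentication port-control auto
!
"""

FAIL_OPEN = {  # directives that authorize a port without a RADIUS accept
    "server-dead": r"^authentication event server dead action authorize vlan (\d+)$",
    "no-response": r"^authentication event no-response action authorize vlan (\d+)$",
}

def parse_interfaces(config):
    """Split a config into {interface: [sub-commands]}; '!' ends a block."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def audit(config):
    """Return {interface: [findings]} for ports that can admit unauthenticated hosts."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        text = "\n".join(lines)
        access = re.findall(r"^switchport access vlan (\d+)$", text, re.M)
        found = []
        for label, pattern in FAIL_OPEN.items():
            m = re.search(pattern, text, re.M)
            if m:
                note = " (the normal access VLAN)" if m.group(1) in access else ""
                found.append(f"{label}: opens VLAN {m.group(1)}{note}")
        if "authentication host-mode multi-host" in lines:
            found.append("multi-host: first authenticated host opens the port to all")
        if found:
            report[name] = found
    return report
```

Calling `audit(SAMPLE)` flags only GigabitEthernet1/0/18, with all three findings; a fallback VLAN that differs from the access VLAN is reported without the "(the normal access VLAN)" note.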