Security

Hello,

Is there any way to speed up the webauthentication?  In the same mac authentication service I perform profiling and web authnetication.

So my first rule states that if a device is not profiled then as an action go to the quarantine vlan and get a DACL to allow DHCP packets to reach the clearpass in order to het profiled. 

The last rule states that if an endpoint is not known then send to cisco switch the redirection.url and the name of redirection ACL.

The problem is that in case we have a guest laptop first it is profiled and then redirected and this takes around 3 minutes. Is there any way to create an exception for the computers not to get profiled? I tried from the switch to reduce the times for example the dot1x timeout and dot1x max-req .

Do you have any idea how to improve the performance of Clearpass? Thank you in advance.

If I am understanding correctly, this is a switch timer issue.  You should also prefer MAB before 802.1X but you will need to make sure this doesn't cause a similar belay with your 802.1X Endpoints (it should with a properly configured supplicant).
Original Message:
Sent: Jul 05, 2022 05:36 PM
From: athanasios papakonstantinou
Subject: Speed up Clearpass Wired WebAuthentication

Hello,

Is there any way to speed up the webauthentication?  In the same mac authentication service I perform profiling and web authnetication.

So my first rule states that if a device is not profiled then as an action go to the quarantine vlan and get a DACL to allow DHCP packets to reach the clearpass in order to het profiled. 

The last rule states that if an endpoint is not known then send to cisco switch the redirection.url and the name of redirection ACL.

The problem is that in case we have a guest laptop first it is profiled and then redirected and this takes around 3 minutes. Is there any way to create an exception for the computers not to get profiled? I tried from the switch to reduce the times for example the dot1x timeout and dot1x max-req .

Do you have any idea how to improve the performance of Clearpass? Thank you in advance.

Hello again,

If I give priority  first to mab and then to dot1x at the switch port  this  will cause the profiling of all domain users computers,won't it?  Execpt if  Clearpass will understand that this is a dot1x request and will skip mac authentication service completely. If the latter happens the propably it will reduce time.

Could someone verify this..that the Clearpass will skip mac authentication service? Thanks.
Original Message:
Sent: Jul 05, 2022 08:49 PM
From: Unknown User
Subject: Speed up Clearpass Wired WebAuthentication

If I am understanding correctly, this is a switch timer issue.  You should also prefer MAB before 802.1X but you will need to make sure this doesn't cause a similar belay with your 802.1X Endpoints (it should with a properly configured supplicant).
Original Message:
Sent: Jul 05, 2022 05:36 PM
From: athanasios papakonstantinou
Subject: Speed up Clearpass Wired WebAuthentication

Hello,

Is there any way to speed up the webauthentication?  In the same mac authentication service I perform profiling and web authnetication.

So my first rule states that if a device is not profiled then as an action go to the quarantine vlan and get a DACL to allow DHCP packets to reach the clearpass in order to het profiled. 

The last rule states that if an endpoint is not known then send to cisco switch the redirection.url and the name of redirection ACL.

The problem is that in case we have a guest laptop first it is profiled and then redirected and this takes around 3 minutes. Is there any way to create an exception for the computers not to get profiled? I tried from the switch to reduce the times for example the dot1x timeout and dot1x max-req .

Do you have any idea how to improve the performance of Clearpass? Thank you in advance.

Yes, it could but the switch can also be configured to prefer 802.1X if both 802.1X and MAB occur.  This is why it is very important to test this and one of the reasons why wired Web Auth (also on a port normally doing 802.1X) is challenging in general.
Original Message:
Sent: Jul 06, 2022 02:33 AM
From: athanasios papakonstantinou
Subject: Speed up Clearpass Wired WebAuthentication

Hello again,

If I give priority  first to mab and then to dot1x at the switch port  this  will cause the profiling of all domain users computers,won't it?  Execpt if  Clearpass will understand that this is a dot1x request and will skip mac authentication service completely. If the latter happens the propably it will reduce time.

Could someone verify this..that the Clearpass will skip mac authentication service? Thanks.
Original Message:
Sent: Jul 05, 2022 08:49 PM
From: Unknown User
Subject: Speed up Clearpass Wired WebAuthentication

If I am understanding correctly, this is a switch timer issue.  You should also prefer MAB before 802.1X but you will need to make sure this doesn't cause a similar belay with your 802.1X Endpoints (it should with a properly configured supplicant).
Original Message:
Sent: Jul 05, 2022 05:36 PM
From: athanasios papakonstantinou
Subject: Speed up Clearpass Wired WebAuthentication

Hello,

Is there any way to speed up the webauthentication?  In the same mac authentication service I perform profiling and web authnetication.

So my first rule states that if a device is not profiled then as an action go to the quarantine vlan and get a DACL to allow DHCP packets to reach the clearpass in order to het profiled. 

The last rule states that if an endpoint is not known then send to cisco switch the redirection.url and the name of redirection ACL.

The problem is that in case we have a guest laptop first it is profiled and then redirected and this takes around 3 minutes. Is there any way to create an exception for the computers not to get profiled? I tried from the switch to reduce the times for example the dot1x timeout and dot1x max-req .

Do you have any idea how to improve the performance of Clearpass? Thank you in advance.