Wired Mac Authentication Time Based using Clearpass

jainmanish94
Member
Posts: 6
Joined: 20 Sep 2023 21:48

Wired Mac Authentication Time Based using Clearpass

Post by jainmanish94 »

Hello Team,

I have created a wired MAC authentication time/day-based setup; I am also attaching the documents.

It is working fine without any issue.

But my concern is that after the time ends, the user can still access the cable and can access all the internal sites. By policy it should not work after the time ends.

But one more thing: if I unplug the cable and plug it in again, the policy works fine, but this process does not happen automatically, meaning there is no kind of port bounce when the time has been exceeded.

Can you please help me with what I need to change in my ClearPass policy or on the switch end?
silvio
Alcatel Unleashed Certified Guru
Posts: 1897
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Wired Mac Authentication Time Based using Clearpass

Post by silvio »

The policy has to be written in the switch (via a policy-list bound to the unp-profile).
Please post "show unp user" and "show unp user detail" for one user during the allowed time and after the time.
Also post the output from "show configuration snapshot aaa da-unp qos".
BR Silvio
jainmanish94
Member
Posts: 6
Joined: 20 Sep 2023 21:48

Re: Wired Mac Authentication Time Based using Clearpass

Post by jainmanish94 »

Can you please help me to complete my task? How do I write the policy list, and what do I need to write?

Please find the documents with all the command outputs.
Last edited by jainmanish94 on 25 Jan 2024 02:38, edited 1 time in total.
jainmanish94
Member
Posts: 6
Joined: 20 Sep 2023 21:48

Re: Wired Mac Authentication Time Based using Clearpass

Post by jainmanish94 »

One more thing:

!QOS:

There is nothing below it.
silvio
Alcatel Unleashed Certified Guru
Posts: 1897
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Wired Mac Authentication Time Based using Clearpass

Post by silvio »

Make sure that your switch uses the current release; then CoA and DM should work automatically with the port-bounce.
At your switch you can check the receipt of the CoA/DM with "show aaa server statistics".
In the network configuration guide you will find a config for CPPM; please check it too.
During the allowed time CPPM should send the filter-id "UNP-Data". I think this is fine on your side now.
At your unp ports (or better, with a unp template associated with the unp ports) you should configure "default profile UNP-Quarantine".
If you change the unp profile, and with UNP-Data everything is allowed and with Quarantine nothing is allowed, then you don't need any additional policies in the switch.
There is another way: configure the allowed time directly within the switch. Then you need policies and policy-lists.
With CPPM you should check that CoA or DM works. With this the bouncing of the ports should work (it is similar to unplugging the port).
jainmanish94
Member
Posts: 6
Joined: 20 Sep 2023 21:48

Re: Wired Mac Authentication Time Based using Clearpass

Post by jainmanish94 »

Sir, I am not understanding anything about how to achieve this.
silvio
Alcatel Unleashed Certified Guru
Posts: 1897
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Wired Mac Authentication Time Based using Clearpass

Post by silvio »

The CPPM sends a Change of Authorization (CoA) if there are some changes at the CPPM, e.g. after a specific time the filter-id (= unp-profile) is changed.
And it sends Disconnect Messages (DM) if the client isn't authorized anymore. With the redirect port-bounce, a unp-port (with a MAC-auth client) does a short port-down/up, so that the switch tries a reauthentication for this client. For more information look into the network config guide for the switches (search e.g. for "coa").
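
Added example (not part of the original posts, and not ClearPass or OmniSwitch code): a decoder for the RFC 5176 CoA-Request / Disconnect-Request packets described above that also verifies the Request Authenticator, the field that fails when the shared secret on the RADIUS server and the switch differ. The shared secret, MAC address and packet are constructed sample values; the Filter-Id value reuses a profile name mentioned in the thread.

```python
import hashlib
import hmac
import struct

# RFC 5176 request codes and a small subset of RFC 2865 attribute types
CODES = {40: "Disconnect-Request", 43: "CoA-Request"}
ATTRS = {11: "Filter-Id", 31: "Calling-Station-Id"}


def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_request(code, ident, pairs, secret):
    """Assemble a constructed sample request to feed the parser."""
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)
    auth = request_authenticator(code, ident, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def parse_request(packet, secret):
    """Decode a CoA/Disconnect-Request and verify its authenticator."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed CoA/Disconnect-Request")
    auth, attrs, decoded, pos = packet[4:20], packet[20:length], {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        decoded[ATTRS.get(a_type, str(a_type))] = attrs[pos + 2:pos + a_len].decode("ascii", "replace")
        pos += a_len
    valid = hmac.compare_digest(auth, request_authenticator(code, ident, attrs, secret))
    return {"type": CODES[code], "id": ident, "attributes": decoded, "authenticator_valid": valid}


# Constructed sample values, not taken from the thread's attachments
SECRET = b"constructed-shared-secret"
SAMPLE = build_request(43, 7, [(31, b"00-11-22-33-44-55"), (11, b"UNP-Quarantine")], SECRET)

if __name__ == "__main__":
    print(parse_request(SAMPLE, SECRET))            # authenticator_valid: True
    print(parse_request(SAMPLE, b"wrong-secret"))   # authenticator_valid: False
```

Run against the UDP payload of a captured CoA or DM packet, a result of `authenticator_valid: False` points to a shared-secret mismatch rather than a policy problem.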
jainmanish94
Member
Posts: 6
Joined: 20 Sep 2023 21:48

Re: Wired Mac Authentication Time Based using Clearpass

Post by jainmanish94 »

From my setup and command output, where am I wrong and what do I need to correct? Any idea?

Because only one thing is left, which is automatically bouncing the port, and that is not happening.
silvio
Alcatel Unleashed Certified Guru
Posts: 1897
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Wired Mac Authentication Time Based using Clearpass

Post by silvio »

Do you see CoA or DM at "show aaa server statistics"?
Current image on the switch?
jainmanish94
Member
Posts: 6
Joined: 20 Sep 2023 21:48

Re: Wired Mac Authentication Time Based using Clearpass

Post by jainmanish94 »

Please see the CoA and DM result after connecting the cable.

The image is 8.7.98.R03 GA.