Wired Mac Authentication Time Based using Clearpass
-
- Member
- Posts: 6
- Joined: 20 Sep 2023 21:48
Wired Mac Authentication Time Based using Clearpass
Hello Team,
I have created one wired MAC authentication time/day based setup; I am also attaching the documents.
It is working fine without any issue.
But my concern is that after the time ends, the user can still access the cable and all the internal sites. By policy it should not work after the time ends.
One more thing: if I unplug the cable and plug it in again, the policy works fine, but this process is not happening automatically, meaning there is no kind of port bounce when it goes beyond the time.
Can you please help me with what I need to change in my ClearPass policy or on the switch end?
Re: Wired Mac Authentication Time Based using Clearpass
The policy has to be written in the switch (via a policy-list bound to the UNP profile).
Please post "show unp user" and "show unp user detail" for one user during the allowed time and after the time.
Also post the output from "show configuration snapshot aaa da-unp qos".
BR Silvio
-
- Member
- Posts: 6
- Joined: 20 Sep 2023 21:48
Re: Wired Mac Authentication Time Based using Clearpass
Can you please help me to complete my task: how to write the policy list and what I need to write.
Please find the documents with all the command output.
Last edited by jainmanish94 on 25 Jan 2024 02:38, edited 1 time in total.
-
- Member
- Posts: 6
- Joined: 20 Sep 2023 21:48
Re: Wired Mac Authentication Time Based using Clearpass
One more thing:
!QOS:
There is nothing below.
Re: Wired Mac Authentication Time Based using Clearpass
Make sure that your switch uses the current release; then CoA and DM should work automatically with the port bounce.
At your switch you can check receipt of the CoA/DM with "show aaa server statistics".
In the network configuration guide you will find a config for CPPM; please check it too.
CPPM should send the filter-id "UNP-Data" during the allowed time. I think this is fine for you now.
At your UNP ports (or better, with a UNP template associated with the UNP ports) you should configure "default profile UNP-Quarantine".
If you change the UNP profile, and with UNP-Data all is allowed and with Quarantine nothing is allowed, then you don't need any additional policies in the switch.
There is another way to configure the allowed time directly within the switch. Then you need policies and policy-lists.
With CPPM you should check that CoA or DM works. With this the bouncing of the ports should work (it is similar to unplugging the port).
-
- Member
- Posts: 6
- Joined: 20 Sep 2023 21:48
Re: Wired Mac Authentication Time Based using Clearpass
Sir, I am not understanding anything about how to achieve this.
Re: Wired Mac Authentication Time Based using Clearpass
The CPPM sends a Change of Authorization (CoA) if there are some changes at the CPPM, e.g. after a specific time the filter-id (= UNP profile) is changed.
And it sends Disconnect Messages (DM) if the client isn't authorized anymore. With the redirect port-bounce, a UNP port (with a MAC-auth client) does a short port down/up, so that the switch tries a reauthentication for this client. For more information look into the network configuration guide for the switches (search e.g. for "coa").
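To make the CoA/DM mechanism described above concrete, here is an added example (not code from this thread, from ClearPass or from the OmniSwitch software) that builds and verifies the two RFC 5176 messages the switch would receive: a CoA-Request carrying Filter-Id "UNP-Data" for the allowed window, and a Disconnect-Request once the window closes. The shared secret, MAC address and session id are constructed placeholder values; the code only encodes and checks packets in memory and sends nothing on the network, which is useful when you want to understand why "show aaa server statistics" does or does not count a received CoA/DM (a wrong shared secret makes the Request Authenticator fail, and the switch silently drops the packet).

```python
import hashlib
import hmac
import struct

# RADIUS packet codes defined by RFC 5176 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42
COA_REQUEST = 43
COA_ACK = 44
COA_NAK = 45

# Standard attribute types (RFC 2865 / RFC 2866) used to identify the session
ATTR_FILTER_ID = 11
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = bytearray()
    for atype, value in attrs:
        if isinstance(value, str):
            value = value.encode()
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def decode_attrs(data):
    """Parse the attribute area back into (type, bytes) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_request(code, identifier, attrs, secret):
    """CoA-Request / Disconnect-Request.  RFC 5176 Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """What the switch (the dynamic-authorization server) checks before acting on a request."""
    if len(packet) < 20:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def build_response(code, request, attrs, secret):
    """ACK/NAK.  Response Authenticator = MD5(Code + Identifier + Length +
    RequestAuthenticator + Attributes + Secret); the Identifier echoes the request."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """What CPPM checks on the switch's ACK/NAK: matching Identifier and valid authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def demo():
    """Constructed example values; the Filter-Id "UNP-Data" is the profile named in the thread."""
    secret = b"constructed-shared-secret"
    session = [(ATTR_CALLING_STATION_ID, "00-11-22-33-44-55"),   # constructed client MAC
               (ATTR_ACCT_SESSION_ID, "constructed-session-1")]   # constructed session id
    # During the allowed window CPPM pushes the data profile with a CoA-Request.
    coa = build_request(COA_REQUEST, 1, session + [(ATTR_FILTER_ID, "UNP-Data")], secret)
    # When the window closes it tears the session down with a Disconnect-Request,
    # which triggers the port bounce and a fresh MAC authentication on the switch.
    dm = build_request(DISCONNECT_REQUEST, 2, session, secret)
    return coa, dm


if __name__ == "__main__":
    coa, dm = demo()
    print("CoA-Request:", coa.hex())
    print("Disconnect-Request:", dm.hex())
```

The two verify functions use a constant-time comparison, and verify_request rejects a packet whose Length field disagrees with the bytes actually received, which is the same reason a real switch drops a truncated or mis-keyed CoA without ever counting it as received.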
-
- Member
- Posts: 6
- Joined: 20 Sep 2023 21:48
Re: Wired Mac Authentication Time Based using Clearpass
From my setup and command output, where am I wrong and what do I need to correct? Any idea?
Because only one thing is left, which is automatically bouncing the port, and this is not happening.
Re: Wired Mac Authentication Time Based using Clearpass
Do you see CoA or DM at "show aaa server statistics"?
Current image on the switch?
-
- Member
- Posts: 6
- Joined: 20 Sep 2023 21:48
Re: Wired Mac Authentication Time Based using Clearpass
Please see the CoA and DM result after connecting the cable.
The image is 8.7.98.R03 GA.