UNP and Policy list

RvW
Member
Posts: 2
Joined: 24 Feb 2021 04:15

UNP and Policy list

Post by RvW »

Does anyone have some good information on how to implement a Policy List for a UNP?

I have set up the following Policy List:

policy condition Any source ip Any destination ip Any
policy action Accept
policy action Deny disposition deny
policy rule DenyAll condition Any action Deny no default-list
policy rule AllowAll condition Any action Accept no default-list
policy list QUARANTINE type unp rules DenyAll
qos apply

And defined the following UNP

                                                       Max        Max        Max
Role Name        Vlan  HIC  Policy List Name   Ingress-BW Egress-BW  Default-Depth  Redirect URL
----------------+-----+----+------------------+----------+----------+--------------+-------------
QUARANTINE         20  No   QUARANTINE         -          -          -              -

The UNP is pushed down from ClearPass:

sw01-> show aaa-device all-users

Slot  MAC                User              Addr  IP               Authentication  User Network  Policy List
Port  Address            Name         Vlan Mode  Address          Type   Result   Profile Name  Name
-----+------------------+-------------+----+-----+----------------+------+-------+-------------+------------
1/4   b8:27:eb:48:fe:e1  B827EB48FEE1  20   Brdg  192.168.20.199   MAC    Pass    QUARANTINE    QUARANTINE

Despite the DenyAll rule the device still gets an IP address. I have tried various other conditions and it doesn't look like any is applied. Some show commands, such as show active policy rule, seem to be geared to the Default Policy List only and do not show anything in this case.

If anyone has successfully done this, it would be great to see some examples. Running 6.7.2 R07.
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: UNP and Policy list

Post by silvio »

Is other traffic (besides getting an IP) possible from this client?
Please provide "show configuration snapshot aaa".
You can check matching policy lists with "show active policy list".
Even though the DHCP discover has an IP address (so your rule should match), it would be good to use a specific rule with UDP destination port 67.
Also you can try to change your condition to only "destination ip any".
RvW
Member
Posts: 2
Joined: 24 Feb 2021 04:15

Re: UNP and Policy list

Post by RvW »

It seems that with the DenyAll rule as per the previous communication it still gets an IP address, but any communications, other than ARP, after that are blocked. Even if I add a DHCP rule in, as per the below, it still gets an IP address (assuming the use of 'precedence' in a rule is correct, as show commands don't seem to take the 'precedence' into account and list rules alphabetically).

sw01-> show configuration snapshot aaa
! AAA :
aaa radius-server "ClearPass01-Radius" host 192.168.10.14 ....
aaa radius-server "ClearPass02-Radius" host 192.168.10.24 ....
aaa tacacs+-server "ClearPass01-Tacacs+" host 192.168.10.14 ....
aaa tacacs+-server "ClearPass02-Tacacs+" host 192.168.10.24 ....
aaa authentication http "local"
aaa authentication snmp "local"
aaa authentication ssh "ClearPass01-Tacacs+" "ClearPass02-Tacacs+" "local"
aaa accounting session "ClearPass01-Tacacs+" "ClearPass02-Tacacs+"
aaa accounting command "ClearPass01-Tacacs+" "ClearPass02-Tacacs+"
aaa authentication 802.1x "ClearPass01-Radius" "ClearPass02-Radius"
aaa authentication mac "ClearPass01-Radius" "ClearPass02-Radius"
aaa accounting 802.1x "ClearPass01-Radius" "ClearPass02-Radius"
aaa accounting mac "ClearPass01-Radius" "ClearPass02-Radius"
user password-size min 9
user password-policy min-uppercase 1
user password-policy min-lowercase 1
user password-policy min-digit 1
user password-policy min-nonalpha 1
aaa redirect "GuestRegistration" url "https://captiveporal.ljdr.net/guest/ale ... gister.php"
aaa user-network-profile name "Guest" vlan 100 hic disable
aaa user-network-profile name "GuestLogon" vlan 100 redirect "GuestRegistration"
aaa user-network-profile name "IoT" vlan 90 hic disable
aaa user-network-profile name "LabAccessPoint" vlan 210 hic disable
aaa user-network-profile name "LabGuest" vlan 250 hic disable
aaa user-network-profile name "LabInstantAccessPoint" vlan 215 hic disable
aaa user-network-profile name "LabIoT" vlan 245 hic disable
aaa user-network-profile name "LabRemoteAccessPoint" vlan 215 hic disable
aaa user-network-profile name "LabWirelessUser" vlan 230 hic disable
aaa user-network-profile name "Printer" vlan 60 hic disable
aaa user-network-profile name "QUARANTINE" vlan 20 hic disable policy-list-name "QUARANTINE"
aaa user-network-profile name "Server" vlan 10 hic disable
aaa user-network-profile name "ServerHost" vlan 1 hic disable
aaa user-network-profile name "User" vlan 50 hic disable
aaa user-network-profile name "UserPriv" vlan 50 hic disable
aaa user-network-profile name "defaultWLANprofile" vlan 215 hic disable
aaa redirect-server "cppm" ip-address 192.168.100.34 url-list "GuestRegistration"
! PARTM :
! 802.1x :
802.1x 1/4 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 reauthentication
802.1x 1/4 trust-radius disable
802.1x 1/4 ap-mode disable
802.1x 1/4 supplicant bypass enable
802.1x 1/4 non-supplicant allow-eap fail
802.1x 1/4 non-supplicant session-timeout enable interval 43200 trust-radius enable
802.1x 1/4 force-l3-learning disable port-bounce enable
802.1x 1/4 captive-portal session-limit 12 retry-count 3
802.1x 1/4 supp-polling retry 2
802.1x 1/4 captive-portal inactivity-logout disable
802.1x 1/4 non-supplicant inactivity-logout disable
802.1x 1/4 supplicant policy authentication pass default-vlan fail user-network-profile "GuestLogon" block
802.1x 1/4 non-supplicant policy authentication pass default-vlan fail block
802.1x 1/4 captive-portal policy authentication pass default-vlan fail block
802.1x 1/8 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/8 trust-radius disable
802.1x 1/8 ap-mode disable
802.1x 1/8 supplicant bypass enable
802.1x 1/8 non-supplicant allow-eap fail
802.1x 1/8 non-supplicant session-timeout disable interval 43200 trust-radius disable
802.1x 1/8 force-l3-learning disable port-bounce enable
802.1x 1/8 captive-portal session-limit 12 retry-count 3
802.1x 1/8 supp-polling retry 2
802.1x 1/8 captive-portal inactivity-logout disable
802.1x 1/8 supplicant policy authentication pass default-vlan fail user-network-profile "GuestLogon" block
802.1x 1/8 non-supplicant policy authentication pass default-vlan fail block
802.1x 1/8 captive-portal policy authentication pass default-vlan fail block
sw01-> show configuration snapshot qos
! QOS :
policy service DHCP destination udp port 67
policy service DNS destination udp port 53
policy service HTTP destination tcp port 80
policy service HTTPS destination tcp port 443
policy service group "HTTP(S)" HTTP HTTPS
policy network group ClearPass 192.168.100.14 192.168.100.24 192.168.100.34
policy vlan group HomeVLANs 1 10 20 30 40
policy vlan group HomeVLANs 50 60 90
policy vlan group LabUserVLANs 220 230 240 245 250
policy vlan group LabUserVLANs 255
policy vlan group LabVLANs 200 210 215 220 225
policy vlan group LabVLANs 230 235 240 245 250
policy vlan group LabVLANs 255
policy condition Any source ip Any destination ip Any
policy condition ClearPassCaptivePortal destination network group ClearPass service group "HTTP(S)"
policy condition DHCP service DHCP
policy condition DNS service DNS
policy condition LabUserVLANs source vlan group LabUserVLANs
policy action Accept
policy action Deny disposition deny
policy rule AllowDHCP precedence 300 condition DHCP action Accept no default-list
policy rule DenyDHCP precedence 300 condition DHCP action Deny no default-list
policy rule AllowDNS precedence 200 condition DNS action Accept no default-list
policy rule BlockLabUserVLANs precedence 150 condition LabUserVLANs action Deny no default-list
policy rule AllowCaptivePortal precedence 100 condition ClearPassCaptivePortal action Accept no default-list
policy rule DenyAll condition Any action Deny no default-list
policy rule AllowAll condition Any action Accept no default-list
policy list LabRemoteAccessPoint type unp rules BlockLabUserVLANs
policy list QUARANTINE type unp rules DenyAll DenyDHCP
qos apply
sw01-> show active policy list
Group Name             From  Type  Enabled  Entries            Matches
----------------------+-----+-----+--------+------------------+--------
LabRemoteAccessPoint   cli   unp   Yes      BlockLabUserVLANs  0
QUARANTINE             cli   unp   Yes      DenyAll            884
                                            DenyDHCP           8
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: UNP and Policy list

Post by silvio »

With your config (which is correct, with no default-list), only the traffic from the clients associated with the UNP QUARANTINE (checked with show aaa-device all-users) should use the rules DenyAll and DenyDHCP (independent of the precedence). So you can use very simple and very common conditions like "destination ip any" or "source vlan 20" to cover all traffic.
So there has to be a way to forbid DHCP too. Also you can add the keyword "log" to your rule, so you can check the matched packets with "show qos log".
best regards
Silvio
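As an added illustration (not code from this thread, from Alcatel-Lucent, or from the switch itself), here is a small Python audit that parses the "policy ..." lines from a qos configuration snapshot like the one quoted above, resolves each UNP policy list to its rules, and flags the points raised in the replies: a rule missing "no default-list" (so it also hits traffic outside the UNP), a rule without the "log" keyword (so "show qos log" will not show its matches), a rule or condition referenced but not defined, and a list with no accept rule at all (so DHCP is denied along with everything else). The sample input is a constructed subset of the posted snapshot, and the evaluation order assumes that a rule with a higher precedence value is evaluated before one with a lower value.

```python
import re

# Constructed sample input: the policy lines from the "show configuration snapshot qos"
# output quoted in the thread, trimmed to the definitions this audit needs.
SNAPSHOT = """\
policy service DHCP destination udp port 67
policy service DNS destination udp port 53
policy condition Any source ip Any destination ip Any
policy condition DHCP service DHCP
policy condition DNS service DNS
policy action Accept
policy action Deny disposition deny
policy rule AllowDHCP precedence 300 condition DHCP action Accept no default-list
policy rule DenyDHCP precedence 300 condition DHCP action Deny no default-list
policy rule AllowDNS precedence 200 condition DNS action Accept no default-list
policy rule DenyAll condition Any action Deny no default-list
policy rule AllowAll condition Any action Accept no default-list
policy list LabRemoteAccessPoint type unp rules BlockLabUserVLANs
policy list QUARANTINE type unp rules DenyAll DenyDHCP
"""

# "<name> [precedence N] condition <cond> action <act> [log] [no default-list]"
RULE_RE = re.compile(r"(?:precedence (\d+) )?condition (\S+) action (\S+)(.*)")


def parse_snapshot(text):
    """Parse 'policy ...' lines into conditions, actions, rules and lists.
    Group definitions (network/vlan/service groups) are skipped."""
    cfg = {"condition": {}, "action": {}, "rule": {}, "list": {}}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "policy" or parts[2] == "group":
            continue
        kind, name, rest = parts[1], parts[2], parts[3:]
        if kind == "condition":
            cfg["condition"][name] = " ".join(rest)
        elif kind == "action":
            # 'policy action X disposition deny' drops traffic; anything else forwards it
            cfg["action"][name] = "deny" if "deny" in rest else "accept"
        elif kind == "rule":
            m = RULE_RE.match(" ".join(rest))
            if not m:
                continue
            extras = m.group(4)
            cfg["rule"][name] = {
                "precedence": int(m.group(1) or 0),  # rules without the keyword get 0
                "condition": m.group(2),
                "action": m.group(3),
                "in_default_list": "no default-list" not in extras,
                "log": "log" in extras.split(),
            }
        elif kind == "list" and "rules" in rest:
            cfg["list"][name] = {
                "type": rest[rest.index("type") + 1] if "type" in rest else "?",
                "rules": rest[rest.index("rules") + 1:],
            }
    return cfg


def audit_list(cfg, list_name):
    """Return (evaluation order, findings) for one UNP policy list.
    Assumption: rules with a higher precedence value are evaluated first."""
    findings = []
    plist = cfg["list"].get(list_name)
    if plist is None:
        return [], [f"list {list_name} is not defined"]
    ordered = []
    for rname in plist["rules"]:
        rule = cfg["rule"].get(rname)
        if rule is None:
            findings.append(f"rule {rname} is referenced by the list but not defined")
            continue
        if rule["condition"] not in cfg["condition"]:
            findings.append(f"rule {rname}: condition {rule['condition']} is not defined")
        if rule["action"] not in cfg["action"]:
            findings.append(f"rule {rname}: action {rule['action']} is not defined")
        if rule["in_default_list"]:
            findings.append(f"rule {rname} lacks 'no default-list', so it also applies outside the UNP")
        if not rule["log"]:
            findings.append(f"rule {rname} has no 'log' keyword; its matches will not show in 'show qos log'")
        ordered.append((rname, rule))
    # stable sort keeps the list's own order for rules with equal precedence
    ordered.sort(key=lambda item: item[1]["precedence"], reverse=True)
    if ordered and not any(cfg["action"].get(r["action"]) == "accept" for _, r in ordered):
        findings.append("no accept rule in the list: every flow that matches a condition is denied, DHCP included")
    return [name for name, _ in ordered], findings


if __name__ == "__main__":
    config = parse_snapshot(SNAPSHOT)
    for name in config["list"]:
        order, notes = audit_list(config, name)
        print(f"{name}: rules evaluated in order {order}")
        for note in notes:
            print("  -", note)
```

Run against the posted snapshot, the QUARANTINE list comes back with DenyDHCP ahead of DenyAll and a finding that the list contains no accept rule, which is the expected state for a quarantine profile; the LabRemoteAccessPoint list is reported as referencing a rule that the sample does not define, because the BlockLabUserVLANs rule was left out of the constructed input.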