Using 802.1x with UNP

jaygro
Member
Posts: 10
Joined: 15 Nov 2021 07:24

Re: Using 802.1x with UNP

Post by jaygro »

OK, so there's a lockdown, so I thought I'd try to prepare remotely anyway - but it kind of told me that my suspicions were right.


test-6850E -> unp port 1/19
ERROR: UNP cannot be enabled on mobile Port 1/19
So it seems like my options on this platform boil down to

1. MAC-based UNP
2. 802.1x, but only one user per switch port
3. "Dumb internet" vlan and restrict access to internal network using always on VPN
I'm only used to Cisco yet here I am :-)
yasirsattar06
Member
Posts: 26
Joined: 03 Jun 2016 15:04

Re: Using 802.1x with UNP

Post by yasirsattar06 »

Hi,

I am working on a setup where I have 6560 switches and a ClearPass RADIUS server.

The requirement is: if any external user connects to the switch who is non-domain-joined and not authenticated, the user should get the Limited role, where we have configured limited access using the QoS Allowed and Blocked network groups. But users are getting a full-access VLAN IP from the default profile that is configured in the unp-port template. A UNP configuration snapshot is attached.

Currently we have configured 2 roles in QoS, i.e. Full and Limited.
When we connect any external user (non-domain-joined and not authenticated) to the switch, ClearPass pushes the Limited role; the Limited role is configured in ClearPass as a Filter-Id. The user should get the Limited role, where we have configured limited access using the QoS Allowed and Blocked network groups. When ClearPass changes the role of the user to Limited, the switch is not changing the role. In the Limited role we have restricted some IP addresses. Because the switch does not change the role, all external users end up getting full access to the network.

In the ClearPass Access Tracker, this user is getting rejected because the user is not domain-joined and is not authenticated by an authentication source. ClearPass is also pushing the "Limited" Filter-Id, which is configured as a policy list in QoS.


Here is the QoS configuration for your kind review.

Please check and help in fixing the issue. The QoS config is shown below and the UNP config snapshot is attached.

-----------------------------------------------------
! QOS:
policy service DHCP destination udp-port 67-68
policy service DNS destination udp-port 53
policy service HTTP destination tcp-port 80
policy service HTTPS destination tcp-port 443
policy service group Basic DHCP DNS HTTP HTTPS
policy network group Allowed 12.0.0.5 192.168.100.120 192.168.100.121 192.168.100.122 192.168.112.4
policy network group Allowed 192.168.112.6 192.168.112.57 192.168.112.58 192.168.112.59
policy network group Blocked 192.168.112.9 192.168.112.10 192.168.112.11 192.168.112.12 192.168.112.13
policy network group Blocked 192.168.112.15 192.168.112.16 192.168.112.17 192.168.112.21 192.168.112.30
policy network group Blocked 192.168.112.36 192.168.112.39 192.168.112.42
policy condition Full source ip Any destination ip Any
policy condition Limited destination network group Allowed service group Basic
policy condition Limited_Deny destination network group Blocked
policy action Full
policy action Limited
policy action Limited_Deny disposition deny
policy rule Full precedence 500 condition Full action Full
policy rule Limited precedence 400 condition Limited action Limited
policy rule Limited_Deny precedence 200 condition Limited_Deny action Limited_Deny
policy list Full type unp
policy list Full rules Full
policy list Limited type unp
policy list Limited rules Limited Limited_Deny
qos apply
--------------------------------------------------------------
UNP Config.jpg
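The post above describes two separate decisions: which policy list the switch applies after the RADIUS exchange, and what each list does with a given flow. The following simulator is an added example (not code from the post, from Alcatel-Lucent, or from Aruba ClearPass) that models both using the Allowed/Blocked groups, Basic service group and rule precedences exactly as posted. It assumes, and labels as assumptions, that rules in a list are tried from highest to lowest precedence, that a flow matching no rule in a list is accepted, and that a Filter-Id is honoured only from an Access-Accept naming an existing policy list; the sample flows and the hardened list variant are constructed for the example.

```python
"""Simulate the posted OmniSwitch QoS policy lists and the RADIUS role decision.

Added example, not from the forum post or from Alcatel-Lucent. Assumptions
(not stated on the page): rules are tried from highest to lowest precedence,
a flow that matches no rule in a list is accepted, and a Filter-Id is only
honoured from an Access-Accept that names an existing policy list.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Network and service groups copied from the posted "policy network group" and
# "policy service" lines.
ALLOWED = {
    "12.0.0.5", "192.168.100.120", "192.168.100.121", "192.168.100.122",
    "192.168.112.4", "192.168.112.6", "192.168.112.57", "192.168.112.58",
    "192.168.112.59",
}
BLOCKED = {
    "192.168.112.9", "192.168.112.10", "192.168.112.11", "192.168.112.12",
    "192.168.112.13", "192.168.112.15", "192.168.112.16", "192.168.112.17",
    "192.168.112.21", "192.168.112.30", "192.168.112.36", "192.168.112.39",
    "192.168.112.42",
}
BASIC = {("udp", 67), ("udp", 68), ("udp", 53), ("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


Rule = Tuple[int, Callable[[Flow], bool], str]   # (precedence, condition, disposition)

# The three posted "policy rule" lines. The Full and Limited actions carry no
# disposition, so they accept; Limited_Deny is "disposition deny".
RULES: Dict[str, Rule] = {
    "Full":         (500, lambda f: True, "accept"),
    "Limited":      (400, lambda f: f.dst_ip in ALLOWED and (f.proto, f.dst_port) in BASIC, "accept"),
    "Limited_Deny": (200, lambda f: f.dst_ip in BLOCKED, "deny"),
}
POLICY_LISTS: Dict[str, List[str]] = {
    "Full": ["Full"],
    "Limited": ["Limited", "Limited_Deny"],
}
DEFAULT_DISPOSITION = "accept"   # assumption: unmatched traffic is accepted


def evaluate(policy_list: str, flow: Flow,
             rules: Dict[str, Rule] = RULES,
             lists: Dict[str, List[str]] = POLICY_LISTS) -> Tuple[str, Optional[str]]:
    """Return (disposition, name of the matching rule or None) for flow under policy_list."""
    ordered = sorted(lists[policy_list], key=lambda name: -rules[name][0])
    for name in ordered:
        _, cond, disposition = rules[name]
        if cond(flow):
            return disposition, name
    return DEFAULT_DISPOSITION, None


def default_accepted(policy_list: str, flows: List[Flow]) -> List[Flow]:
    """Flows the list lets through without any rule matching them (the policy gap)."""
    return [f for f in flows if evaluate(policy_list, f) == (DEFAULT_DISPOSITION, None)]


def applied_policy_list(radius_code: str, filter_id: Optional[str],
                        template_default: str) -> str:
    """Which list the switch ends up applying. Filter-Id is defined for
    Access-Accept (RFC 2865); on an Access-Reject the UNP port template
    default wins (assumed AOS behaviour, consistent with the post)."""
    if radius_code == "Access-Accept" and filter_id in POLICY_LISTS:
        return filter_id
    return template_default


# Hardened variant (constructed): same rules plus a lowest-precedence catch-all
# deny, so a destination in neither group is dropped instead of accepted.
HARDENED_RULES = dict(RULES, Limited_Deny_All=(100, lambda f: True, "deny"))
HARDENED_LISTS = dict(POLICY_LISTS, Limited=["Limited", "Limited_Deny", "Limited_Deny_All"])

# Constructed sample flows, not taken from the post.
SAMPLE_FLOWS = [
    Flow("192.168.112.4", "udp", 53),      # DNS to an Allowed host
    Flow("192.168.112.9", "tcp", 22),      # SSH to a Blocked host
    Flow("192.168.112.100", "tcp", 22),    # SSH to a host in neither group
    Flow("8.8.8.8", "tcp", 443),           # HTTPS to the internet
]

if __name__ == "__main__":
    print("list applied on Access-Reject:", applied_policy_list("Access-Reject", "Limited", "Full"))
    for f in SAMPLE_FLOWS:
        print(f, "Limited ->", evaluate("Limited", f),
              "hardened ->", evaluate("Limited", f, HARDENED_RULES, HARDENED_LISTS))
```

Two things the simulator makes visible. First, a Filter-Id sent alongside an Access-Reject is not a role assignment: the switch has been told to reject the session, so whatever the UNP port template does for a failed authentication (here, the full-access default profile) is what the client gets; the Limited list can only be applied if ClearPass returns it in an Access-Accept. Second, as posted, the Limited list only denies destinations in the Blocked group and only explicitly accepts Basic services to the Allowed group; under the assumed default-accept behaviour any destination in neither group (the simulator's 192.168.112.100 and 8.8.8.8 flows) passes untouched. The hardened variant mirrors what a closing rule in the list would do; in the syntax the post already uses, that would be an any/any condition with a `disposition deny` action added to the Limited list at a precedence below 200, which is a suggestion to verify on the switch rather than a tested configuration.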
jaygro
Member
Posts: 10
Joined: 15 Nov 2021 07:24

Re: Using 802.1x with UNP

Post by jaygro »

yasirsattar06 wrote: 15 Dec 2021 17:37 Hi,
Hello, you posted in a thread about a different problem on a different platform. Please try making a new thread in the appropriate place.