Urgent - Using 802.1x with UNP and QOS


Post by yasirsattar06 »

Hi,

I am working on a setup where I have 6560 switches and a ClearPass RADIUS server.

The requirement is: if any external user connects to the switch who is non-domain-joined and not authenticated, the user should get the Limited role, where we have configured limited access using the QoS Allowed or Blocked network groups. But users are getting a full-access VLAN IP from the default profile that is configured in the UNP port template. The UNP configuration snapshot is attached.

Currently we have configured 2 roles in QoS, i.e. Full and Limited.
When we connect any external user (who is non-domain-joined and not authenticated) to the switch, ClearPass is pushing the Limited role; the Limited role is configured in ClearPass as a filter-id. The user should get the Limited role, where we have configured limited access using the QoS Allowed or Blocked network groups. When ClearPass changes the role of the user to Limited, the switch is not changing the role. In the Limited role, we have restricted some IP addresses. Because the switch does not change the role, all external users are getting full access to the network.

In the ClearPass Access Tracker, this user is getting rejected because that user is not domain-joined and not authenticated by an authentication source. ClearPass is also pushing the "Limited" filter-id, which is configured as a policy list in QoS.


Here is the QoS configuration attached for your kind review...

Please check and help in fixing the issue. The QoS and UNP configs are shown below.

-----------------------------------------------------
unp profile "voip-temp"
unp profile "users-temp"
unp profile "users-temp1"
unp profile "Quarantine VLAN"
unp profile "voip-temp" map vlan 12
unp profile "users-temp" map vlan 212
unp profile "users-temp1" map vlan 112
unp profile "Quarantine VLAN" map vlan 56
unp port-template Port-CP redirect-port-bounce direction both default-profile "users-temp" classification trust-tag ap-mode admin-state enable
unp port-template Port-CP 802.1x-authentication
unp port-template Port-CP 802.1x-authentication tx-period 60 supp-timeout 10
unp port-template Port-CP mac-authentication
unp port-template Port-Mobile redirect-port-bounce direction both default-profile "users-temp1" classification trust-tag ap-mode admin-state enable
unp port-template Port-Mobile 802.1x-authentication
unp port-template Port-Mobile 802.1x-authentication tx-period 60 supp-timeout 10
unp port-template Port-Mobile mac-authentication
unp port-template Port-Mobile force-l3-learning port-bounce
unp port 1/1/4 port-type bridge
unp port 1/1/4 port-template Port-CP

unp classification mac-range 10:cd:ae:00:00:00 10:cd:ae:ff:ff:ff profile2 "voip-temp"
-----------------------------------------------------
! QOS:
policy service DHCP destination udp-port 67-68
policy service DNS destination udp-port 53
policy service HTTP destination tcp-port 80
policy service HTTPS destination tcp-port 443
policy service group Basic DHCP DNS HTTP HTTPS
policy network group Allowed 12.0.0.5 192.168.100.120 192.168.100.121 192.168.100.122 192.168.112.4
policy network group Allowed 192.168.112.6 192.168.112.57 192.168.112.58 192.168.112.59
policy network group Blocked 192.168.112.9 192.168.112.10 192.168.112.11 192.168.112.12 192.168.112.13
policy network group Blocked 192.168.112.15 192.168.112.16 192.168.112.17 192.168.112.21 192.168.112.30
policy network group Blocked 192.168.112.36 192.168.112.39 192.168.112.42
policy condition Full source ip Any destination ip Any
policy condition Limited destination network group Allowed service group Basic
policy condition Limited_Deny destination network group Blocked
policy action Full
policy action Limited
policy action Limited_Deny disposition deny
policy rule Full precedence 500 condition Full action Full
policy rule Limited precedence 400 condition Limited action Limited
policy rule Limited_Deny precedence 200 condition Limited_Deny action Limited_Deny
policy list Full type unp
policy list Full rules Full
policy list Limited type unp
policy list Limited rules Limited Limited_Deny
qos apply
--------------------------------------------------------------
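The posted policy lists are small enough to reason about by hand, but it is easy to miss which destinations a role actually decides and which ones fall through to the switch's default disposition. The following script is an added example (not from the post and not Alcatel-Lucent code): it loads the same network groups, service group, conditions, rules and policy lists and answers "what happens to this packet under role X?", and it lists the packets no rule in a list decides. Two things are assumptions rather than facts from the page: rules are tried from highest to lowest precedence with the first match winning, and a packet matching no rule takes a default disposition that is configurable here (AOS ships with accept as the default). The sample packets at the bottom are constructed for illustration.

```python
"""Offline evaluator for the QoS policy lists quoted in the post.

Added example, not code from the post or from Alcatel-Lucent. Assumed
(not stated on the page): rules are evaluated from highest to lowest
precedence, first match wins; a packet that matches no rule gets the
default disposition passed to evaluate() (AOS default is accept).
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, List, Optional, Tuple

# --- policy network groups, copied from the posted config ---
ALLOWED = {ip_address(a) for a in (
    "12.0.0.5", "192.168.100.120", "192.168.100.121", "192.168.100.122",
    "192.168.112.4", "192.168.112.6", "192.168.112.57", "192.168.112.58",
    "192.168.112.59")}
BLOCKED = {ip_address(a) for a in (
    "192.168.112.9", "192.168.112.10", "192.168.112.11", "192.168.112.12",
    "192.168.112.13", "192.168.112.15", "192.168.112.16", "192.168.112.17",
    "192.168.112.21", "192.168.112.30", "192.168.112.36", "192.168.112.39",
    "192.168.112.42")}

# --- policy service group Basic: (protocol, low port, high port) ---
BASIC = [("udp", 67, 68), ("udp", 53, 53), ("tcp", 80, 80), ("tcp", 443, 443)]


@dataclass(frozen=True)
class Packet:
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


def in_service_group(pkt: Packet, group) -> bool:
    return any(pkt.proto == p and lo <= pkt.dport <= hi for p, lo, hi in group)


# --- policy conditions ---
def cond_full(pkt: Packet) -> bool:
    return True  # source ip Any destination ip Any


def cond_limited(pkt: Packet) -> bool:
    return ip_address(pkt.dst) in ALLOWED and in_service_group(pkt, BASIC)


def cond_limited_deny(pkt: Packet) -> bool:
    return ip_address(pkt.dst) in BLOCKED


@dataclass(frozen=True)
class Rule:
    name: str
    precedence: int
    condition: Callable[[Packet], bool]
    disposition: str  # "accept" unless the action carries "disposition deny"


RULES: Dict[str, Rule] = {
    "Full": Rule("Full", 500, cond_full, "accept"),
    "Limited": Rule("Limited", 400, cond_limited, "accept"),
    "Limited_Deny": Rule("Limited_Deny", 200, cond_limited_deny, "deny"),
}

# policy lists of type unp; the list name is what the RADIUS Filter-Id
# returned by ClearPass has to match for the switch to apply it
POLICY_LISTS: Dict[str, List[str]] = {
    "Full": ["Full"],
    "Limited": ["Limited", "Limited_Deny"],
}


def list_for_filter_id(filter_id: str) -> Optional[str]:
    """Policy list a Filter-Id value selects, or None if no such list exists."""
    return filter_id if filter_id in POLICY_LISTS else None


def evaluate(list_name: str, pkt: Packet,
             default_disposition: str = "accept") -> Tuple[Optional[str], str]:
    """(matching rule, disposition); rule is None when the packet fell through."""
    rules = sorted((RULES[n] for n in POLICY_LISTS[list_name]),
                   key=lambda r: -r.precedence)  # assumed: highest precedence first
    for rule in rules:
        if rule.condition(pkt):
            return rule.name, rule.disposition
    return None, default_disposition


def uncovered(list_name: str, pkts: List[Packet]) -> List[Packet]:
    """Packets no rule in the list decides; these silently take the default."""
    return [p for p in pkts if evaluate(list_name, p)[0] is None]


if __name__ == "__main__":
    # constructed sample traffic, not from the post
    samples = [Packet("192.168.112.4", "tcp", 443),   # Allowed host, Basic service
               Packet("192.168.112.9", "tcp", 22),    # Blocked host
               Packet("192.168.112.50", "tcp", 22),   # in neither group
               Packet("192.168.112.4", "tcp", 22)]    # Allowed host, non-Basic service
    for p in samples:
        print(p, "->", evaluate("Limited", p))
    print("undecided by Limited:", uncovered("Limited", samples))
```

Running it shows that the Limited list only decides traffic to the Allowed hosts on Basic services and traffic to the Blocked hosts; an Allowed host on a non-Basic port, or any host in neither group, is left to the default disposition, so the restriction the role is meant to enforce depends on that default as much as on the two rules.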