Security

Hi,
I'm "activating" Clearpass on all switches in our network. We have a few Cisco switches left where there are AP's connected to. These AP's need a native vlan for management and 2 tagged vlans for corporate wifi and guest wifi.
I made a few interfaces on cisco switches - where AP's are connected to - active for clearpass. I configured the below in the enforcement profile of Clearpass, but to me it seems like those tagged vlans are not applied (clients on both SSID's get a 169.x.x.x address).

Can anyone help me in which settings I'm doing wrong or which settings I'm missing here? 



I applied the below settings on the interfaces of the cisco switch.

 switchport access vlan 44
 switchport mode access
 switchport nonegotiate
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 3
 auto qos voip cisco-phone​

Does anyone have useful cisco commands to check this? (Like Aruba: show port-access authentica)

Thanks!

I don't have a direct answer to your question.  Have you already seen the Cisco chapter of the ClearPass wired authentication guide here?  https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Hi,
thanks for your reply. I checked out this document and did some more googling too, but still didn't find the required settings.

FYI: the below enforcement policy works for Aruba switches (i.e. 2930F's and 2540's). I'm just trying to do the same for AP's on cisco switches (2960's)


Could it be possible that I need to upload some cisco dictionary to enable these settings?
Does anyone have a URL where I can download Clearpass dictionaries for Cisco switches?

Thanks in advance!
Original Message:
Sent: Apr 01, 2022 03:02 PM
From: Colin Joseph
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

I don't have a direct answer to your question.  Have you already seen the Cisco chapter of the ClearPass wired authentication guide here?  https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Cisco dictionary is already available in ClearPass "Administration » Dictionaries » RADIUS" which is used if you are using Cisco VSA, which you might want to consider. But you are just using IETF RADIUS attrib, so no need for the cisco dictionary.

you need to check if Cisco switch supports IETF EGESS-VLAN-ID
generally for cisco multi-domain auth, Cisco VSA AV-pair is used.

this is the example for a voice port

radius:cisco   /  cisco:avpair  /   device-traffic-class=voice

and this is for what you are trying to achieve with the APs.
radius:cisco   /  cisco:avpair  /   device-traffic-class=switch

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------

Original Message:
Sent: Apr 07, 2022 02:02 AM
From: Bram D'hoore
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

Hi,
thanks for your reply. I checked out this document and did some more googling too, but still didn't find the required settings.

FYI: the below enforcement policy works for Aruba switches (i.e. 2930F's and 2540's). I'm just trying to do the same for AP's on cisco switches (2960's)


Could it be possible that I need to upload some cisco dictionary to enable these settings?
Does anyone have a URL where I can download Clearpass dictionaries for Cisco switches?

Thanks in advance!

Original Message:
Sent: Apr 01, 2022 03:02 PM
From: Colin Joseph
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

I don't have a direct answer to your question.  Have you already seen the Cisco chapter of the ClearPass wired authentication guide here?  https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Thanks for your reply, that looks promising!

I checked the dictionaries and there is indeed a "Cisco" dictionary (vendor ID 9) which is enabled.

I now tried this in a new test-policy, but the "device-traffic-class" is not there. See screenshot below. That's why I was thinking that some cisco library was incomplete or not there.


If dictionary is not it, do you know what a possible reason for this could be?
Original Message:
Sent: Apr 07, 2022 03:04 AM
From: Ariya Parsamanesh
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

Cisco dictionary is already available in ClearPass "Administration » Dictionaries » RADIUS" which is used if you are using Cisco VSA, which you might want to consider. But you are just using IETF RADIUS attrib, so no need for the cisco dictionary.

you need to check if Cisco switch supports IETF EGESS-VLAN-ID
generally for cisco multi-domain auth, Cisco VSA AV-pair is used.

this is the example for a voice port

radius:cisco   /  cisco:avpair  /   device-traffic-class=voice

and this is for what you are trying to achieve with the APs.
radius:cisco   /  cisco:avpair  /   device-traffic-class=switch

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------


Original Message:
Sent: Apr 07, 2022 02:02 AM
From: Bram D'hoore
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

Hi,
thanks for your reply. I checked out this document and did some more googling too, but still didn't find the required settings.

FYI: the below enforcement policy works for Aruba switches (i.e. 2930F's and 2540's). I'm just trying to do the same for AP's on cisco switches (2960's)


Could it be possible that I need to upload some cisco dictionary to enable these settings?
Does anyone have a URL where I can download Clearpass dictionaries for Cisco switches?

Thanks in advance!

Original Message:
Sent: Apr 01, 2022 03:02 PM
From: Colin Joseph
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

I don't have a direct answer to your question.  Have you already seen the Cisco chapter of the ClearPass wired authentication guide here?  https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

you need to type the whole thing in


------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------

Original Message:
Sent: Apr 07, 2022 04:38 AM
From: Bram D'hoore
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

Thanks for your reply, that looks promising!

I checked the dictionaries and there is indeed a "Cisco" dictionary (vendor ID 9) which is enabled.

I now tried this in a new test-policy, but the "device-traffic-class" is not there. See screenshot below. That's why I was thinking that some cisco library was incomplete or not there.


If dictionary is not it, do you know what a possible reason for this could be?

Original Message:
Sent: Apr 07, 2022 03:04 AM
From: Ariya Parsamanesh
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

Cisco dictionary is already available in ClearPass "Administration » Dictionaries » RADIUS" which is used if you are using Cisco VSA, which you might want to consider. But you are just using IETF RADIUS attrib, so no need for the cisco dictionary.

you need to check if Cisco switch supports IETF EGESS-VLAN-ID
generally for cisco multi-domain auth, Cisco VSA AV-pair is used.

this is the example for a voice port

radius:cisco   /  cisco:avpair  /   device-traffic-class=voice

and this is for what you are trying to achieve with the APs.
radius:cisco   /  cisco:avpair  /   device-traffic-class=switch

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.


Original Message:
Sent: Apr 07, 2022 02:02 AM
From: Bram D'hoore
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

Hi,
thanks for your reply. I checked out this document and did some more googling too, but still didn't find the required settings.

FYI: the below enforcement policy works for Aruba switches (i.e. 2930F's and 2540's). I'm just trying to do the same for AP's on cisco switches (2960's)


Could it be possible that I need to upload some cisco dictionary to enable these settings?
Does anyone have a URL where I can download Clearpass dictionaries for Cisco switches?

Thanks in advance!

Original Message:
Sent: Apr 01, 2022 03:02 PM
From: Colin Joseph
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

I don't have a direct answer to your question.  Have you already seen the Cisco chapter of the ClearPass wired authentication guide here?  https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

I now typed in (did not chose from the list) the below:
device-traffic-class=switch
So the complete Clearpass policy is now:

Next week I'll configure this on a switch and ask someone on site to test. I'll update here with the results.



Original Message:
Sent: Apr 07, 2022 07:48 AM
From: Ariya Parsamanesh
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

you need to type the whole thing in


------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------


Original Message:
Sent: Apr 07, 2022 04:38 AM
From: Bram D'hoore
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

Thanks for your reply, that looks promising!

I checked the dictionaries and there is indeed a "Cisco" dictionary (vendor ID 9) which is enabled.

I now tried this in a new test-policy, but the "device-traffic-class" is not there. See screenshot below. That's why I was thinking that some cisco library was incomplete or not there.


If dictionary is not it, do you know what a possible reason for this could be?

Original Message:
Sent: Apr 07, 2022 03:04 AM
From: Ariya Parsamanesh
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

Cisco dictionary is already available in ClearPass "Administration » Dictionaries » RADIUS" which is used if you are using Cisco VSA, which you might want to consider. But you are just using IETF RADIUS attrib, so no need for the cisco dictionary.

you need to check if Cisco switch supports IETF EGESS-VLAN-ID
generally for cisco multi-domain auth, Cisco VSA AV-pair is used.

this is the example for a voice port

radius:cisco   /  cisco:avpair  /   device-traffic-class=voice

and this is for what you are trying to achieve with the APs.
radius:cisco   /  cisco:avpair  /   device-traffic-class=switch

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.


Original Message:
Sent: Apr 07, 2022 02:02 AM
From: Bram D'hoore
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

Hi,
thanks for your reply. I checked out this document and did some more googling too, but still didn't find the required settings.

FYI: the below enforcement policy works for Aruba switches (i.e. 2930F's and 2540's). I'm just trying to do the same for AP's on cisco switches (2960's)


Could it be possible that I need to upload some cisco dictionary to enable these settings?
Does anyone have a URL where I can download Clearpass dictionaries for Cisco switches?

Thanks in advance!

Original Message:
Sent: Apr 01, 2022 03:02 PM
From: Colin Joseph
Subject: Authenticate AP incl tagged vlans on Cisco switches with Clearpass

I don't have a direct answer to your question.  Have you already seen the Cisco chapter of the ClearPass wired authentication guide here?  https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.