Security

  • 1.  ClearPass Downloadable ACL

    Posted Nov 12, 2019 07:04 AM

    Dears,
    I have a problem on ClearPass.

    I have created a MAC authentication service with a downloadable access list; once the device is authenticated, it cannot reach the other devices in the same VLAN.

    Is there any solution to this restriction?



  • 2.  RE: ClearPass Downloadable ACL

    Posted Nov 12, 2019 07:28 AM

    Hi,

    Are your authenticated devices in the same VLAN as devices that are not yet authenticated, as configured in your services/policies?

    What is defined in the dACL?

    Kr



  • 3.  RE: ClearPass Downloadable ACL

    Posted Nov 13, 2019 01:48 AM

    Hi,
    All our devices are in the same VLAN and are authenticated using MAC authentication. When I tried to add the below ACL as a dACL, all authenticated users in the same VLAN cannot reach each other.

    dACL:

    permit ip any host 10.x.x.x
    deny ip any any 



  • 4.  RE: ClearPass Downloadable ACL

    Posted Nov 13, 2019 02:26 AM

    Hey,

    We use a dACL to restrict users when they are not known (no cert, no guest, no onboarding), so that they may only access ClearPass (and DHCP & DNS).

    The dACL is:

    ip access-list extended Onboard_ACL
       deny   udp any any eq bootpc
       deny   udp any any eq bootps
       remark CP
       deny   tcp any host 10.x.y.a
       deny   tcp any host 10.x.y.b
       deny   tcp any host 10.x.y.c
       deny   udp any any eq domain
       permit ip any any

    So try to invert your ACL:

    deny ip any host 10.x.x.x
    permit ip any any



  • 5.  RE: ClearPass Downloadable ACL

    Posted Nov 13, 2019 03:40 AM

    Hi,

    If I invert my ACL, it will block all connections from users to 10.x.x.x, which is what I don't want.

    What I want to tell you is that I need to allow the connection between authenticated users at L2 (same VLAN).

    If I have a user with IP 10.10.10.1 and another user with IP 10.10.10.2, and these users are authenticated, and I insert this ACL using a dACL:

    permit ip any host 10.x.x.x
    deny ip any any

    the connection between the users will be blocked.

    What I need is to allow this connection at the L2 level.

    ** I think the ClearPass dACL blocks all connections at the L2 level if those connections are not permitted by the dACL.
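
The behaviour described in posts 3 and 5 follows from ordinary first-match ACL semantics: the switch applies the downloaded ACL to every IP packet the authenticated host sends on its port, whether the destination is in the same VLAN or not, so "deny ip any any" also catches traffic to a neighbour on the same subnet. The following evaluator is an added example (not ClearPass or switch code, and not from any poster) that runs the posted dACL and a peer-aware variant against constructed sample flows. It assumes 10.20.30.40 in place of the redacted 10.x.x.x, assumes the VLAN subnet is 10.10.10.0/24 based on the peer addresses quoted in the thread, and models only destination-port qualifiers; the `Flow` class, `PORT_NAMES` table and sample flows are all invented for the example.

```python
"""First-match evaluator for Cisco-style extended ACL entries (added example, not ClearPass code).

Models the semantics a switch applies to a downloadable ACL: entries are checked
top to bottom, the first matching entry decides, and anything unmatched hits the
implicit 'deny ip any any' at the end of every IOS ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names accepted in place of port numbers; extend as needed.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "https": 443}


@dataclass(frozen=True)
class Flow:
    """One packet from src to dst; proto is 'tcp', 'udp', 'icmp' or 'ip'."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverse masks; ipaddress accepts them as host masks.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier (service name or number)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse ACL text into (action, proto, src_net, dst_net, dport, line) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("remark", "ip access-list")):
            continue
        toks = line.split()
        action, proto = toks[0].lower(), toks[1].lower()
        src, rest = _parse_addr(toks[2:])
        _, rest = _parse_port(rest)        # source-port qualifier, not modelled here
        dst, rest = _parse_addr(rest)
        dport, _ = _parse_port(rest)
        entries.append((action, proto, src, dst, dport, line))
    return entries


def evaluate(acl_text, flow):
    """Return (action, matching entry) for the flow under first-match semantics."""
    src_ip, dst_ip = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for action, proto, src, dst, dport, line in parse_acl(acl_text):
        if proto != "ip" and proto != flow.proto:
            continue
        if src_ip not in src or dst_ip not in dst:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action, line
    return "deny", "implicit deny ip any any"


# The dACL from the thread; 10.20.30.40 stands in for the redacted 10.x.x.x (assumption).
POSTED_DACL = """
permit ip any host 10.20.30.40
deny ip any any
"""

# Same dACL with the VLAN's own subnet permitted before the final deny.
# 10.10.10.0/24 is assumed from the peer addresses given in the thread.
PEER_AWARE_DACL = """
permit ip any host 10.20.30.40
permit ip any 10.10.10.0 0.0.0.255
deny ip any any
"""

# Constructed sample traffic: peer-to-peer, to the permitted server, off-subnet, and DHCP discover.
SAMPLE_FLOWS = {
    "peer": Flow("tcp", "10.10.10.1", "10.10.10.2", 445),
    "server": Flow("tcp", "10.10.10.1", "10.20.30.40", 443),
    "elsewhere": Flow("tcp", "10.10.10.1", "192.0.2.10", 443),
    "dhcp": Flow("udp", "0.0.0.0", "255.255.255.255", 67),
}

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_DACL), ("peer-aware", PEER_AWARE_DACL)):
        for label, flow in SAMPLE_FLOWS.items():
            action, entry = evaluate(acl, flow)
            print(f"{name:10} {label:10} {action:6} via '{entry}'")
```

Under the posted dACL the 10.10.10.1 to 10.10.10.2 flow falls through to "deny ip any any", which is exactly the symptom in the thread; L2 adjacency does not bypass a port ACL because the switch filters the host's IP packets before forwarding them anywhere. The peer-aware variant fixes it by permitting the subnet ahead of the final deny. Two things to check before deploying that: permitting the whole subnet re-enables lateral movement between authenticated hosts, so permit only the specific peers and ports that are actually needed if isolation was part of the design; and a dACL ending in "deny ip any any" also drops the host's DHCP renewals (the "dhcp" sample flow above), so add an explicit permit for bootps/bootpc unless the switch already exempts it.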



  • 6.  RE: ClearPass Downloadable ACL

    Posted Nov 13, 2019 09:39 AM

    What does it do without the dACL?

    Have you tried to follow https://www.youtube.com/watch?v=yJ6kt85WBjg