It depends on your switch, but ArubaOS Switches (like 2540/2930/3810/5400) will probably use 10.10.10.0 0.0.0.255 as mask for your subnet 10.10.10.0/24.
And with this access-list, you don't allow DNS and DHCP, which are normally a prerequisite for clients to work.
For the CPPM you have rule 20 to allow return traffic, which is only needed if you enforce the ACL in both directions (in+out). If you do, you should probably do the same for the other servers. If you just enforce inbound, rule 20 is not needed.
The concept seems good; you probably will need to fine-tune the access-list contents.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
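A version of the quarantine ACL adjusted along the lines of the reply above (added example, not the poster's own config): wildcard masks instead of subnet masks, explicit DHCP and DNS permits, and no return-traffic rule because it assumes the ACL is enforced inbound only. It assumes ArubaOS-Switch extended ACL syntax (`host`, `any`, `eq`, `remark`) and uses DNS_SERVER_IP as a placeholder for the resolver's address, which the thread does not give.

```text
ip access-list extended "Quarantine_ACL"
   remark DHCP: DISCOVER comes from 0.0.0.0 to broadcast, so the source must be any
   10 permit udp any any eq 67
   remark DNS to the resolver (DNS_SERVER_IP is a placeholder)
   20 permit udp 10.10.10.0 0.0.0.255 host DNS_SERVER_IP eq 53
   remark ClearPass (CPPM) for posture and web-auth
   30 permit ip 10.10.10.0 0.0.0.255 host 192.168.168.7
   remark Remediation servers (Symantec, WSUS)
   40 permit tcp 10.10.10.0 0.0.0.255 host 192.168.5.10
   50 permit tcp 10.10.10.0 0.0.0.255 host 172.16.16.10
   remark Enforced inbound only, so no CPPM return-traffic rule is needed
   60 deny ip any any
   exit
```

If the ACL is enforced in both directions, add matching return rules for CPPM, DNS and the remediation servers, and a `permit udp any any eq 68` for DHCP replies.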
Original Message:
Sent: Aug 29, 2022 08:28 PM
From: Mohanad Abdelrazik
Subject: DHCP Issue when Switch Between VLANs From Users to Quarantine and vice versa
Hello Herman,
Here is the network topology:
Please correct me if I'm wrong.
If the client is Healthy, match on access-list "Healthy_ACL" to permit any any, and filtering is done on the firewall as in the normal case.
If the client is Unhealthy, ClearPass will guide the switch to assign the quarantine ACL to Unhealthy users.
ip access-list extended "Quarantine_ACL"
10 permit ip 10.10.10.0 255.255.255.0 192.168.168.7 0.0.0.0 (To CPPM)
20 permit ip 192.168.168.7 0.0.0.0 10.10.10.0 255.255.255.0 (From CPPM)
30 permit tcp 10.10.10.0 255.255.255.0 192.168.5.10 0.0.0.0 (Symantec Server)
40 permit tcp 10.10.10.0 255.255.255.0 172.16.16.10 0.0.0.0 (WSUS server)
50 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
When it becomes healthy, ClearPass will guide the switch to assign "Healthy_ACL".
------------------------------
BR,
Mohanad
Original Message:
Sent: Aug 29, 2022 04:50 AM
From: Herman Robers
Subject: DHCP Issue when Switch Between VLANs From Users to Quarantine and vice versa
In addition to the Switch Port Bounce, you should also consider keeping the same VLAN and using a quarantine role instead of a quarantine VLAN. With the quarantine role you keep the VLAN (and IP) the same, but change the client's access with ACLs.
Switching VLAN results in many issues, like the one you described. If you can avoid it, that is probably the best solution. Otherwise, carefully test.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Aug 28, 2022 10:26 AM
From: Mohanad Abdelrazik
Subject: DHCP Issue when Switch Between VLANs From Users to Quarantine and vice versa
Hello Everyone,
I have a question regarding switching between VLANs from Users to Quarantine and vice versa.
We have:
1. authentication service and WebAuth (Posture Policy)
2. Wired Healthy Profile (VLAN 3 Users)
3. Wired Unhealthy Profile (VLAN 4 Quarantine)
The flow:
When the user connects to the network, his posture token is (unknown100) by default for the first request, the Wired Unhealthy Profile will be assigned to him, and the session should be terminated; on the second request his posture token will be healthy or quarantine.
If the user is quarantine, VLAN 4 will be assigned to his port, but I noticed he is not getting an IP from DHCP (10.70.70.x) unless I unplug/plug the cable or disable/enable the port from the switch so the client will start sending a DHCP request. After fixing the issues with the posture policy, his token is now healthy and the Wired Healthy Profile will be assigned to him with VLAN 3; again he is not sending a DHCP request for (192.168.100.x).
So should I add [ArubaOS Switching - Bounce Switch Port] to force the client to send a DHCP request every time the VLAN is changed, or is there any other solution for this problem?
------------------------------
BR,
Mohanad
------------------------------