topic Change VLAN only if check fails in Network Access Control

Change VLAN only if check fails

david_austria — Mon, 11 Mar 2019 02:51:14 GMT

Hello,

does anybody know if it's possible to change the Client only then to the Auth VLAN if the check fails? We want to authenticated the pc by the MAC-Adressfilter and than the user with the NAC-Agent. But the pc should be always in the default Access-Vlan and only change to Auth-Vlan if the NAC-Agent check fails.

greetings,

David

Change VLAN only if check fails

edondurguti — Tue, 04 Dec 2012 19:24:12 GMT

Try playing with

Authorization

Session:PostureStatus = compliant/NonCompliant/Unknown [then] = AUTH_VLAN

Change VLAN only if check fails

jw.sl9 — Tue, 04 Dec 2012 21:07:37 GMT

All checks? Some checks? One Check?

If all, then you are looking to use a AUTHZ policy for something like this:

Fail-Check if Session:PostureStatus EQUALS NonCompliant then NonCompliantVLAN

Do I understand you want your machines to all pass by MAB and not 802.1X? Or are you referencing the MAC as part of an 802.1X AUTHC rule?

On your switch, you might want to consider how to handle the access policy if the authenticaiton server (RADIUS/ISE) is unavailable/dead... Just to be thourough.

Change VLAN only if check fails

david_austria — Wed, 05 Dec 2012 05:51:08 GMT

Yes, first we want to pass the PC by the MAC-Address and after the User is logged on, we want to check the PC for anti virus software and so on. And only if the check with the NAC-Agent fails, the PC should come into the Auth-VLAN.

Change VLAN only if check fails

edondurguti — Wed, 05 Dec 2012 14:44:23 GMT

As me and JW.SL9 (who was more thourough) stated you can do that if the status of that client is non compliant then client should go to Auth-Vlan, because if they fail to pass NAC-Agent checks and/or NAC-Agent itself fails they will not be compliant(allowed access) and will fall in Auth-Vlan.