cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

555
Views
0
Helpful
4
Replies
david_austria
Beginner

Change VLAN only if check fails

Hello,

does anybody know if it's possible to change the Client only then to the Auth VLAN if the check fails? We want to authenticated the pc by the MAC-Adressfilter and than the user with the NAC-Agent. But the pc should be always in the default Access-Vlan and only change to Auth-Vlan if the NAC-Agent check fails.

greetings,

David

4 REPLIES 4
edondurguti
Enthusiast

Try playing with

Authorization

Session:PostureStatus = compliant/NonCompliant/Unknown [then] = AUTH_VLAN

jw.sl9
Beginner

All checks?  Some checks?  One Check?

If all, then you are looking to use a AUTHZ policy for something like this:

Fail-Check if Session:PostureStatus EQUALS NonCompliant then NonCompliantVLAN


Do I understand you want your machines to all pass by MAB and not 802.1X?  Or are you referencing the MAC as part of an 802.1X AUTHC rule?

On your switch, you might want to consider how to handle the access policy if the authenticaiton server (RADIUS/ISE) is unavailable/dead...  Just to be thourough.


I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James

Yes, first we want to pass the PC by the MAC-Address and after the User is logged on, we want to check the PC for anti virus software and so on. And only if the check  with the NAC-Agent fails, the PC should come into the Auth-VLAN.

As me and JW.SL9 (who was more thourough) stated you can do that if the status of that client is non compliant then client should go to Auth-Vlan, because if they fail to pass NAC-Agent checks and/or NAC-Agent itself fails they will not be compliant(allowed access) and will fall in Auth-Vlan.

Content for Community-Ad