Change VLAN only if check fails

david_austria
Level 1

Hello,

Does anybody know if it's possible to change the client to the Auth VLAN only if the check fails? We want to authenticate the PC by the MAC address filter and then the user with the NAC agent. But the PC should always be in the default Access VLAN and only change to the Auth VLAN if the NAC agent check fails.

greetings,

David


edondurguti
Level 4

Try playing with

Authorization

Session:PostureStatus = compliant/NonCompliant/Unknown [then] = AUTH_VLAN

jw.sl9
Level 1

All checks? Some checks? One check?

If all, then you are looking to use an AUTHZ policy for something like this:

Fail-Check if Session:PostureStatus EQUALS NonCompliant then NonCompliantVLAN


Do I understand you want your machines to all pass by MAB and not 802.1X? Or are you referencing the MAC as part of an 802.1X AUTHC rule?

On your switch, you might want to consider how to handle the access policy if the authentication server (RADIUS/ISE) is unavailable/dead... Just to be thorough.


I hope you find this information useful. If it was satisfactory for you, please mark the question as Answered. Please rate posts you consider useful. -James

Yes, first we want to pass the PC by the MAC address, and after the user is logged on, we want to check the PC for anti-virus software and so on. And only if the check with the NAC agent fails should the PC come into the Auth VLAN.

As JW.SL9 (who was more thorough) and I stated, you can do that: if the status of that client is non-compliant, then the client should go to the Auth VLAN, because if they fail to pass the NAC agent checks and/or the NAC agent itself fails, they will not be compliant (allowed access) and will fall into the Auth VLAN.
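The behaviour both replies describe, as an added example that is not part of the thread: a small first-match evaluator that mimics how an ordered ISE-style authorization policy keyed on Session:PostureStatus decides which VLAN the switch receives, with the "NonCompliant then Auth VLAN" rule placed first. The attribute key Auth:Method, the VLAN names and the rule names are assumptions for illustration, and the Unknown-to-Access-VLAN rule reflects the original poster's requirement rather than a recommended default.

```python
# Added example (not from the thread): first-match authorization policy evaluation.
# Attribute names other than Session:PostureStatus, and all VLAN/rule names, are assumed.
from dataclasses import dataclass

ACCESS_VLAN = "ACCESS_VLAN"  # default VLAN the PC normally sits in
AUTH_VLAN = "AUTH_VLAN"      # remediation VLAN used only when the posture check fails
DEFAULT_RESULT = "DenyAccess"  # what happens when no rule matches (assumed)


@dataclass
class Rule:
    name: str
    conditions: dict  # attribute -> required value; every pair must match
    result: str       # authorization result (here: the VLAN handed to the switch)

    def matches(self, session: dict) -> bool:
        return all(session.get(k) == v for k, v in self.conditions.items())


# Ordered like an ISE authorization policy: the first rule whose conditions match wins,
# so the failure rule sits on top, exactly as the "Fail-Check" rule in the thread.
POLICY = [
    Rule("Fail-Check", {"Session:PostureStatus": "NonCompliant"}, AUTH_VLAN),
    Rule("Compliant-MAB", {"Auth:Method": "MAB", "Session:PostureStatus": "Compliant"}, ACCESS_VLAN),
    Rule("Unknown-MAB", {"Auth:Method": "MAB", "Session:PostureStatus": "Unknown"}, ACCESS_VLAN),
]


def authorize(session: dict) -> tuple[str, str]:
    """Return (rule name, result) for the first matching rule, or the default result."""
    for rule in POLICY:
        if rule.matches(session):
            return rule.name, rule.result
    return "Default", DEFAULT_RESULT


def posture_lifecycle(posture_reports: list[str]) -> list[str]:
    """VLAN the MAB-authenticated PC lands in after each posture update (re-evaluated
    on every change, which is what a CoA would trigger on the real switch)."""
    session = {"Auth:Method": "MAB", "Session:PostureStatus": "Unknown"}
    vlans = [authorize(session)[1]]  # VLAN right after MAB, before the agent reports
    for status in posture_reports:
        session["Session:PostureStatus"] = status
        vlans.append(authorize(session)[1])
    return vlans


if __name__ == "__main__":
    # Constructed sample: agent first passes, then a later re-check fails.
    print(posture_lifecycle(["Compliant", "NonCompliant"]))
```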