Dynamic VLAN assignment using Clearpass to Cisco FlexConnect not working
07-25-2021 08:06 PM
I was designing a dot1x setup where the machine authentication gets a restricted VLAN and the user + machine authentication gets the full access VLAN. So when a user opens up his laptop, it will first perform the machine authentication. ClearPass will push down the VLAN to the Cisco controller. When the user logs in to the laptop, he will get the full access VLAN. At this time ClearPass will enforce the Allow Access profile, so the VLAN mapped under the WLAN VLAN mapping section must be assigned to the user. I have tested this scenario on a Cisco 5508 controller (software version 7.6.100.12) and it is working perfectly fine.
But I'm having an issue with version 8.5.135.0.
The issue is that the user gets the proper VLAN pushed down from ClearPass when he is machine authenticated, but when the user + machine authentication happens, he is not falling into the full access VLAN. But when he disconnects and connects back, he will fall into the full access VLAN.
The configurations on both versions are the same. Can someone help me understand if it is related to some version bug or whether any configuration change is needed?
Labels: Wireless LAN Controller
07-26-2021 12:36 PM - edited 07-26-2021 12:37 PM
Sounds like a CoA issue. I am not sure whether there are any bugs in this code as I don't have any production controllers running this;
But you can check the below from the WLC side:
- Support for CoA under the RADIUS server config
- Under the WLAN, AAA override enabled
Double check the ACL: for AireOS, permit statements mean traffic should not be redirected and deny statements mean traffic should be redirected.
P.S. If feasible, upgrade your controllers to the latest Cisco recommended AireOS.
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
07-26-2021 07:21 PM
Hi Arshadsaf,
Thanks for your response.
Yes, the CoA and AAA override have already been enabled.
I have taken a pcap from ClearPass and I could not find any CoA being sent to the controller.
So does this VLAN change really need CoA to work?
Thanks for the doc link. We will think of an upgrade as well.
07-27-2021 04:41 AM - edited 07-27-2021 04:42 AM
Traditional dynamic VLAN assignment deployments don't require CoA, but in your case the machine gets authorized first and then it should change after the user logs in.
Usually when the machine is authenticated and a VLAN is assigned, I don't think it is possible to change the assigned VLAN through authorization unless the user has disconnected and reconnected. So the RADIUS server uses CoA support to overcome this.
Are you doing EAP-TEAP?
___________________________________________
Arshad Safrulla
07-27-2021 08:30 AM
If you're not using CoA, how else are you going to signal the VLAN change?
If using 8.5 then you should be using 8.5.171.0, not an old version like 8.5.135.0!
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
07-27-2021 09:03 AM
Hi Arshadsaf and rrudling,
Thank you for your responses.
Noted on that.
To verify on CoA, I have taken a few pcaps from ClearPass to Cisco and I could not see any RADIUS Disconnect-Request from ClearPass to Cisco. Even the VLAN change was working after disabling the "Support for RFC 3576" option in the Cisco WLC.
From ClearPass, once it is machine authenticated it will send down the VLAN ID using the Tunnel-Private-Group-Id attribute. I have called this VLAN ID under the FlexConnect VLAN ACL mapping. Then when the PC is machine + user authenticated, ClearPass will just send down a RADIUS Access-Accept using the Allow Access profile. At this time the VLAN mapped under the FlexConnect WLAN VLAN mapping will be used.
So I'm not using any CoA profile from ClearPass specifically for this purpose, and it is working perfectly for version 7.6.100.12 (no firewall in between this WLC and ClearPass).
The only difference is that there is a firewall between ClearPass and the WLC with version 8.5.135. So I will try to open the CoA port.
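The two mechanisms debated in this thread are easy to confuse in a capture: a plain Access-Accept that carries the RFC 3580 Tunnel-* attributes (what ClearPass sends on machine auth), versus an RFC 5176 CoA-Request sent to the WLC (UDP/3799 by default) to move an already-authorised session into another VLAN, which is what Arshad's earlier reply says is needed once the machine session exists. The following Python, added here as an illustration and not code from the original post, ClearPass or Cisco, builds both packet types on the standard library only, computes and verifies the CoA Request Authenticator the way the WLC does, and tallies message types from a list of raw RADIUS UDP payloads so a missing CoA-Request/Disconnect-Request stands out. The shared secret, client MAC and VLAN numbers below are constructed sample values, and the Access-Accept uses a placeholder authenticator because the Response Authenticator would need the matching Access-Request.

```python
"""Build and decode RADIUS messages used for dynamic VLAN assignment and CoA.

Access-Accept + Tunnel-* attributes (RFC 2865/3580) vs CoA-Request (RFC 5176).
Standard library only; works on raw UDP payloads, e.g. extracted from a pcap.
Added example, not ClearPass or Cisco code; all sample values are constructed.
"""
import hashlib
import struct
from collections import Counter

# RADIUS packet codes (RFC 2865, RFC 5176)
CODE_NAMES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
    43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK",
}
ACCESS_ACCEPT, DISCONNECT_REQUEST, COA_REQUEST, COA_ACK = 2, 40, 43, 44

# Attribute types used here
CALLING_STATION_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 31, 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type = IEEE-802

SECRET = b"constructed-shared-secret"   # constructed; not a deployment value
CLIENT_MAC = b"aa-bb-cc-dd-ee-ff"       # constructed Calling-Station-Id


def _attr(attr_type, value):
    """TLV encoding: 1-byte type, 1-byte total length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _tagged_int(tag, value):
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id, tag=0):
    """The three attributes a RADIUS server sends to assign a VLAN (RFC 3580)."""
    return (_attr(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
            + _attr(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_802))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def build_request(code, ident, attrs, secret):
    """CoA-Request / Disconnect-Request with the RFC 5176 Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_request(packet, secret):
    """Recompute the Request Authenticator as the NAS (WLC) does. A wrong shared
    secret fails this check and the NAS silently drops the request."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth


def build_response(code, request, attrs, secret):
    """CoA-ACK/NAK: MD5(Code + Identifier + Length + RequestAuth + attributes + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def parse(packet):
    """Decode header and attributes; extract the VLAN from Tunnel-Private-Group-Id."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    vlan = None
    for atype, value in attrs:
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet <= 0x1F is a tag; otherwise it is part of the string
            if value and value[0] <= 0x1F:
                value = value[1:]
            vlan = value.decode()
    return {"code": CODE_NAMES.get(code, str(code)), "id": ident, "attrs": attrs, "vlan": vlan}


def summarize(payloads):
    """Count message types in a list of RADIUS payloads, the check the OP did by eye:
    no CoA-Request or Disconnect-Request means nothing asked the WLC to re-authorise."""
    return Counter(parse(p)["code"] for p in payloads)


def demo():
    """Constructed exchange: machine auth lands in VLAN 200, CoA moves the session to 204."""
    machine_attrs = vlan_attributes(200)
    # Access-Accept with a placeholder (all-zero) authenticator; only its attributes matter here
    accept = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(machine_attrs)) + bytes(16) + machine_attrs
    coa = build_request(COA_REQUEST, 8, _attr(CALLING_STATION_ID, CLIENT_MAC) + vlan_attributes(204), SECRET)
    ack = build_response(COA_ACK, coa, b"", SECRET)
    return accept, coa, ack


if __name__ == "__main__":
    accept, coa, ack = demo()
    for name, pkt in (("accept", accept), ("coa", coa), ("ack", ack)):
        print(name, parse(pkt)["code"], "vlan =", parse(pkt)["vlan"])
    print("CoA authenticator valid:", verify_request(coa, SECRET))
    print(summarize([accept, coa, ack]))
```

To apply this to the captures mentioned above, feed `summarize()` the UDP payloads of everything between ClearPass and the WLC on ports 1812 and 3799; if the tally shows only Access-Request/Access-Accept and no CoA-Request, then no VLAN change was ever signalled to the WLC, and a firewall blocking UDP/3799 could not be the cause either way. Note the tag handling in `parse()`: some servers send Tunnel-Private-Group-Id with a leading tag octet and some without, and a decoder that does not strip it would report "\x00204" rather than "204".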
07-27-2021 09:11 AM
Hi Arshadsaf,
I'm using EAP-PEAP.
07-27-2021 02:04 PM
As far as I know EAP-PEAP doesn't support both machine and user auth. You need EAP-TEAP or EAP chaining for this. Are you doing a basic dot1x dynamic VLAN assignment where, when the user connects, he receives an IP from a quarantine VLAN (VLAN is not sent from RADIUS), then once the user logs in RADIUS sends the Tunnel attribute with the RADIUS Access-Accept to change the VLAN?
If that's the case, can you check whether you have a dynamic interface for both VLANs?
___________________________________________
Arshad Safrulla
07-27-2021 09:42 PM
Hi Arshadsaf,
Actually the auth method EAP-PEAP, EAP-MSCHAPv2 is working fine for both machine and user authentication (tested on Aruba and Cisco wireless).
"Are you doing a basic dot1x dynamic VLAN assignment where, when the user connects, he receives an IP from a quarantine VLAN (VLAN is not sent from RADIUS), then once the user logs in RADIUS sends the Tunnel attribute with the RADIUS Access-Accept to change the VLAN?"
Yes, it is a basic dot1x dynamic VLAN assignment where the machine-authenticated client will get a VLAN (VLAN 200) pushed down from ClearPass using the Tunnel attribute. After this, when the user logs in to the PC, the PC will try dot1x again with user credentials; at this time ClearPass will accept the RADIUS request (VLAN is not sent from the RADIUS server). So the VLAN (VLAN 204) mapped under the Cisco FlexConnect WLAN VLAN Mapping should be assigned. I have added VLAN 200 under the AAA VLAN ACL Mapping to let the AP know about this VLAN.
Apparently this is working perfectly fine on the Cisco WLC (version 7.6.100.12) and not on the WLC (version 8.5.135).
I have uploaded some screenshots for a better understanding of this scenario.
