Quarantine VLAN or Policy based on Assessment?

Peter_Chang
New Contributor II
Hello,

I'm currently in the middle of integrating an Extreme solution in our test environment before we bring it over to production. To keep it simple, my main question is that I have a NAC policy that will authenticate a user and do assessment. If assessment fails, then I want to apply a Quarantine rule. I'm unsure if I am supposed to create a separate Quarantine VLAN or apply policies to have these users in a limited role. I have asked Extreme consultants and some have advised going the policy route, giving end users limited access. Therefore this is the route that I am trying to pursue.

Here's a rundown of what we have done:
  • Integrated Active Directory, and MDM JAMF's Casper Suite for Assessment.
  • Have 2 NACs and 2 Extreme Wireless Controllers working.
  • Have Dynamic VLAN working utilizing one SSID, "ASD_EXT". Based on LDAP:
    • If you are a High School Student, get placed into VLAN 72
    • If you are a Middle School Student, get placed into VLAN 64
    • If you are Staff, get placed into VLAN 100

Now with the Casper Suite integration I can create dynamic groups and link them from Casper Suite. Casper Suite is a solution we use to manage all of our Apple Macs. With this, I set up an assessment rule basically saying that if a machine hasn't reported in after "x" amount of days to Casper, then we will put a quarantine rule. If it has "reported in" in the required timeline, then they get placed into their correct VLAN, 72 (High School), 64 (Middle School), or 100 (Staff).
  • So I sort of have this working: my Quarantine policy works, where I have denied internet and allowed access to the Casper Server to remediate.
  • However, the authenticated VLAN, whether 72 (High School), 64 (Middle School), or 100 (Staff), doesn't get honoured, and the client receives an IP that is in the VLAN of the Wireless APs when in quarantine.
  • On the switch port I have the Access Point untagged with the Wireless Management VLAN 102, and have VLANs 72, 64, 100 tagged.
Should I continue on this path or would it be best practice to place failed assessment users into a Quarantine VLAN?

Thanks in advance!
Peter
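The decision logic described in the post (authenticate, look up the LDAP group for a VLAN, then check MDM check-in age to decide between a normal and a quarantine role) is modelled below as an added example. This is not Extreme's or the poster's configuration; it is a stand-alone Python model of a NAC authorization decision using the standard RADIUS attributes from RFC 2865 and RFC 3580 (`Filter-Id`, `Tunnel-Private-Group-ID`). The group names, role names, the 7-day threshold and the sample endpoints are all constructed for illustration. The point it makes is the one a practitioner would want checked in the post's scenario: the role/policy decision and the VLAN decision are separate attributes, so a quarantine outcome can still carry the user's authenticated VLAN rather than falling back to whatever the access point's native VLAN is.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed group-to-VLAN mapping, using the VLAN IDs quoted in the post.
# The order is the evaluation priority when a user is in more than one group
# (assumed: Staff wins, then High School, then Middle School).
GROUP_VLANS = [
    ("Staff", 100),
    ("HighSchoolStudents", 72),
    ("MiddleSchoolStudents", 64),
]

# Hypothetical role (Filter-Id) names; any NAC product will use its own.
NORMAL_ROLE = "Enterprise-User"
QUARANTINE_ROLE = "Quarantine"

# The "x days" from the post; the value is an assumption for the example.
MAX_CHECKIN_AGE = timedelta(days=7)


@dataclass
class Endpoint:
    username: str
    groups: List[str]              # LDAP group memberships
    last_checkin: Optional[date]   # None if the MDM has never seen the device


def vlan_for(groups: List[str]) -> Optional[int]:
    """Return the VLAN for the highest-priority matching group, or None."""
    for group, vlan in GROUP_VLANS:
        if group in groups:
            return vlan
    return None


def is_stale(ep: Endpoint, today: date) -> bool:
    """A device that never reported in is treated as failing assessment.

    A check-in exactly at the threshold still passes (strict comparison).
    """
    if ep.last_checkin is None:
        return True
    return today - ep.last_checkin > MAX_CHECKIN_AGE


def decide(ep: Endpoint, today: date) -> Dict[str, str]:
    """Build the RADIUS reply attributes for one authentication.

    The VLAN is chosen first from the LDAP group and is kept regardless of
    the assessment result; only Filter-Id changes between the normal and
    the quarantine role. A user with no mapped group is rejected rather
    than being placed on a default VLAN.
    """
    vlan = vlan_for(ep.groups)
    if vlan is None:
        return {"Reply": "Access-Reject", "Reason": "no VLAN role for groups"}

    reply = {
        "Reply": "Access-Accept",
        "Tunnel-Type": "VLAN",             # RFC 3580, value 13
        "Tunnel-Medium-Type": "IEEE-802",  # RFC 3580, value 6
        "Tunnel-Private-Group-ID": str(vlan),
        "Filter-Id": QUARANTINE_ROLE if is_stale(ep, today) else NORMAL_ROLE,
    }
    return reply


# Constructed sample endpoints evaluated as of a fixed "today".
TODAY = date(2024, 3, 15)
SAMPLE = [
    Endpoint("hs_student", ["HighSchoolStudents"], date(2024, 3, 14)),
    Endpoint("ms_student", ["MiddleSchoolStudents"], date(2024, 2, 1)),
    Endpoint("teacher", ["Staff", "HighSchoolStudents"], None),
    Endpoint("guest", ["Visitors"], date(2024, 3, 15)),
]

if __name__ == "__main__":
    for ep in SAMPLE:
        print(ep.username, decide(ep, TODAY))
```

Run against the sample set, the stale Middle School device and the never-seen staff device both get the quarantine role while still carrying VLAN 64 and VLAN 100 respectively; the current High School device gets the normal role on VLAN 72; the unmapped guest is rejected. In a real deployment the equivalent check is to look at the RADIUS Access-Accept for a quarantined client and confirm the VLAN attributes are present alongside the quarantine role, rather than absent.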
