Quarantine VLAN or Policy based on Assessment?
‎05-30-2016 09:04 AM
Hello,
I'm currently in the middle of integrating an Extreme solution in our test environment before we bring it over to production. To keep it simple, my main question is that I have a NAC policy that will authenticate a user, and do assessment. If assessment fails, then I want to apply a Quarantine rule. I'm unsure if I am supposed to create a separate Quarantine VLAN or apply policies to have these users in a limited role. I have asked Extreme consultants and some have advised going the policy route giving end users limited access. Therefore this is the route that I am trying to pursue.
Here's a rundown of what we have done:
- Integrated Active Directory, and MDM JAMF's Casper Suite for Assessment.
- Have 2 NAC's and 2 Extreme Wireless Controllers working.
- Have Dynamic VLAN working utilizing one SSID, "ASD_EXT". Based on LDAP:
  - If you are a High School Student, you get placed into VLAN 72
  - If you are a Middle School Student, you get placed into VLAN 64
  - If you are Staff, you get placed into VLAN 100
- So I sort of have this working: my Quarantine policy works, where I have denied internet and allowed access to the Casper Server to remediate;
- however, the authenticated VLAN, whether 72 (High School), 64 (Middle School), or 100 (Staff), doesn't get honoured, and the client receives an IP that is in the VLAN of the Wireless APs when in quarantine.
- On the switch port I have the Access Point untagged with the Wireless Management VLAN 102, and have VLANs 72, 64, 100 tagged.
Thanks in advance!
Peter
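As an added illustration (not part of the post or Extreme's own code), the following model shows the two ways a NAC can answer for the setup above: a quarantine reply that still carries the user's VLAN alongside the limited policy role, versus one that carries only the role, in which case the client lands in the AP's untagged VLAN 102 as the post describes. The VLAN numbers and group-to-VLAN mapping are taken from the post; the `Filter-Id` policy-name format and the `Authenticated` role name are assumptions.

```python
# Added example: models the RADIUS Access-Accept a NAC returns for one user,
# combining a policy role (Filter-Id) with a dynamic VLAN (RFC 3580 tunnel
# attributes). VLAN numbers come from the post; the Filter-Id policy string
# format and the "Authenticated" role name are assumptions, not from the post.

# LDAP group -> VLAN, as described in the post
GROUP_VLAN = {
    "HighSchoolStudents": 72,
    "MiddleSchoolStudents": 64,
    "Staff": 100,
}
AUTHENTICATED_POLICY = "Authenticated"  # placeholder name for the normal role
QUARANTINE_POLICY = "Quarantine"        # limited role: Casper server only
AP_NATIVE_VLAN = 102                    # untagged on the AP's switch port


def radius_reply(ldap_group, assessment_passed, keep_vlan_in_quarantine=True):
    """Build the reply attributes for one authenticated user.

    keep_vlan_in_quarantine=False reproduces the symptom in the post: the
    quarantine reply carries only a policy role and no VLAN attributes.
    """
    vlan = GROUP_VLAN.get(ldap_group)
    if vlan is None:
        return {"Reply": "Access-Reject"}  # unknown group: no network access
    policy = AUTHENTICATED_POLICY if assessment_passed else QUARANTINE_POLICY
    reply = {
        "Reply": "Access-Accept",
        "Filter-Id": f"Enterasys:version=1:policy={policy}",  # assumed format
    }
    if assessment_passed or keep_vlan_in_quarantine:
        # Dynamic VLAN assignment: Tunnel-Type 13 = VLAN, Medium-Type 6 = 802
        reply.update({
            "Tunnel-Type": 13,
            "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": str(vlan),
        })
    return reply


def effective_vlan(reply):
    """VLAN the client ends up in: the RADIUS-assigned VLAN if present,
    otherwise the AP's untagged VLAN (the behaviour the post observes)."""
    return int(reply.get("Tunnel-Private-Group-ID", AP_NATIVE_VLAN))
```

Comparing `effective_vlan` for the two quarantine variants makes the difference visible: a role-only reply drops the client into VLAN 102, while a reply that also carries the tunnel attributes keeps the student or staff member in their own VLAN with the restricted role applied on top.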
