
OnConnect Enforcement

The following new features are introduced in ClearPass OnConnect Enforcement in the 6.6.1 release.

ClearPass 6.6.1 includes a new feature called ClearPass OnConnect Enforcement. This feature enables ClearPass to detect and apply enforcement to endpoints connected to wired switches without the need to enable AAA methods such as 802.1X or MAC Authentication. Using standards-based SNMP, wired switches can notify ClearPass when a new device has connected. ClearPass then uses its native profiling capabilities to match the learned MAC address against profiled information and applies a policy using SNMP. OnConnect Enforcement can also use information from Windows Management Instrumentation (WMI) to identify the logged-in user on a domain-joined computer, in order to apply identity-aware enforcement policies. This allows enforcement in non-AAA environments without the need for an agent, such as OnGuard, on the endpoint. (#34416, #34422)

Prerequisites:

* Configure SNMP v2c or v3 MIB access on the wired switch.
* Configure SNMP traps from the wired switch to the ClearPass appliance.
* Define a Network Access Device with SNMP information and physical ports to be used with OnConnect Enforcement (at Configuration > Network > Devices).
* Configure Windows Management Instrumentation details in the Profile settings (at Configuration > Profile Settings > WMI Configuration).
* Configure a service using the ClearPass OnConnect Enforcement template (at Configuration > Services > Add, select ClearPass OnConnect Enforcement in the Type drop-down list).

Sample Workflow:

1. Log in to a domain-joined endpoint.
2. Connect the endpoint to the port configured for OnConnect Enforcement.
3. The switch will send an SNMP trap to ClearPass with the endpoint MAC details.
4. ClearPass will learn of the endpoint IP and device details through profiling (for example, DHCP).
5. Using WMI, ClearPass will then initiate a scan against the endpoint to identify the logged-in user.
6. Based upon the user information, the endpoint can be placed into an appropriate VLAN or have its port bounced to apply a different policy.
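The decision flow in the sample workflow above, as an added simulation that is not ClearPass code: the switch trap, the profiling table (what ClearPass would have learned from DHCP), the WMI results, the AD group mapping and the VLAN assignments are all constructed in-line, and the function names are hypothetical. It also covers the failure modes a practitioner cares about: an endpoint that was never profiled, or a computer where WMI returns no logged-in domain user, lands in a quarantine VLAN instead of a production one.

```python
"""Simulation of an OnConnect-style enforcement decision (constructed example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Trap:
    """Fields a wired switch reports in its SNMP trap for a new endpoint (constructed)."""
    switch_ip: str
    if_index: int
    mac: str          # as formatted by the switch, e.g. "0011.2233.4455"


@dataclass(frozen=True)
class Enforcement:
    action: str       # "no_change" or "set_vlan_and_bounce"
    vlan: int
    reason: str


# Constructed profiling data, keyed by normalized MAC, as learned via DHCP.
PROFILE_DB = {
    "00:11:22:33:44:55": {"ip": "10.1.20.15", "category": "Computer", "os": "Windows"},
    "00:11:22:33:44:66": {"ip": "10.1.20.16", "category": "Computer", "os": "Windows"},
    "aa:bb:cc:dd:ee:01": {"ip": "10.1.20.40", "category": "Printer", "os": None},
}

# Constructed WMI results: endpoint IP -> logged-in domain user. A missing
# entry models an endpoint that is not domain-joined or not reachable via WMI.
WMI_DB = {"10.1.20.15": "CORP\\jdoe"}

# Constructed identity and policy data (hypothetical group and VLAN names).
AD_GROUPS = {"CORP\\jdoe": "Finance"}
VLANS = {"Finance": 120, "Printers": 300}
QUARANTINE_VLAN = 999


def normalize_mac(raw: str) -> str:
    """Accept dotted (Cisco), dashed or colon notation; return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[.:\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def lookup_wmi_user(ip: str):
    """Stand-in for the WMI query that returns the logged-in user (constructed data)."""
    return WMI_DB.get(ip)


def decide(trap: Trap, current_vlan: int) -> Enforcement:
    """Map a trap to an enforcement action: profile the MAC, identify the user, pick a VLAN."""
    mac = normalize_mac(trap.mac)
    profile = PROFILE_DB.get(mac)

    if profile is None:
        target, reason = QUARANTINE_VLAN, f"{mac} has no profile yet"
    elif profile["category"] == "Printer":
        target, reason = VLANS["Printers"], f"{mac} profiled as printer"
    elif profile["category"] == "Computer" and profile["os"] == "Windows":
        user = lookup_wmi_user(profile["ip"])
        group = AD_GROUPS.get(user) if user else None
        if user is None:
            target, reason = QUARANTINE_VLAN, f"{mac}: no logged-in domain user via WMI"
        elif group not in VLANS:
            target, reason = QUARANTINE_VLAN, f"{user} is not in a mapped group"
        else:
            target, reason = VLANS[group], f"{user} in group {group}"
    else:
        target, reason = QUARANTINE_VLAN, f"{mac}: unhandled device category"

    if target == current_vlan:
        return Enforcement("no_change", target, reason)
    # Changing the access VLAN and bouncing the port forces the endpoint to
    # re-address itself in the new VLAN (the switch-side change is done via SNMP).
    return Enforcement("set_vlan_and_bounce", target, reason)


if __name__ == "__main__":
    for raw_mac, port in (("0011.2233.4455", 5), ("AA-BB-CC-DD-EE-01", 6), ("de:ad:be:ef:00:01", 7)):
        result = decide(Trap("10.0.0.1", port, raw_mac), current_vlan=1)
        print(f"port {port}: {result.action} vlan={result.vlan} ({result.reason})")
```

Running the module prints one decision per constructed trap; the quarantine outcomes are the ones to watch in a real deployment, since they show where profiling or the WMI scan did not produce enough information to place the endpoint.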


OnConnect Enforcement is in feature-preview mode for ClearPass 6.6.1. It is made available for use in proof-of-concept environments and has only been tested with a limited number of Cisco and HPE ArubaOS-Switch platforms with domain-joined clients in this release. Support for additional third-party vendors and workflows will be added in subsequent releases.