Quarantine

The quarantine agent works in conjunction with a quarantine policy rule to perform the action specified in the associated policy role if the policy rule is hit. The quarantine agent also acts in conjunction with anti-spoofing and will perform the configured class action if an anti-spoofing class threshold is met (see Anti-Spoofing Configuration for anti-spoofing configuration details).

The quarantine agent must be enabled globally on the switch and locally on the port to be operational on the port. The quarantine agent is a form of authentication that depends upon the existence of one or more configured quarantine policy rules, with each rule associated with a policy profile. To configure a policy rule as a quarantine profile, configure the policy rule with the desired traffic filtering specifications and specify the quarantine-profile rule option, indicating the associated policy profile.

Once one or more quarantine policy rules are configured and associated with a policy profile, the quarantine authentication agent behaves as any other MultiAuth authentication agent. By default, the quarantine agent has the highest configurable MultiAuth precedence. Static rules have the highest MultiAuth precedence overall, and static rule MultiAuth precedence is not configurable.

There are two circumstances for which actions specified in a quarantine policy are used:

If you configure quarantine authentication for a lower MultiAuth precedence, and a non-quarantine authentication agent both returns a result and has the highest MultiAuth precedence, quarantine authentication will not be used in that context. Before you change the quarantine agent MultiAuth precedence level to a lower precedence, make sure this is the behavior you want.
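The precedence behavior described above, modeled in Python as an added example (not vendor code or switch CLI). It assumes that the highest-precedence agent that returned a result determines the applied profile; the agent names, profile names and data shapes are constructed for illustration.

```python
# Illustrative model only: agent names and data shapes are assumptions,
# not the switch's CLI or internal data structures.
from dataclasses import dataclass

STATIC = "static"          # static rules: always highest, not configurable
QUARANTINE = "quarantine"


@dataclass
class Port:
    quarantine_enabled: bool      # local (per-port) enable
    results: dict                 # agent name -> policy profile it returned


def effective_order(configured):
    """Static rules are pinned above whatever order the admin configured."""
    return [STATIC] + [a for a in configured if a != STATIC]


def winning_agent(configured, global_quarantine, port):
    """Return (agent, profile) for the highest-precedence agent with a result."""
    for agent in effective_order(configured):
        if agent == QUARANTINE and not (global_quarantine and port.quarantine_enabled):
            continue  # agent must be enabled globally AND on the port
        if agent in port.results:
            return agent, port.results[agent]
    return None, None


def agents_above_quarantine(configured):
    """Configurable agents whose result would override a quarantine hit."""
    order = [a for a in configured if a != STATIC]
    if QUARANTINE not in order:
        return order
    return order[:order.index(QUARANTINE)]


# Constructed sample: a host that passed 802.1X and also hit a quarantine rule.
port = Port(True, {"dot1x": "employee", QUARANTINE: "quarantine-vlan"})
default_order = [QUARANTINE, "dot1x", "mac"]   # quarantine first (the default)
lowered_order = ["dot1x", QUARANTINE, "mac"]   # quarantine moved down

if __name__ == "__main__":
    print(winning_agent(default_order, True, port))
    print(winning_agent(lowered_order, True, port))
    print(agents_above_quarantine(lowered_order))
```

With the lowered order, the host that hit the quarantine rule still receives the profile returned by the higher-precedence agent, which is the case to check for before changing precedence.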

Quarantine agent accounting is supported and defaults to disabled. To use quarantine agent accounting, RADIUS accounting must be enabled using the set radius accounting command. Quarantine agent accounting can be enabled using the set quarantine-agent accounting command.