
Advanced ClearPass Workshop

Nov 29, 2014


Workshop on ClearPass from our Airheads Local events.
Transcript
Page 1: Advanced ClearPass Workshop

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

Advanced ClearPass - Workshop

Ashwath Murthy

June 2014

Page 2: Advanced ClearPass Workshop


Agenda

• Discover, Monitor, Secure
• Network Security with ClearPass
• Deploying NAC with OnGuard
  – Wired & Wireless NAC
  – NAC – Best Practices
• TACACS+ for Network Device Security
• BYOD with Onboard
• Monitoring & Troubleshooting

Page 3: Advanced ClearPass Workshop

Network Security with ClearPass

Page 4: Advanced ClearPass Workshop


Discover Monitor Secure

• Discover
  – Discover via profiling
    • DHCP
    • Non-DHCP
• Monitor
  – Enable policies in “Monitor” mode
• Secure
  – Secure Wireless, Wired and VPNs

Page 5: Advanced ClearPass Workshop


Network Security – Wired & Wireless

• Strong Security with 802.1X
  – Enterprise Users
  – Need for strong, session-driven security
• Captive Portals for Guest Access
  – Transient users such as Guests, Contractors
  – Limited network access zones
  – Weaker security settings
• BYOD with unique credentials
  – Employee BYO Devices
  – Non-IT assets

Page 6: Advanced ClearPass Workshop


Network Security – Wired & Wireless

• Authenticate & Authorize
  – Certificates
  – UserID/Password
  – Tokens/OTP

Page 7: Advanced ClearPass Workshop


Network Security – Wired

• Enable 802.1X on access ports
• Allow fall-back to less secure modes of access (for example MAC authentication for devices with no supplicant)
  – Limit network access for sessions that fell back
• Segregate responsibilities
  – Aruba Roles
  – VLANs
  – ACLs/dACLs
  – Upstream enforcement with L3-L7 firewalls such as Palo Alto

Page 8: Advanced ClearPass Workshop


Network Security – Wired

• But I have older switches that do not support 802.1X!
• Use SNMP to enforce port status
  – Set VLANs and Session-Timeout values
  – “Bounce” a port
  – Send LinkUp/LinkDown and MAC Notification Traps to ClearPass
  – This needs SNMP write access from ClearPass to the switch; prefer SNMPv3 where the switch supports it, since v1/v2c community strings cross the wire in cleartext

Page 9: Advanced ClearPass Workshop


Network Security – Wired

• How will ClearPass set VLANs using SNMP?
  – Using standard MIBs: IF-MIB (ifAdminStatus) for port status and the port bounce; the VLAN itself is written through the switch's bridge or vendor VLAN MIB, since IF-MIB has no VLAN objects
• SNMP VLANs and MAC Authentication? What!?
  – Redirect the user to a captive portal after MAB
  – Authenticate & Authorize with the captive portal
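The port bounce described on the two slides above is, on the wire, a pair of SNMP SET requests writing IF-MIB::ifAdminStatus for the port's ifIndex: down(2), then up(1). The following is an added example, not ClearPass code: it BER-encodes those SNMPv2c SET messages from scratch and decodes them back so the bytes can be checked without a switch. The community string, request IDs and ifIndex values are constructed; nothing is sent.

```python
"""
Minimal SNMPv2c SET-request builder/decoder (BER) for the IF-MIB port bounce
an SNMP enforcement action performs: write ifAdminStatus = down(2), then up(1),
for one interface index.  Constructed example; no device is contacted.
"""

# IF-MIB::ifAdminStatus (1.3.6.1.2.1.2.2.1.7), indexed by ifIndex
IF_ADMIN_STATUS = [1, 3, 6, 1, 2, 1, 2, 2, 1, 7]
UP, DOWN = 1, 2

# BER tags used by SNMP messages
TAG_INT, TAG_OCTETS, TAG_OID, TAG_SEQ, TAG_SET_REQ = 0x02, 0x04, 0x06, 0x30, 0xA3
SNMP_V2C = 1  # version field value for SNMPv2c


def _ber_len(n):
    """Definite-length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _enc_int(v):
    # minimal two's-complement length (0 -> 00, 127 -> 7F, 128 -> 00 80)
    return _tlv(TAG_INT, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _enc_oid(subids):
    # first two arcs packed into one byte (1.3 -> 43), remaining arcs base-128
    # big-endian with the continuation bit set on all but the last byte
    out = bytearray([40 * subids[0] + subids[1]])
    for s in subids[2:]:
        chunk = [s & 0x7F]
        s >>= 7
        while s:
            chunk.append(0x80 | (s & 0x7F))
            s >>= 7
        out += bytes(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def build_set(community, request_id, if_index, status):
    """One SNMPv2c SET of IF-MIB::ifAdminStatus.<if_index> to <status>."""
    varbind = _tlv(TAG_SEQ, _enc_oid(IF_ADMIN_STATUS + [if_index]) + _enc_int(status))
    pdu = _tlv(TAG_SET_REQ, _enc_int(request_id) + _enc_int(0) + _enc_int(0)  # id, error-status, error-index
               + _tlv(TAG_SEQ, varbind))
    return _tlv(TAG_SEQ, _enc_int(SNMP_V2C) + _tlv(TAG_OCTETS, community.encode()) + pdu)


def port_bounce(community, if_index, request_id=1):
    """The two SET messages a port bounce sends, in order: down, then up."""
    return [build_set(community, request_id, if_index, DOWN),
            build_set(community, request_id + 1, if_index, UP)]


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _dec_oid(body):
    subids, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    return ".".join(map(str, subids))


def decode_message(msg):
    """Parse an SNMPv2c message back into its fields (enough to verify a SET)."""
    _, body, _ = _read_tlv(msg, 0)
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)  # error-status, always 0 in a request
    _, _, pos = _read_tlv(pdu, pos)  # error-index, always 0 in a request
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, p)
        varbinds.append((_dec_oid(oid),
                         int.from_bytes(val, "big", signed=True) if vtag == TAG_INT else val))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(),
            "pdu_type": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "varbinds": varbinds}


if __name__ == "__main__":
    # Print the wire bytes for a bounce of ifIndex 7 with the constructed community "private"
    for m in port_bounce("private", if_index=7):
        print(m.hex(), decode_message(m))
```

The same two writes from a shell, against a real switch on UDP/161, are `snmpset -v2c -c private <switch> IF-MIB::ifAdminStatus.7 i 2` followed by `... i 1`. The message carries the community string as a plain OCTET STRING, which is the concrete reason to move the ClearPass-to-switch SNMP credentials to SNMPv3 wherever the switch allows it.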

Page 10: Advanced ClearPass Workshop

Wireless Access Security

Page 11: Advanced ClearPass Workshop


Wireless – Enterprise

• Enable 802.1X – WPA/WPA2 Enterprise
  – Session-based keys for secure connectivity
  – Terminate EAP on ClearPass – the infrastructure is EAP-agnostic: the controller or switch only relays the EAP exchange inside RADIUS and receives the resulting session keys, so the EAP method can change without touching the network devices
  – Consistent user experience and security practice across deployments

Page 12: Advanced ClearPass Workshop


Wireless – Guest

• Enable Guest Access/MAC Authentication
  – This can be combined with a WPA/WPA2 Passphrase
  – Networks are inherently open unless secured!
  – Strong access restrictions
    • Tunneled VLANs
    • Stateful ACLs
    • DPI/Application Monitoring

Page 13: Advanced ClearPass Workshop


Wireless – BYOD

• What about BYO Devices?
• BYO Devices on the enterprise network
  – Deliver certificates to BYO Devices using Onboard
  – Segregate responsibilities by identifying BYO Devices
  – Control device life cycle
• BYO Devices on the guest network
  – Devices use a segregated guest network
  – Limited network access
  – Challenges with device life cycle

Page 14: Advanced ClearPass Workshop

NAC is Back, Baby!!!

Page 15: Advanced ClearPass Workshop


NAC

• Agent Types – Persistent/Dissolvable
• Posture Assessment – Windows, Mac, Linux
  – Agent Types
  – Health Check Options
• Enforcement Options
  – Role-based
  – Application-based
  – To remediate, or not to remediate?
• Wired NAC vs. Wireless NAC
• NAC for VPN
• Best Practices, Thoughts

Page 16: Advanced ClearPass Workshop

TACACS+ for Network Devices

Page 17: Advanced ClearPass Workshop


TACACS+

• TACACS+ Authentication
  – Console, Shell, UI Login
• TACACS+ Authorization
  – Command Authorization
  – Command Levels
• TACACS+ Accounting
  – Accounting & Audit Trails
  – Authorization vs. Accounting
• Vendor Specifics
  – TACACS+ Dictionaries
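The slide's "Authorization vs. Accounting" point is easiest to see in code: with TACACS+ command authorization the device asks the server for a permit/deny decision on every command before running it, while accounting only records what was run afterwards and can block nothing. The following is an added example, not ClearPass code and not its enforcement-profile syntax: a first-match, deny-by-default command-authorization evaluator with a privilege level per role, plus the accounting record that follows. The role names, rule patterns and the `AUDIT_LOG` store are constructed for illustration.

```python
"""
Command-authorization evaluator modelled on per-command TACACS+ authorization.
Constructed example: rule format, role names and the audit store are assumptions.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str    # "permit" or "deny"
    pattern: str   # regex, fullmatch'd against the normalized command line


@dataclass
class Role:
    name: str
    privilege: int                            # priv-lvl the device is told to grant at shell start
    rules: list = field(default_factory=list)  # evaluated in order, first match wins


# Constructed roles.  Patterns are fullmatch'd so a permit for "show" cannot
# silently cover "show running-config", and every role denies when nothing matches.
# Whether a device expands abbreviations before asking the server is device-specific,
# so the deny for the running config is written to cover "show run" as well.
ROLES = {
    "netops-readonly": Role("netops-readonly", privilege=1, rules=[
        Rule("deny", r"show\s+run.*"),        # running config can contain secrets
        Rule("permit", r"show\s+.*"),
        Rule("permit", r"ping\s+.*"),
    ]),
    "netops-admin": Role("netops-admin", privilege=15, rules=[
        Rule("deny", r"(no\s+)?aaa\s+.*"),    # AAA config is changed in ClearPass, not the shell
        Rule("deny", r"reload.*"),
        Rule("permit", r".*"),
    ]),
}

AUDIT_LOG = []  # constructed stand-in for the accounting store


def normalize(cmd, args):
    """TACACS+ sends cmd plus cmd-arg attributes; join them and squeeze whitespace."""
    return " ".join(" ".join([cmd, *args]).split()).lower()


def shell_privilege(role_name):
    """priv-lvl returned at shell start, or None for an unknown role (no shell)."""
    role = ROLES.get(role_name)
    return role.privilege if role else None


def authorize(role_name, cmd, args=()):
    """Per-command decision: (permitted, reason).  Unknown role or no match is a deny."""
    role = ROLES.get(role_name)
    if role is None:
        return False, "unknown role"
    line = normalize(cmd, args)
    for rule in role.rules:
        if re.fullmatch(rule.pattern, line):
            return rule.action == "permit", f"{rule.action}: {rule.pattern}"
    return False, "no matching rule (implicit deny)"


def account(user, role_name, cmd, args, permitted):
    """Accounting runs after the decision: it records the event and cannot block it."""
    record = {"user": user, "role": role_name,
              "command": normalize(cmd, args), "permitted": permitted}
    AUDIT_LOG.append(record)
    return record


def run_session(user, role_name, commands):
    """Authorize each (cmd, args) in turn and account for it; returns the decisions."""
    decisions = []
    for cmd, args in commands:
        permitted, reason = authorize(role_name, cmd, args)
        account(user, role_name, cmd, args, permitted)
        decisions.append((normalize(cmd, args), permitted, reason))
    return decisions


if __name__ == "__main__":
    for line in run_session("alice", "netops-readonly",
                            [("show", ["ip", "route"]), ("show", ["run"]), ("reload", [])]):
        print(line)
```

Reading the decisions for the read-only role: `show ip route` is permitted, `show run` and `show running-config` are both denied by the first rule, and `reload` falls through to the implicit deny. The accounting record exists for all three, including the denied ones, which is what makes the audit trail useful and also why accounting alone is no substitute for authorization.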

Page 18: Advanced ClearPass Workshop

BYOD with Onboard

Page 19: Advanced ClearPass Workshop


BYOD with Onboard

• CA Settings
  – Stand-alone CA
  – Intermediate CA
  – ADCS
• Configuration Payloads
  – iOS & Mac OS X
  – Microsoft Windows
  – Android
• Provisioning Settings
  – TLS? PEAP-MSCHAPv2? (the device certificate Onboard delivers is what makes EAP-TLS possible, taking the user's password out of the wireless authentication entirely)
  – Security Settings
  – Certificate Renewal

Page 20: Advanced ClearPass Workshop

Monitoring & Troubleshooting

Page 21: Advanced ClearPass Workshop


Monitoring & Troubleshooting

• Monitoring on ClearPass
  – Access Tracker
    • Alerts Tab
    • Accounting Tab
    • “Show Logs”
  – Analysis & Trending
    • Drill Down
  – Policy Simulation
  – Authentication Simulation
  – Insight

Page 22: Advanced ClearPass Workshop


Monitoring & Troubleshooting

• External Monitoring
  – SIEM with Syslog/APIs
  – SNMP
  – SQL Access

Page 23: Advanced ClearPass Workshop

#AirheadsLocal