
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc. All rights reserved

Advanced ClearPass - Workshop
Ashwath Murthy
June 2014


Agenda

• Discover Monitor Secure

• Network Security with ClearPass

• Deploying NAC with OnGuard

– Wired & Wireless NAC

– NAC – Best Practices

• TACACS+ for Network Device Security

• BYOD with Onboard

• Monitoring & Troubleshooting

Network Security with ClearPass


Discover Monitor Secure

• Discover

– Discover via profiling

• DHCP

• Non-DHCP

• Monitor

– Enable policies in “Monitor” Mode

• Secure

– Secure Wireless, Wired and VPNs


Network Security – Wired & Wireless

• Strong Security with 802.1X

– Enterprise Users

– Need for strong, session-driven security

• Captive Portals for Guest Access

– Transient users such as Guests, Contractors

– Limited network access zones

– Weaker security settings

• BYOD with unique credentials

– Employee BYO Devices

– Non-IT assets


Network Security – Wired & Wireless

• Authenticate & Authorize

– Certificates

– UserID/Password

– Tokens/OTP


Network Security – Wired

• Enable 802.1X on access ports

• Allow fall-back to less secure modes of access

– Limit network access

• Segregate responsibilities

– Aruba Roles

– VLANs

– ACLs/dACLs

– Upstream enforcement with L3-L7 firewalls such as Palo Alto
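The "Aruba Roles / VLANs / limited fall-back access" enforcement on this slide, as an added example that is not part of the deck and not ClearPass code: it encodes the RADIUS attributes a NAC server returns in an Access-Accept for a fully authenticated 802.1X employee versus a device that fell back to MAC authentication (RFC 2865/2868 attributes plus the Aruba vendor-specific attribute, vendor ID 14823, Aruba-User-Role = 1), computes the Response Authenticator, and decodes the attributes back. The profile names, VLAN IDs, timeouts and shared secret are constructed for the example.

```python
"""Added example: encode/decode the RADIUS enforcement attributes behind
"Aruba Roles / VLANs / limited fall-back access". Not ClearPass code; the
profile names, VLANs, timeouts and secret below are constructed for the demo."""
import hashlib
import struct
from typing import Dict, List, Tuple, Union

ACCESS_ACCEPT = 2
# RFC 2865 / RFC 2868 attribute types
SESSION_TIMEOUT, TERMINATION_ACTION, VENDOR_SPECIFIC = 27, 29, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
# Aruba vendor-specific attribute carrying the user role
ARUBA_VENDOR_ID, ARUBA_USER_ROLE = 14823, 1


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def aruba_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id, then vendor type/length/value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + inner)


def enforcement_attrs(role: str, vlan: int, session_timeout: int) -> bytes:
    """Role + VLAN + re-authentication timer, as returned in an Access-Accept."""
    return b"".join([
        aruba_vsa(ARUBA_USER_ROLE, role.encode()),
        tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN),
        tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE802),
        avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(vlan).encode()),
        avp(SESSION_TIMEOUT, struct.pack("!I", session_timeout)),
        avp(TERMINATION_ACTION, struct.pack("!I", 1)),  # 1 = RADIUS-Request: re-auth at expiry
    ])


# Constructed enforcement profiles: a full 802.1X user gets the corporate role and
# VLAN; a MAC-auth fall-back device gets a restricted role, a restricted VLAN and a
# short Session-Timeout so a later 802.1X attempt is picked up quickly.
PROFILES: Dict[str, Dict[str, Union[str, int]]] = {
    "dot1x-employee": {"role": "employee", "vlan": 100, "session_timeout": 8 * 3600},
    "mab-fallback": {"role": "mab-restricted", "vlan": 900, "session_timeout": 600},
}


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Code, Identifier, Length, Response Authenticator (RFC 2865 s3), attributes."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS must check: the authenticator ties the Accept to the request
    and to the shared secret. Without this, anyone on the path can forge an Accept."""
    header, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return struct.unpack("!H", header[2:4])[0] == len(pkt) and expected == resp_auth


def parse_attrs(attrs: bytes) -> List[Tuple[str, Union[str, int]]]:
    """Decode the attributes above back to (name, value) pairs."""
    out, pos = [], 0
    while pos < len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2 or pos + l > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        v = attrs[pos + 2:pos + l]
        pos += l
        if t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == ARUBA_VENDOR_ID and v[4] == ARUBA_USER_ROLE:
            out.append(("Aruba-User-Role", v[6:4 + v[5]].decode()))
        elif t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append(({TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type"}[t],
                        int.from_bytes(v[1:4], "big")))
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte in 0x01..0x1F is a tag, otherwise part of the string
            out.append(("Tunnel-Private-Group-ID", (v[1:] if 0 < v[0] <= 0x1F else v).decode()))
        elif t in (SESSION_TIMEOUT, TERMINATION_ACTION):
            out.append(({SESSION_TIMEOUT: "Session-Timeout", TERMINATION_ACTION: "Termination-Action"}[t],
                        struct.unpack("!I", v)[0]))
        else:
            out.append((f"Attr-{t}", v.hex()))
    return out


if __name__ == "__main__":
    for name, p in PROFILES.items():
        print(name, parse_attrs(enforcement_attrs(p["role"], p["vlan"], p["session_timeout"])))
```

The point of the two profiles is that the fall-back path is not "no security": the MAB device still gets a role and VLAN of its own, and the short Session-Timeout with Termination-Action = RADIUS-Request forces a fresh authentication rather than leaving a MAC-spoofing device on the port indefinitely. Whether the switch honours the Aruba-User-Role VSA or only the Tunnel-* VLAN attributes depends on the NAS vendor, so dACLs or upstream firewall policy (the next bullet) are what make the role meaningful on third-party wired gear.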


Network Security – Wired

• But I have older switches that do not support 802.1X!

• Use SNMP to enforce port status

– Set VLANs and Session-Timeout values

– “Bounce” a port

– Send LinkUp/LinkDown and MAC Notification Traps to ClearPass


Network Security – Wired

• How will ClearPass set VLANs using SNMP?

– Using the standard IF-MIB (RFC 2863) for port state (ifAdminStatus); VLAN membership is written through the switch's bridge or vendor VLAN MIB

• SNMP VLANs and MAC Authentication? What!?

– Redirect the user to a captive portal after MAB

– Authenticate & Authorize with the captive portal
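The port bounce and SNMP-based enforcement mechanics of the two slides above, as an added example that is not part of the deck and not ClearPass code: it builds the SNMPv2c SetRequest that writes IF-MIB::ifAdminStatus for a given ifIndex (2 = down, then 1 = up) and decodes the message back so the varbinds can be checked. The community string, ifIndex and request IDs are constructed; only the standard library is used, and the UDP send to port 161 is left out so the example runs offline.

```python
"""Added example: the SNMPv2c SetRequest behind "bounce a port" via
IF-MIB::ifAdminStatus, plus a decoder to inspect it. Hypothetical helper code,
not Aruba ClearPass code; community, ifIndex and request-ids are made up."""
from typing import List, Tuple

# IF-MIB::ifAdminStatus (RFC 2863): 1.3.6.1.2.1.2.2.1.7.<ifIndex>; 1 = up, 2 = down
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"
ADMIN_UP, ADMIN_DOWN = 1, 2

TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE, TAG_SET_REQUEST = 0x02, 0x04, 0x06, 0x30, 0xA3


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER (non-negative values only in this example)."""
    if v < 0:
        raise ValueError("negative integers are not needed here")
    return tlv(TAG_INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunks))
    return tlv(TAG_OID, bytes(out))


def build_set_request(community: str, varbinds: List[Tuple[str, int]], request_id: int) -> bytes:
    """SNMPv2c message: version(1), community, SetRequest-PDU{req-id, 0, 0, varbinds}."""
    vbl = b"".join(tlv(TAG_SEQUENCE, encode_oid(o) + encode_int(v)) for o, v in varbinds)
    pdu = tlv(TAG_SET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(TAG_SEQUENCE, vbl))
    return tlv(TAG_SEQUENCE, encode_int(1) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def port_bounce_messages(community: str, if_index: int, request_id: int = 1) -> List[bytes]:
    """The two SETs a NAC server sends to bounce a port: admin down, then admin up.
    The switch answers with linkDown/linkUp traps, which is what ClearPass consumes.
    Caveat (not from the slides): in v2c the write community is cleartext on the wire."""
    oid = f"{IF_ADMIN_STATUS}.{if_index}"
    return [build_set_request(community, [(oid, ADMIN_DOWN)], request_id),
            build_set_request(community, [(oid, ADMIN_UP)], request_id + 1)]


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_set_request(msg: bytes) -> dict:
    """Decode a v2c SetRequest back into its fields, to verify what goes on the wire."""
    _, body, _ = _read_tlv(msg, 0)
    _, ver, p = _read_tlv(body, 0)
    _, comm, p = _read_tlv(body, p)
    pdu_tag, pdu, _ = _read_tlv(body, p)
    if pdu_tag != TAG_SET_REQUEST:
        raise ValueError(f"not a SetRequest: tag 0x{pdu_tag:02x}")
    _, rid, p = _read_tlv(pdu, 0)
    _, _, p = _read_tlv(pdu, p)  # error-status
    _, _, p = _read_tlv(pdu, p)  # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid, q = _read_tlv(vb, 0)
        _, val, _ = _read_tlv(vb, q)
        varbinds.append((_decode_oid(oid), int.from_bytes(val, "big", signed=True)))
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode(),
            "request_id": int.from_bytes(rid, "big"), "varbinds": varbinds}


if __name__ == "__main__":
    for m in port_bounce_messages("private", 10):
        print(m.hex(), parse_set_request(m))
```

Two caveats the slides leave implicit. The SNMPv2c write community travels in cleartext and is all an attacker on the management path needs to bounce ports or move them between VLANs, so restrict it to the ClearPass addresses with an SNMP ACL/view on the switch, or use SNMPv3 authPriv where the switch supports it. And IF-MIB only covers port state: the VLAN assignment on the previous slide is written through a bridge or vendor VLAN MIB, which is why SNMP enforcement is vendor-specific in a way RADIUS-returned VLANs are not.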

Wireless Access Security


Wireless – Enterprise

• Enable 802.1X – WPA/WPA2 Enterprise

– Session-based keys for secure connectivity

– Terminate EAP on ClearPass – infrastructure is EAP-agnostic

– Consistent user experience and security practice across deployments


Wireless – Guest

• Enable Guest Access/MAC Authentication

– This can be combined with a WPA/WPA2-Personal passphrase (pre-shared key)

– Networks are inherently open unless secured!

– Strong access restrictions

• Tunneled VLANs

• Stateful ACLs

• DPI/Application Monitoring


Wireless – BYOD

• What about BYO Devices?

• BYO Devices on the enterprise network

– Deliver certificates to BYO Devices using Onboard

– Segregate responsibilities by identifying BYO Devices

– Control device life cycle

• BYO Devices on the guest network

– Devices use a segregated guest network

– Limited network access

– Challenges with device life cycle

NAC is Back, Baby!!!


NAC

• Agent Types – Persistent/Dissolvable

• Posture Assessment – Windows, Mac, Linux

– Agent Types

– Health Check Options

• Enforcement Options

– Role-based

– Application-based

– To remediate, or not to remediate?

• Wired NAC vs. Wireless NAC

• NAC for VPN

• Best Practices, Thoughts

TACACS+ for Network Devices


TACACS+

• TACACS+ Authentication

– Console, Shell, UI Login

• TACACS+ Authorization

– Command Authorization

– Command Levels

• TACACS+ Accounting

– Accounting & Audit Trails

– Authorization vs. Accounting

• Vendor Specifics

– TACACS+ Dictionaries
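The command authorization, command levels and "authorization vs. accounting" bullets above, as an added example that is not part of the deck and not ClearPass code: a TACACS+ command-authorization policy evaluated the way a AAA server does on each AUTHOR request (deny rules first, then permit rules, then the policy default), the privilege level it hands back at login, the directory-group to policy mapping, and the accounting record that results. Policy names, group DNs and command patterns are constructed for the example.

```python
"""Added example (not ClearPass code): TACACS+ command authorization as a
deny-first/permit/default policy, with the matching accounting record.
Role names, group DNs and command patterns are constructed for the demo."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CommandPolicy:
    name: str
    priv_lvl: int                                     # returned as priv-lvl=N at shell login
    deny: List[str] = field(default_factory=list)     # anchored regexes, checked first
    permit: List[str] = field(default_factory=list)
    default_permit: bool = False                      # unmatched commands are denied unless set


# Constructed policies. Deny rules win over permit rules: the read-only role gets a
# broad "show" permit but is still kept away from config dumps, which carry secrets.
POLICIES: Dict[str, CommandPolicy] = {
    "netops-readonly": CommandPolicy(
        name="netops-readonly", priv_lvl=1,
        deny=[r"show (running-config|startup-config)( .*)?"],
        permit=[r"show .*", r"ping .*", r"traceroute .*", r"terminal .*", r"exit", r"logout"]),
    "netops-admin": CommandPolicy(
        name="netops-admin", priv_lvl=15,
        deny=[r"write erase", r"erase .*", r"reload( .*)?", r"no aaa .*", r"format .*"],
        default_permit=True),
}

# Constructed mapping from directory groups to policies; first match wins.
GROUP_TO_POLICY: List[Tuple[str, str]] = [
    ("CN=Network-Admins,OU=Groups,DC=example,DC=com", "netops-admin"),
    ("CN=NOC-Tier1,OU=Groups,DC=example,DC=com", "netops-readonly"),
]


def policy_for_groups(groups: List[str]) -> Optional[CommandPolicy]:
    """Pick the policy for a user's group memberships; None means reject the login."""
    for group, policy in GROUP_TO_POLICY:
        if group in groups:
            return POLICIES[policy]
    return None


def normalize(cmd: str) -> str:
    """Collapse whitespace and case so ' Show   Run ' and 'show run' evaluate identically."""
    return " ".join(cmd.split()).lower()


def authorize(policy: CommandPolicy, cmd: str) -> Tuple[bool, str]:
    """Deny first, then permit, then the policy default. fullmatch() keeps a pattern
    like 'show .*' from matching a command that merely contains the word 'show'."""
    c = normalize(cmd)
    for pat in policy.deny:
        if re.fullmatch(pat, c):
            return False, f"deny:{pat}"
    for pat in policy.permit:
        if re.fullmatch(pat, c):
            return True, f"permit:{pat}"
    return policy.default_permit, "default"


def accounting_record(user: str, device: str, policy: CommandPolicy, cmd: str) -> Dict[str, str]:
    """Accounting is the audit trail, not the control: it records the command and the
    decision but stops nothing. Only authorize() above prevents anything."""
    ok, reason = authorize(policy, cmd)
    return {"user": user, "nas": device, "priv-lvl": str(policy.priv_lvl),
            "cmd": normalize(cmd), "result": "permit" if ok else "deny", "reason": reason}


if __name__ == "__main__":
    pol = policy_for_groups(["CN=NOC-Tier1,OU=Groups,DC=example,DC=com"])
    for c in ["show interfaces status", "show running-config", "configure terminal"]:
        print(accounting_record("alice", "sw-access-01", pol, c))
```

The deny patterns assume the NAS sends the expanded command (`show running-config`, not `sh run`) in the authorization request; where a platform sends what the operator typed, the deny list has to cover the abbreviations too, and a permissive default on the admin policy is the risky choice. TACACS+ (RFC 8907) only obfuscates the packet body with an MD5-derived pad, so the authorization and accounting exchanges themselves belong on a management network or inside IPsec, not on a user-reachable segment.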

BYOD with Onboard


BYOD with Onboard

• CA Settings

– Stand-alone CA

– Intermediate CA

– Microsoft ADCS (Active Directory Certificate Services)

• Configuration Payloads

– iOS & Mac OS X

– Microsoft Windows

– Android

• Provisioning Settings

– EAP-TLS (device certificate) or PEAP-MSCHAPv2 (username/password)?

– Security Settings

– Certificate Renewal

Monitoring & Troubleshooting


Monitoring & Troubleshooting

• Monitoring on ClearPass

– Access Tracker

• Alerts Tab

• Accounting Tab

• “Show Logs”

– Analysis & Trending

• Drill Down

– Policy Simulation

– Authentication Simulation

– Insight


Monitoring & Troubleshooting

• External Monitoring

– SIEM with Syslog/APIs

– SNMP

– SQL Access

#AirheadsLocal