CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Advanced ClearPass - Workshop
Ashwath Murthy
June 2014
Agenda
• Discover Monitor Secure
• Network Security with ClearPass
• Deploying NAC with OnGuard
– Wired & Wireless NAC
– NAC – Best Practices
• TACACS+ for Network Device Security
• BYOD with Onboard
• Monitoring & Troubleshooting
Discover Monitor Secure
• Discover
– Discover via profiling
• DHCP
• Non-DHCP
• Monitor
– Enable policies in “Monitor” Mode
• Secure
– Secure Wireless, Wired and VPNs
Network Security – Wired & Wireless
• Strong Security with 802.1X
– Enterprise Users
– Need for strong, session-driven security
• Captive Portals for Guest Access
– Transient users such as Guests, Contractors
– Limited network access zones
– Weaker security settings
• BYOD with unique credentials
– Employee BYO Devices
– Non-IT assets
Network Security – Wired & Wireless
• Authenticate & Authorize
– Certificates
– UserID/Password
– Tokens/OTP
Network Security – Wired
• Enable 802.1X on access ports
• Allow fall-back to less secure modes of access
– Limit network access
• Segregate responsibilities
– Aruba Roles
– VLANs
– ACLs/dACLs
– Upstream enforcement with L3-L7 firewalls such as Palo Alto
Network Security – Wired
• But I have older switches that do not support 802.1X!
• Use SNMP to enforce port status
– Set VLANs and Session-Timeout values
– “Bounce” a port
– Send LinkUp/LinkDown and MAC Notification Traps to ClearPass
Network Security – Wired
• How will ClearPass set VLANs using SNMP?
– Using the standard IF-MIB
• SNMP VLANs and MAC Authentication? What!?
– Redirect the user to a captive portal after MAB
– Authenticate & Authorize with the captive portal
Wireless – Enterprise
• Enable 802.1X – WPA/WPA2 Enterprise
– Session-based keys for secure connectivity
– Terminate EAP on ClearPass – infrastructure is EAP-agnostic
– Consistent user experience and security practice across deployments
Wireless – Guest
• Enable Guest Access/MAC Authentication
– This can be combined with a WPA/WPA2 Passphrase
– Networks are inherently open unless secured!
– Strong access restrictions
• Tunneled VLANs
• Stateful ACLs
• DPI/Application Monitoring
Wireless – BYOD
• What about BYO Devices?
• BYO Devices on the enterprise network
– Deliver certificates to BYO Devices using Onboard
– Segregate responsibilities by identifying BYO Devices
– Control device life cycle
• BYO Devices on the guest network
– Devices use a segregated guest network
– Limited network access
– Challenges with device life cycle
NAC
• Agent Types – Persistent/Dissolvable
• Posture Assessment – Windows, Mac, Linux
– Agent Types
– Health Check Options
• Enforcement Options
– Role-based
– Application-based
– To remediate, or not to remediate?
• Wired NAC vs. Wireless NAC
• NAC for VPN
• Best Practices, Thoughts
TACACS+
• TACACS+ Authentication
– Console, Shell, UI Login
• TACACS+ Authorization
– Command Authorization
– Command Levels
• TACACS+ Accounting
– Accounting & Audit Trails
– Authorization vs. Accounting
• Vendor Specifics
– TACACS+ Dictionaries
BYOD with Onboard
• CA Settings
– Stand-alone CA
– Intermediate CA
– ADCS
• Configuration Payloads
– iOS & Mac OS X
– Microsoft Windows
– Android
• Provisioning Settings
– TLS? PEAP-MSCHAPv2?
– Security Settings
– Certificate Renewal
Monitoring & Troubleshooting
• Monitoring on ClearPass
– Access Tracker
• Alerts Tab
• Accounting Tab
• “Show Logs”
– Analysis & Trending
• Drill Down
– Policy Simulation
– Authentication Simulation
– Insight
Monitoring & Troubleshooting
• External Monitoring
– SIEM with Syslog/APIs
– SNMP
– SQL Access