Your SlideShare is downloading. ×
  • Like

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Advanced Aruba ClearPass Workshop

  • 1,405 views
Published

Practice makes perfect - let's get together to walk through the Aruba ClearPass product in real-time to better understand all the configuration, monitoring and reporting options available. In this …

Practice makes perfect - let's get together to walk through the Aruba ClearPass product in real-time to better understand all the configuration, monitoring and reporting options available. In this session you will be able to gather practical knowledge on how to use Clearpass features such as Single Sign-On (SSO), TACACS+, RADIUS return attributes and more.
To learn more, visit us at http://www.arubanetworks.com/wlan. Join the discussion at https://community.arubanetworks.com

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,405
On SlideShare
0
From Embeds
0
Number of Embeds
6

Actions

Shares
Downloads
108
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Advanced ClearPass – Workshop Ashwath Murthy March, 2014
  • 2. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved 2 #AirheadsConf Agenda Discover  Monitor  Secure Network Security with ClearPass Deploying NAC with OnGuard Wired & Wireless NAC NAC – Best Practices TACACS+ for Network Device Security BYOD with Onboard Monitoring & Troubleshooting
  • 3. 3 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security with ClearPass
  • 4. 4 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Discover  Monitor  Secure • Discover – Discover via profiling • DHCP • Non-DHCP • Monitor – Enable policies in “Monitor” Mode • Secure – Secure Wireless, Wired and VPNs
  • 5. 5 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired & Wireless • Strong Security with 802.1X – Enterprise Users – Need for strong, session-driven security • Captive Portals for Guest Access – Transient users such as Guests, Contractors – Limited network access zones – Weaker security settings • BYOD with unique credentials – Employee BYO Devices – Non-IT assets
  • 6. 6 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired & Wireless • Authenticate & Authorize – Certificates – UserID/Password – Tokens/OTP
  • 7. 7 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired • Enable 802.1X on access ports • Allow fall-back to less secure modes of access – Limit network access • Segregate responsibilities – Aruba Roles – VLANs – ACLs/dACLs – Upstream enforcement with L3-L7 firewalls such as Palo Alto
  • 8. 8 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired • But I have older switches that do not support 802.1X! • Use SNMP to enforce port status – Set VLANs and Session-Timeout values – “Bounce” a port – Send LinkUp/LinkDown and MAC Notification Traps to ClearPass
  • 9. 9 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired • How will ClearPass set VLANs using SNMP? – Using the standard If-MIB • SNMP VLANs and MAC Authentication? What!? – Redirect the user to a captive portal after MAB – Authenticate & Authorize with the captive portal
  • 10. 10 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Wireless Access Security
  • 11. 11 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Wireless – Enterprise • Enable 802.1X – WPA/WPA2 Enterprise – Session-based keys for secure connectivity – Terminate EAP on ClearPass – infrastructure is EAP- agnostic – Consistent user experience and security practice across deployments
  • 12. 12 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Wireless – Guest • Enable Guest Access/MAC Authentication – This can be combined with a WPA/WPA2 Passphrase – Networks are inherently open unless secured! – Strong access restrictions • Tunneled VLANs • Stateful ACLs • DPI/Application Monitoring
  • 13. 13 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Wireless – BYOD • What about BYO Devices? • BYO Devices on the enterprise network – Deliver certificates to BYO Devices using Onboard – Segregate responsibilities by identifying BYO Devices – Control device life cycle • BYO Devices on the guest network – Devices use a segregated guest network – Limited network access – Challenges with device life cycle
  • 14. 14 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf NAC is Back, Baby!!!
  • 15. 15 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf NAC • Agent Types – Persistent/Dissolvable • Posture Assessment – Windows, Mac, Linux – Agent Types – Health Check Options • Enforcement Options – Role-based – Application-based – To remediate, or not to remediate? • Wired NAC vs. Wireless NAC • NAC for VPN • Best Practices, Thoughts
  • 16. 16 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf TACACS+ for Network Devices
  • 17. 17 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf TACACS+ • TACACS+ Authentication – Console, Shell, UI Login • TACACS+ Authorization – Command Authorization – Command Levels • TACACS+ Accounting – Accounting & Audit Trails – Authorization vs. Accounting • Vendor Specifics – TACACS+ Dictionaries
  • 18. 18 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf BYOD with Onboard
  • 19. 19 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf BYOD with Onboard • CA Settings – Stand-alone CA – Intermediate CA – ADCS • Configuration Payloads – iOS & Mac OS X – Microsoft Windows – Android • Provisioning Settings – TLS? PEAP-MSCHAPv2? – Security Settings – Certificate Renewal
  • 20. 20 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Monitoring & Troubleshooting
  • 21. 21 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Monitoring & Troubleshooting • Monitoring on ClearPass – Access Tracker • Alerts Tab • Accounting Tab • “Show Logs” – Analysis & Trending • Drill Down – Policy Simulation – Authentication Simulation – Insight
  • 22. 22 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Monitoring & Troubleshooting • External Monitoring – SIEM with Syslog/APIs – SNMP – SQL Access
  • 23. 23 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Q & A
  • 24. 24 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Thank You #AirheadsConf
  • 25. 25