Advanced ClearPass Workshop

Workshop on ClearPass from our Airheads Local events.

Transcript

  • 1. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved. Advanced ClearPass - Workshop. Ashwath Murthy, June 2014
  • 2. Agenda
    – Discover → Monitor → Secure
    – Network Security with ClearPass
    – Deploying NAC with OnGuard
      • Wired & wireless NAC
      • NAC best practices
    – TACACS+ for Network Device Security
    – BYOD with Onboard
    – Monitoring & Troubleshooting
  • 3. Network Security with ClearPass
  • 4. Discover → Monitor → Secure
    – Discover: discover via profiling
      • DHCP
      • Non-DHCP
    – Monitor: enable policies in "Monitor" mode
    – Secure: secure wireless, wired and VPNs
  • 5. Network Security – Wired & Wireless
    – Strong security with 802.1X
      • Enterprise users
      • Need for strong, session-driven security
    – Captive portals for guest access
      • Transient users such as guests and contractors
      • Limited network access zones
      • Weaker security settings
    – BYOD with unique credentials
      • Employee BYO devices
      • Non-IT assets
  • 6. Network Security – Wired & Wireless
    – Authenticate & authorize
      • Certificates
      • UserID/password
      • Tokens/OTP
  • 7. Network Security – Wired
    – Enable 802.1X on access ports
    – Allow fall-back to less secure modes of access
      • Limit network access
    – Segregate responsibilities
      • Aruba roles
      • VLANs
      • ACLs/dACLs
      • Upstream enforcement with L3-L7 firewalls such as Palo Alto
  • 8. Network Security – Wired
    – But I have older switches that do not support 802.1X!
    – Use SNMP to enforce port status
      • Set VLANs and Session-Timeout values
      • "Bounce" a port
      • Send LinkUp/LinkDown and MAC Notification traps to ClearPass
  • 9. Network Security – Wired
    – How will ClearPass set VLANs using SNMP?
      • Using the standard IF-MIB
    – SNMP VLANs and MAC authentication? What!?
      • Redirect the user to a captive portal after MAB
      • Authenticate & authorize with the captive portal
  • 10. Wireless Access Security
  • 11. Wireless – Enterprise
    – Enable 802.1X
      • WPA/WPA2 Enterprise
      • Session-based keys for secure connectivity
      • Terminate EAP on ClearPass: the infrastructure is EAP-agnostic
      • Consistent user experience and security practice across deployments
  • 12. Wireless – Guest
    – Enable guest access/MAC authentication
      • This can be combined with a WPA/WPA2 passphrase
      • Networks are inherently open unless secured!
    – Strong access restrictions
      • Tunneled VLANs
      • Stateful ACLs
      • DPI/application monitoring
  • 13. Wireless – BYOD
    – What about BYO devices?
    – BYO devices on the enterprise network
      • Deliver certificates to BYO devices using Onboard
      • Segregate responsibilities by identifying BYO devices
      • Control the device life cycle
    – BYO devices on the guest network
      • Devices use a segregated guest network
      • Limited network access
      • Challenges with the device life cycle
  • 14. NAC is Back, Baby!!!
  • 15. NAC
    – Agent types: persistent/dissolvable
    – Posture assessment
      • Windows, Mac, Linux
      • Agent types
      • Health check options
    – Enforcement options
      • Role-based
      • Application-based
      • To remediate, or not to remediate?
    – Wired NAC vs. wireless NAC
    – NAC for VPN
    – Best practices, thoughts
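The NAC slide above lists three things a posture engine has to combine: the agent's health checks, a role-based enforcement decision, and the choice of whether to remediate. Slide 4's "Monitor" mode is the fourth: evaluate the policy but do not change what the client gets. The following is an added example written for this page, not ClearPass or OnGuard code; the check names, the `employee`/`quarantine` role names and the 30-day patch threshold are constructed to show the shape of the decision.

```python
"""Posture assessment -> role-based enforcement, with monitor mode and an
optional remediation flag. Added illustration, not ClearPass/OnGuard code."""
from dataclasses import dataclass, field
from typing import List

MAX_PATCH_AGE_DAYS = 30   # constructed threshold for the patch-level check


@dataclass
class Posture:
    """What a persistent or dissolvable agent would report (constructed fields)."""
    os_family: str            # "windows", "mac" or "linux"
    antivirus_running: bool
    firewall_enabled: bool
    days_since_patch: int


@dataclass
class Decision:
    healthy: bool
    role: str                 # role handed back to the NAS (hypothetical names)
    failed_checks: List[str] = field(default_factory=list)
    remediate: bool = False   # should the agent attempt to fix the failures?
    enforced: bool = True     # False in monitor mode: verdict logged, access unchanged


def run_health_checks(p: Posture) -> List[str]:
    """Return the names of every failed check; an empty list means healthy."""
    failures = []
    if not p.antivirus_running:
        failures.append("antivirus-not-running")
    if not p.firewall_enabled:
        failures.append("host-firewall-disabled")
    if p.days_since_patch > MAX_PATCH_AGE_DAYS:
        failures.append("patch-level-stale")
    return failures


def decide(p: Posture, monitor_mode: bool = False, auto_remediate: bool = True) -> Decision:
    """Map the check results onto a role.

    monitor_mode  - evaluate and record, but keep handing out the normal role
    auto_remediate - when quarantining, ask the agent to remediate or just block
    """
    failures = run_health_checks(p)
    if not failures:
        return Decision(healthy=True, role="employee")
    if monitor_mode:
        # Monitor mode: the unhealthy verdict is visible in the logs, nothing is blocked.
        return Decision(healthy=False, role="employee", failed_checks=failures,
                        remediate=False, enforced=False)
    return Decision(healthy=False, role="quarantine", failed_checks=failures,
                    remediate=auto_remediate, enforced=True)


if __name__ == "__main__":
    laptop = Posture("mac", antivirus_running=False, firewall_enabled=True, days_since_patch=45)
    for mode in (True, False):
        d = decide(laptop, monitor_mode=mode)
        print(f"monitor={mode} role={d.role} failed={d.failed_checks} remediate={d.remediate}")
```

Running the same posture through monitor mode first and enforcing mode second is the rollout order the agenda implies (Discover, then Monitor, then Secure): the monitor-mode run shows which clients would be quarantined before any of them actually are.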
  • 16. TACACS+ for Network Devices
  • 17. TACACS+
    – TACACS+ authentication: console, shell, UI login
    – TACACS+ authorization
      • Command authorization
      • Command levels
    – TACACS+ accounting
      • Accounting & audit trails
      • Authorization vs. accounting
    – Vendor specifics: TACACS+ dictionaries
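The TACACS+ slide separates per-command authorization (decided per privilege level before the command runs) from accounting (a record of every attempt, permitted or not). The example below is added for this page and is not ClearPass code or TACACS+ wire protocol; it models the two functions as a first-match permit/deny rule list per level, failing closed when nothing matches, and an audit trail that is written regardless of the verdict. The level names and rule patterns are constructed.

```python
"""Command authorization vs. accounting, in the style of a TACACS+ policy.
Added illustration; the rule syntax here is not ClearPass's own."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical per-level policy: ordered (action, regex) rules, first match wins.
# A command that matches no rule is denied, so each level is fail-closed.
POLICY = {
    "netops": [
        ("permit", r"^show\b"),
        ("permit", r"^ping\b"),
        ("permit", r"^traceroute\b"),
    ],
    "admin": [
        ("deny", r"^(reload|erase|write erase)\b"),   # destructive commands stay blocked
        ("permit", r".*"),
    ],
}


@dataclass
class AuthzResult:
    user: str
    level: str
    command: str
    permitted: bool
    matched_rule: Optional[str]   # regex that decided the verdict; None when nothing matched


def normalise(command: str) -> str:
    """Collapse whitespace and case so 'Show  Run' hits the same rule as 'show run'."""
    return " ".join(command.split()).lower()


def authorize(user: str, level: str, command: str) -> AuthzResult:
    """Authorization: decide before the device executes anything."""
    cmd = normalise(command)
    for action, pattern in POLICY.get(level, []):   # unknown level -> empty list -> deny
        if re.match(pattern, cmd):
            return AuthzResult(user, level, cmd, action == "permit", pattern)
    return AuthzResult(user, level, cmd, False, None)


def accounting_record(result: AuthzResult, device: str,
                      when: Optional[datetime] = None) -> str:
    """Accounting: one line per attempt, written whether or not it was permitted."""
    ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    verdict = "permit" if result.permitted else "deny"
    return (f"{ts} device={device} user={result.user} level={result.level} "
            f'cmd="{result.command}" result={verdict}')


AUDIT_TRAIL: List[str] = []   # stand-in for the accounting log / SIEM feed


def run_command(user: str, level: str, device: str, command: str) -> bool:
    """What the device's AAA client would do: authorize, then account, then (maybe) execute."""
    result = authorize(user, level, command)
    AUDIT_TRAIL.append(accounting_record(result, device))
    return result.permitted


if __name__ == "__main__":
    for user, level, cmd in [("alice", "netops", "show running-config"),
                             ("alice", "netops", "configure terminal"),
                             ("bob", "admin", "Reload")]:
        print(f"{user}/{level} {cmd!r} -> {run_command(user, level, 'core-sw1', cmd)}")
    print("\n".join(AUDIT_TRAIL))
```

The point the slide makes with "Authorization vs. Accounting" is visible in the trail: a denied `reload` still produces a record, which is what makes the accounting log an audit trail rather than a list of successful changes.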
  • 18. BYOD with Onboard
  • 19. BYOD with Onboard
    – CA settings
      • Stand-alone CA
      • Intermediate CA
      • ADCS
    – Configuration payloads
      • iOS & Mac OS X
      • Microsoft Windows
      • Android
    – Provisioning settings
      • TLS? PEAP-MSCHAPv2?
      • Security settings
      • Certificate renewal
  • 20. Monitoring & Troubleshooting
  • 21. Monitoring & Troubleshooting
    – Monitoring on ClearPass
      • Access Tracker: Alerts tab, Accounting tab, "Show Logs"
      • Analysis & Trending: drill down
      • Policy Simulation
      • Authentication Simulation
      • Insight
  • 22. Monitoring & Troubleshooting
    – External monitoring
      • SIEM with Syslog/APIs
      • SNMP
      • SQL access
  • 23. #AirheadsLocal