Advanced ClearPass Workshop

Workshop on ClearPass from our Airheads Local events.

  • Transcript

    • 1. Advanced ClearPass - Workshop. Ashwath Murthy, June 2014. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
    • 2. Agenda
        • Discover → Monitor → Secure
        • Network Security with ClearPass
        • Deploying NAC with OnGuard
            – Wired & Wireless NAC
            – NAC – Best Practices
        • TACACS+ for Network Device Security
        • BYOD with Onboard
        • Monitoring & Troubleshooting
    • 3. Network Security with ClearPass
    • 4. Discover → Monitor → Secure
        • Discover
            – Discover via profiling
                • DHCP
                • Non-DHCP
        • Monitor
            – Enable policies in “Monitor” Mode
        • Secure
            – Secure Wireless, Wired and VPNs
    • 5. Network Security – Wired & Wireless
        • Strong Security with 802.1X
            – Enterprise Users
            – Need for strong, session-driven security
        • Captive Portals for Guest Access
            – Transient users such as Guests, Contractors
            – Limited network access zones
            – Weaker security settings
        • BYOD with unique credentials
            – Employee BYO Devices
            – Non-IT assets
    • 6. Network Security – Wired & Wireless
        • Authenticate & Authorize
            – Certificates
            – UserID/Password
            – Tokens/OTP
    • 7. Network Security – Wired
        • Enable 802.1X on access ports
        • Allow fall-back to less secure modes of access
            – Limit network access
        • Segregate responsibilities
            – Aruba Roles
            – VLANs
            – ACLs/dACLs
            – Upstream enforcement with L3-L7 firewalls such as Palo Alto
    • 8. Network Security – Wired
        • But I have older switches that do not support 802.1X!
        • Use SNMP to enforce port status
            – Set VLANs and Session-Timeout values
            – “Bounce” a port
            – Send LinkUp/LinkDown and MAC Notification Traps to ClearPass
    • 9. Network Security – Wired
        • How will ClearPass set VLANs using SNMP?
            – Using the standard If-MIB
        • SNMP VLANs and MAC Authentication? What!?
            – Redirect the user to a captive portal after MAB
            – Authenticate & Authorize with the captive portal
    • 10. Wireless Access Security
    • 11. Wireless – Enterprise
        • Enable 802.1X
            – WPA/WPA2 Enterprise
            – Session-based keys for secure connectivity
            – Terminate EAP on ClearPass – infrastructure is EAP-agnostic
            – Consistent user experience and security practice across deployments
    • 12. Wireless – Guest
        • Enable Guest Access/MAC Authentication
            – This can be combined with a WPA/WPA2 Passphrase
            – Networks are inherently open unless secured!
            – Strong access restrictions
                • Tunneled VLANs
                • Stateful ACLs
                • DPI/Application Monitoring
    • 13. Wireless – BYOD
        • What about BYO Devices?
        • BYO Devices on the enterprise network
            – Deliver certificates to BYO Devices using Onboard
            – Segregate responsibilities by identifying BYO Devices
            – Control device life cycle
        • BYO Devices on the guest network
            – Devices use a segregated guest network
            – Limited network access
            – Challenges with device life cycle
    • 14. NAC is Back, Baby!!!
    • 15. NAC
        • Agent Types
            – Persistent/Dissolvable
        • Posture Assessment
            – Windows, Mac, Linux
            – Agent Types
            – Health Check Options
        • Enforcement Options
            – Role-based
            – Application-based
            – To remediate, or not to remediate?
        • Wired NAC vs. Wireless NAC
        • NAC for VPN
        • Best Practices, Thoughts
    • 16. TACACS+ for Network Devices
    • 17. TACACS+
        • TACACS+ Authentication
            – Console, Shell, UI Login
        • TACACS+ Authorization
            – Command Authorization
            – Command Levels
        • TACACS+ Accounting
            – Accounting & Audit Trails
            – Authorization vs. Accounting
        • Vendor Specifics
            – TACACS+ Dictionaries
    • 18. BYOD with Onboard
    • 19. BYOD with Onboard
        • CA Settings
            – Stand-alone CA
            – Intermediate CA
            – ADCS
        • Configuration Payloads
            – iOS & Mac OS X
            – Microsoft Windows
            – Android
        • Provisioning Settings
            – TLS? PEAP-MSCHAPv2?
            – Security Settings
            – Certificate Renewal
    • 20. Monitoring & Troubleshooting
    • 21. Monitoring & Troubleshooting
        • Monitoring on ClearPass
            – Access Tracker
                • Alerts Tab
                • Accounting Tab
                • “Show Logs”
            – Analysis & Trending
                • Drill Down
            – Policy Simulation
            – Authentication Simulation
            – Insight
    • 22. Monitoring & Troubleshooting
        • External Monitoring
            – SIEM with Syslog/APIs
            – SNMP
            – SQL Access
    • 23. #AirheadsLocal