Advanced ClearPass Workshop
- 2. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Agenda
• Discover Monitor Secure
• Network Security with ClearPass
• Deploying NAC with OnGuard
– Wired & Wireless NAC
– NAC – Best Practices
• TACACS+ for Network Device Security
• BYOD with Onboard
• Monitoring & Troubleshooting
Discover Monitor Secure
• Discover
– Discover via profiling
• DHCP
• Non-DHCP
• Monitor
– Enable policies in “Monitor” Mode
• Secure
– Secure Wireless, Wired and VPNs
Network Security – Wired & Wireless
• Strong Security with 802.1X
– Enterprise Users
– Need for strong, session-driven security
• Captive Portals for Guest Access
– Transient users such as Guests, Contractors
– Limited network access zones
– Weaker security settings
• BYOD with unique credentials
– Employee BYO Devices
– Non-IT assets
Network Security – Wired & Wireless
• Authenticate & Authorize
– Certificates
– UserID/Password
– Tokens/OTP
Network Security – Wired
• Enable 802.1X on access ports
• Allow fall-back to less secure modes of access
– Limit network access
• Segregate responsibilities
– Aruba Roles
– VLANs
– ACLs/dACLs
– Upstream enforcement with L3-L7 firewalls such as Palo Alto
Network Security – Wired
• But I have older switches that do not support 802.1X!
• Use SNMP to enforce port status
– Set VLANs and Session-Timeout values
– “Bounce” a port
– Send LinkUp/LinkDown and MAC Notification Traps to ClearPass
Network Security – Wired
• How will ClearPass set VLANs using SNMP?
– Using the standard IF-MIB
• SNMP VLANs and MAC Authentication? What!?
– Redirect the user to a captive portal after MAB
– Authenticate & Authorize with the captive portal
Wireless – Enterprise
• Enable 802.1X – WPA/WPA2 Enterprise
– Session-based keys for secure connectivity
– Terminate EAP on ClearPass – infrastructure is EAP-agnostic
– Consistent user experience and security practice across deployments
Wireless – Guest
• Enable Guest Access/MAC Authentication
– This can be combined with a WPA/WPA2 Passphrase
– Networks are inherently open unless secured!
– Strong access restrictions
• Tunneled VLANs
• Stateful ACLs
• DPI/Application Monitoring
Wireless – BYOD
• What about BYO Devices?
• BYO Devices on the enterprise network
– Deliver certificates to BYO Devices using Onboard
– Segregate responsibilities by identifying BYO Devices
– Control device life cycle
• BYO Devices on the guest network
– Devices use a segregated guest network
– Limited network access
– Challenges with device life cycle
NAC
• Agent Types – Persistent/Dissolvable
• Posture Assessment – Windows, Mac, Linux
– Agent Types
– Health Check Options
• Enforcement Options
– Role-based
– Application-based
– To remediate, or not to remediate?
• Wired NAC vs. Wireless NAC
• NAC for VPN
• Best Practices, Thoughts
TACACS+
• TACACS+ Authentication
– Console, Shell, UI Login
• TACACS+ Authorization
– Command Authorization
– Command Levels
• TACACS+ Accounting
– Accounting & Audit Trails
– Authorization vs. Accounting
• Vendor Specifics
– TACACS+ Dictionaries
BYOD with Onboard
• CA Settings
– Stand-alone CA
– Intermediate CA
– ADCS
• Configuration Payloads
– iOS & Mac OS X
– Microsoft Windows
– Android
• Provisioning Settings
– TLS? PEAP-MSCHAPv2?
– Security Settings
– Certificate Renewal
Monitoring & Troubleshooting
• Monitoring on ClearPass
– Access Tracker
• Alerts Tab
• Accounting Tab
• “Show Logs”
– Analysis & Trending
• Drill Down
– Policy Simulation
– Authentication Simulation
– Insight
Monitoring & Troubleshooting
• External Monitoring
– SIEM with Syslog/APIs
– SNMP
– SQL Access