Aruba, a Hewlett Packard Enterprise company, profile picture
Uploaded byAruba, a Hewlett Packard Enterprise company
PPTX, PDF4,301 views

Advanced Aruba ClearPass Workshop

The document outlines a workshop on advanced ClearPass conducted by Ashwath Murthy in March 2014, focusing on network security through discovery, monitoring, and securing wired and wireless networks. Key topics include BYOD (Bring Your Own Device) policies, NAC (Network Access Control) best practices, TACACS+ for device security, and troubleshooting techniques. It emphasizes the need for strong authentication methods and provides insights into managing guest access and securing enterprise environments.

Embed presentation

Downloaded 315 times
Advanced ClearPass – Workshop Ashwath Murthy March, 2014
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved 2 #AirheadsConf Agenda Discover  Monitor  Secure Network Security with ClearPass Deploying NAC with OnGuard Wired & Wireless NAC NAC – Best Practices TACACS+ for Network Device Security BYOD with Onboard Monitoring & Troubleshooting
3 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security with ClearPass
4 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Discover  Monitor  Secure • Discover – Discover via profiling • DHCP • Non-DHCP • Monitor – Enable policies in “Monitor” Mode • Secure – Secure Wireless, Wired and VPNs
5 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired & Wireless • Strong Security with 802.1X – Enterprise Users – Need for strong, session-driven security • Captive Portals for Guest Access – Transient users such as Guests, Contractors – Limited network access zones – Weaker security settings • BYOD with unique credentials – Employee BYO Devices – Non-IT assets
6 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired & Wireless • Authenticate & Authorize – Certificates – UserID/Password – Tokens/OTP
7 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired • Enable 802.1X on access ports • Allow fall-back to less secure modes of access – Limit network access • Segregate responsibilities – Aruba Roles – VLANs – ACLs/dACLs – Upstream enforcement with L3-L7 firewalls such as Palo Alto
8 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired • But I have older switches that do not support 802.1X! • Use SNMP to enforce port status – Set VLANs and Session-Timeout values – “Bounce” a port – Send LinkUp/LinkDown and MAC Notification Traps to ClearPass
9 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired • How will ClearPass set VLANs using SNMP? – Using the standard If-MIB • SNMP VLANs and MAC Authentication? What!? – Redirect the user to a captive portal after MAB – Authenticate & Authorize with the captive portal
10 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Wireless Access Security
11 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Wireless – Enterprise • Enable 802.1X – WPA/WPA2 Enterprise – Session-based keys for secure connectivity – Terminate EAP on ClearPass – infrastructure is EAP- agnostic – Consistent user experience and security practice across deployments
12 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Wireless – Guest • Enable Guest Access/MAC Authentication – This can be combined with a WPA/WPA2 Passphrase – Networks are inherently open unless secured! – Strong access restrictions • Tunneled VLANs • Stateful ACLs • DPI/Application Monitoring
13 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Wireless – BYOD • What about BYO Devices? • BYO Devices on the enterprise network – Deliver certificates to BYO Devices using Onboard – Segregate responsibilities by identifying BYO Devices – Control device life cycle • BYO Devices on the guest network – Devices use a segregated guest network – Limited network access – Challenges with device life cycle
14 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf NAC is Back, Baby!!!
15 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf NAC • Agent Types – Persistent/Dissolvable • Posture Assessment – Windows, Mac, Linux – Agent Types – Health Check Options • Enforcement Options – Role-based – Application-based – To remediate, or not to remediate? • Wired NAC vs. Wireless NAC • NAC for VPN • Best Practices, Thoughts
16 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf TACACS+ for Network Devices
17 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf TACACS+ • TACACS+ Authentication – Console, Shell, UI Login • TACACS+ Authorization – Command Authorization – Command Levels • TACACS+ Accounting – Accounting & Audit Trails – Authorization vs. Accounting • Vendor Specifics – TACACS+ Dictionaries
18 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf BYOD with Onboard
19 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf BYOD with Onboard • CA Settings – Stand-alone CA – Intermediate CA – ADCS • Configuration Payloads – iOS & Mac OS X – Microsoft Windows – Android • Provisioning Settings – TLS? PEAP-MSCHAPv2? – Security Settings – Certificate Renewal
20 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Monitoring & Troubleshooting
21 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Monitoring & Troubleshooting • Monitoring on ClearPass – Access Tracker • Alerts Tab • Accounting Tab • “Show Logs” – Analysis & Trending • Drill Down – Policy Simulation – Authentication Simulation – Insight
22 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Monitoring & Troubleshooting • External Monitoring – SIEM with Syslog/APIs – SNMP – SQL Access
23 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Q & A
24 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Thank You #AirheadsConf
25

More Related Content

PPTX
Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
PPT
Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
PPTX
ClearPass design scenarios that solve the toughest security policy requirements
byAruba, a Hewlett Packard Enterprise company
 
PDF
Aruba ClearPass Guest 6.3 User Guide
byAruba, a Hewlett Packard Enterprise company
 
PDF
ClearPass Overview
byJoAnna Cheshire
 
PDF
Aruba Networks - Overview ClearPass
byPaulo Eduardo Sibalde
 
PPTX
Large scale, distributed access management deployment with aruba clear pass
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads ClearPass guest with MAC- caching using Time Source
byAruba, a Hewlett Packard Enterprise company
 
Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
ClearPass design scenarios that solve the toughest security policy requirements
byAruba, a Hewlett Packard Enterprise company
 
Aruba ClearPass Guest 6.3 User Guide
byAruba, a Hewlett Packard Enterprise company
 
ClearPass Overview
byJoAnna Cheshire
 
Aruba Networks - Overview ClearPass
byPaulo Eduardo Sibalde
 
Large scale, distributed access management deployment with aruba clear pass
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads ClearPass guest with MAC- caching using Time Source
byAruba, a Hewlett Packard Enterprise company
 

What's hot

PPTX
Advanced ClearPass Workshop
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Real-world 802.1X Deployment Challenges
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Cisco Security portfolio update
byAtanas Gergiminov
 
PPTX
EMEA Airheads- Aruba Central with Instant AP
byAruba, a Hewlett Packard Enterprise company
 
PDF
Aruba clearpass ebook_chpt1_final
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Wi-Fi Behavior of Popular Mobile Devices #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
PDF
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
byAruba, a Hewlett Packard Enterprise company
 
PDF
Guest Access with ArubaOS
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Getting the most out of the aruba policy enforcement firewall
byAruba, a Hewlett Packard Enterprise company
 
PDF
Aruba Mobility Controllers
byAruba, a Hewlett Packard Enterprise company
 
PDF
EMEA Airheads- Troubleshooting 802.1x issues
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- ArubaOS - Cluster Manager
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Airheads Tech Talks: Advanced Clustering in AOS 8.x
byAruba, a Hewlett Packard Enterprise company
 
PDF
ClearPass Policy Model - An Introduction
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads - AP Discovery Logic and AP Deployment
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- Aruba 8.x Architecture overview & UI Navigation
byAruba, a Hewlett Packard Enterprise company
 
PDF
Managing and Optimizing RF Spectrum for Aruba WLANs
byAruba, a Hewlett Packard Enterprise company
 
PDF
Aruba mobility access switch useful commands v2
byAruba, a Hewlett Packard Enterprise company
 
PDF
Useful cli commands v1
byAruba, a Hewlett Packard Enterprise company
 
Advanced ClearPass Workshop
byAruba, a Hewlett Packard Enterprise company
 
Real-world 802.1X Deployment Challenges
byAruba, a Hewlett Packard Enterprise company
 
Cisco Security portfolio update
byAtanas Gergiminov
 
EMEA Airheads- Aruba Central with Instant AP
byAruba, a Hewlett Packard Enterprise company
 
Aruba clearpass ebook_chpt1_final
byAruba, a Hewlett Packard Enterprise company
 
Wi-Fi Behavior of Popular Mobile Devices #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
byAruba, a Hewlett Packard Enterprise company
 
Guest Access with ArubaOS
byAruba, a Hewlett Packard Enterprise company
 
Getting the most out of the aruba policy enforcement firewall
byAruba, a Hewlett Packard Enterprise company
 
Aruba Mobility Controllers
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Troubleshooting 802.1x issues
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- ArubaOS - Cluster Manager
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
byAruba, a Hewlett Packard Enterprise company
 
Airheads Tech Talks: Advanced Clustering in AOS 8.x
byAruba, a Hewlett Packard Enterprise company
 
ClearPass Policy Model - An Introduction
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads - AP Discovery Logic and AP Deployment
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Aruba 8.x Architecture overview & UI Navigation
byAruba, a Hewlett Packard Enterprise company
 
Managing and Optimizing RF Spectrum for Aruba WLANs
byAruba, a Hewlett Packard Enterprise company
 
Aruba mobility access switch useful commands v2
byAruba, a Hewlett Packard Enterprise company
 
Useful cli commands v1
byAruba, a Hewlett Packard Enterprise company
 

Viewers also liked

PPTX
Aruba WLANs 101 and design fundamentals
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Advanced Access Management with Aruba ClearPass #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Aruba ClearPass Exchange Deep Dive
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Network Management with Aruba AirWave
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Getting the most out of the Aruba Policy Enforcement Firewall
byAruba, a Hewlett Packard Enterprise company
 
POTX
Network management with Aruba AirWave
byAruba, a Hewlett Packard Enterprise company
 
PDF
Base Designs Lab Setup for Validated Reference Design
byAruba, a Hewlett Packard Enterprise company
 
POTX
Packets never lie: An in-depth overview of 802.11 frames
byAruba, a Hewlett Packard Enterprise company
 
PPTX
The Aruba Tech Support Top 10: WLAN design, configuration and troubleshooting...
byAruba, a Hewlett Packard Enterprise company
 
PDF
Aruba Campus Wireless Networks
byContent Rules, Inc.
 
PDF
Aruba presentation solutions overview - v1
byHasan Zuberi
 
PPTX
Enhance network security with Multi-Factor Authentication for BYOD and guest ...
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Best Practices on Migrating to 802.11ac Wi-Fi
byAruba, a Hewlett Packard Enterprise company
 
PPTX
RF characteristics and radio fundamentals
byAruba, a Hewlett Packard Enterprise company
 
PPTX
A-to-Z design guide for the all-wireless workplace
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Extend mobility to remote branch networks with Aruba's new cloud services con...
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Self-Registration, Policy & Branding for Guest Access #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Wi-Fi Security Fundamentals
byAruba, a Hewlett Packard Enterprise company
 
PDF
RF planning for high-densities of mobile devices and bandwidth-hungry mobile ...
byAruba, a Hewlett Packard Enterprise company
 
PDF
Fast-track your career by going from wireless to mobility engineer
byAruba, a Hewlett Packard Enterprise company
 
Aruba WLANs 101 and design fundamentals
byAruba, a Hewlett Packard Enterprise company
 
Advanced Access Management with Aruba ClearPass #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
Aruba ClearPass Exchange Deep Dive
byAruba, a Hewlett Packard Enterprise company
 
Network Management with Aruba AirWave
byAruba, a Hewlett Packard Enterprise company
 
Getting the most out of the Aruba Policy Enforcement Firewall
byAruba, a Hewlett Packard Enterprise company
 
Network management with Aruba AirWave
byAruba, a Hewlett Packard Enterprise company
 
Base Designs Lab Setup for Validated Reference Design
byAruba, a Hewlett Packard Enterprise company
 
Packets never lie: An in-depth overview of 802.11 frames
byAruba, a Hewlett Packard Enterprise company
 
The Aruba Tech Support Top 10: WLAN design, configuration and troubleshooting...
byAruba, a Hewlett Packard Enterprise company
 
Aruba Campus Wireless Networks
byContent Rules, Inc.
 
Aruba presentation solutions overview - v1
byHasan Zuberi
 
Enhance network security with Multi-Factor Authentication for BYOD and guest ...
byAruba, a Hewlett Packard Enterprise company
 
Best Practices on Migrating to 802.11ac Wi-Fi
byAruba, a Hewlett Packard Enterprise company
 
RF characteristics and radio fundamentals
byAruba, a Hewlett Packard Enterprise company
 
A-to-Z design guide for the all-wireless workplace
byAruba, a Hewlett Packard Enterprise company
 
Extend mobility to remote branch networks with Aruba's new cloud services con...
byAruba, a Hewlett Packard Enterprise company
 
Self-Registration, Policy & Branding for Guest Access #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
Wi-Fi Security Fundamentals
byAruba, a Hewlett Packard Enterprise company
 
RF planning for high-densities of mobile devices and bandwidth-hungry mobile ...
byAruba, a Hewlett Packard Enterprise company
 
Fast-track your career by going from wireless to mobility engineer
byAruba, a Hewlett Packard Enterprise company
 

Similar to Advanced Aruba ClearPass Workshop

PDF
Clear pass policy manager advanced_ashwath murthy
byAruba, a Hewlett Packard Enterprise company
 
PDF
BYOD with ClearPass
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Access Management with Aruba ClearPass #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
PPTX
ClearPass Guest Overview
byAruba, a Hewlett Packard Enterprise company
 
PDF
ClearPass Policy Manager 6.3 User Guide
byAruba, a Hewlett Packard Enterprise company
 
PDF
ClearPass Policy Manager 6.3 User Guide
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Shanghai Breakout: Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Defining Advanced AAA Policies for Access Networks
byAruba, a Hewlett Packard Enterprise company
 
PDF
Security advanced rich langston_jon green
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Secure Enterprise Mobility
byAruba, a Hewlett Packard Enterprise company
 
PPTX
ClearPass_Design Info.pptx
byssuser63c018
 
PDF
2012 ah vegas guest access fundamentals
byAruba, a Hewlett Packard Enterprise company
 
PDF
Clear pass access management basics zach jennings
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Remote & Branch Networking Fundamentals #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
PDF
ARUBA - Remote Branch-networking-fundamentals-2014
byMarcello Marchesini
 
PDF
Breakout - Airheads Macau 2013 - ClearPass Access Management Basics
byAruba, a Hewlett Packard Enterprise company
 
PDF
2012 ah apj wlan security fundamentals
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Breakout - Airheads Macau 2013 - BYOD, MDM, and MAM
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Adaptive Trust Security
byAruba, a Hewlett Packard Enterprise company
 
PDF
2012 ah apj guest access fundamentals
byAruba, a Hewlett Packard Enterprise company
 
Clear pass policy manager advanced_ashwath murthy
byAruba, a Hewlett Packard Enterprise company
 
BYOD with ClearPass
byAruba, a Hewlett Packard Enterprise company
 
Access Management with Aruba ClearPass #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
ClearPass Guest Overview
byAruba, a Hewlett Packard Enterprise company
 
ClearPass Policy Manager 6.3 User Guide
byAruba, a Hewlett Packard Enterprise company
 
ClearPass Policy Manager 6.3 User Guide
byAruba, a Hewlett Packard Enterprise company
 
Shanghai Breakout: Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
Defining Advanced AAA Policies for Access Networks
byAruba, a Hewlett Packard Enterprise company
 
Security advanced rich langston_jon green
byAruba, a Hewlett Packard Enterprise company
 
Secure Enterprise Mobility
byAruba, a Hewlett Packard Enterprise company
 
ClearPass_Design Info.pptx
byssuser63c018
 
2012 ah vegas guest access fundamentals
byAruba, a Hewlett Packard Enterprise company
 
Clear pass access management basics zach jennings
byAruba, a Hewlett Packard Enterprise company
 
Remote & Branch Networking Fundamentals #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
ARUBA - Remote Branch-networking-fundamentals-2014
byMarcello Marchesini
 
Breakout - Airheads Macau 2013 - ClearPass Access Management Basics
byAruba, a Hewlett Packard Enterprise company
 
2012 ah apj wlan security fundamentals
byAruba, a Hewlett Packard Enterprise company
 
Breakout - Airheads Macau 2013 - BYOD, MDM, and MAM
byAruba, a Hewlett Packard Enterprise company
 
Adaptive Trust Security
byAruba, a Hewlett Packard Enterprise company
 
2012 ah apj guest access fundamentals
byAruba, a Hewlett Packard Enterprise company
 

More from Aruba, a Hewlett Packard Enterprise company

PPTX
EMEA Airheads_ Advance Aruba Central
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Airheads Tech Talks: Understanding ClearPass OnGuard Agents
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- Manage Devices at Branch Office (BOC)
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads - Configuring different APIs in Aruba 8.x
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Introduction to AirWave 10
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads - Multi zone ap and centralized image upgrade
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Airheads Meetups- High density WLAN
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads - What does AirMatch do differently?v2
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- LACP and distributed LACP – ArubaOS Switch
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- Virtual Switching Framework- Aruba OS Switch
byAruba, a Hewlett Packard Enterprise company
 
PPT
Bringing up Aruba Mobility Master, Managed Device & Access Point
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Airheads Meetups: 8400 Presentation
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- Switch stacking_ ArubaOS Switch
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- Getting Started with the ClearPass REST API – CPPM
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.x
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Airheads Meetups- Avans Hogeschool goes Aruba
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Airheads Meetups: Ekahau Presentation
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads_ Advance Aruba Central
byAruba, a Hewlett Packard Enterprise company
 
Airheads Tech Talks: Understanding ClearPass OnGuard Agents
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
byAruba, a Hewlett Packard Enterprise company
 
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Manage Devices at Branch Office (BOC)
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads - Configuring different APIs in Aruba 8.x
byAruba, a Hewlett Packard Enterprise company
 
Introduction to AirWave 10
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads - Multi zone ap and centralized image upgrade
byAruba, a Hewlett Packard Enterprise company
 
Airheads Meetups- High density WLAN
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads - What does AirMatch do differently?v2
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- LACP and distributed LACP – ArubaOS Switch
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Virtual Switching Framework- Aruba OS Switch
byAruba, a Hewlett Packard Enterprise company
 
Bringing up Aruba Mobility Master, Managed Device & Access Point
byAruba, a Hewlett Packard Enterprise company
 
Airheads Meetups: 8400 Presentation
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Switch stacking_ ArubaOS Switch
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Getting Started with the ClearPass REST API – CPPM
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.x
byAruba, a Hewlett Packard Enterprise company
 
Airheads Meetups- Avans Hogeschool goes Aruba
byAruba, a Hewlett Packard Enterprise company
 
Airheads Meetups: Ekahau Presentation
byAruba, a Hewlett Packard Enterprise company
 

Advanced Aruba ClearPass Workshop

  • 1.
    Advanced ClearPass –Workshop Ashwath Murthy March, 2014
  • 2.
    CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved 2 #AirheadsConf Agenda Discover  Monitor  Secure Network Security with ClearPass Deploying NAC with OnGuard Wired & Wireless NAC NAC – Best Practices TACACS+ for Network Device Security BYOD with Onboard Monitoring & Troubleshooting
  • 3.
    3 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security with ClearPass
  • 4.
    4 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Discover  Monitor  Secure • Discover – Discover via profiling • DHCP • Non-DHCP • Monitor – Enable policies in “Monitor” Mode • Secure – Secure Wireless, Wired and VPNs
  • 5.
    5 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired & Wireless • Strong Security with 802.1X – Enterprise Users – Need for strong, session-driven security • Captive Portals for Guest Access – Transient users such as Guests, Contractors – Limited network access zones – Weaker security settings • BYOD with unique credentials – Employee BYO Devices – Non-IT assets
  • 6.
    6 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired & Wireless • Authenticate & Authorize – Certificates – UserID/Password – Tokens/OTP
  • 7.
    7 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired • Enable 802.1X on access ports • Allow fall-back to less secure modes of access – Limit network access • Segregate responsibilities – Aruba Roles – VLANs – ACLs/dACLs – Upstream enforcement with L3-L7 firewalls such as Palo Alto
  • 8.
    8 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired • But I have older switches that do not support 802.1X! • Use SNMP to enforce port status – Set VLANs and Session-Timeout values – “Bounce” a port – Send LinkUp/LinkDown and MAC Notification Traps to ClearPass
  • 9.
    9 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Network Security – Wired • How will ClearPass set VLANs using SNMP? – Using the standard If-MIB • SNMP VLANs and MAC Authentication? What!? – Redirect the user to a captive portal after MAB – Authenticate & Authorize with the captive portal
  • 10.
    10 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Wireless Access Security
  • 11.
    11 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Wireless – Enterprise • Enable 802.1X – WPA/WPA2 Enterprise – Session-based keys for secure connectivity – Terminate EAP on ClearPass – infrastructure is EAP- agnostic – Consistent user experience and security practice across deployments
  • 12.
    12 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Wireless – Guest • Enable Guest Access/MAC Authentication – This can be combined with a WPA/WPA2 Passphrase – Networks are inherently open unless secured! – Strong access restrictions • Tunneled VLANs • Stateful ACLs • DPI/Application Monitoring
  • 13.
    13 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Wireless – BYOD • What about BYO Devices? • BYO Devices on the enterprise network – Deliver certificates to BYO Devices using Onboard – Segregate responsibilities by identifying BYO Devices – Control device life cycle • BYO Devices on the guest network – Devices use a segregated guest network – Limited network access – Challenges with device life cycle
  • 14.
    14 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf NAC is Back, Baby!!!
  • 15.
    15 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf NAC • Agent Types – Persistent/Dissolvable • Posture Assessment – Windows, Mac, Linux – Agent Types – Health Check Options • Enforcement Options – Role-based – Application-based – To remediate, or not to remediate? • Wired NAC vs. Wireless NAC • NAC for VPN • Best Practices, Thoughts
  • 16.
    16 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf TACACS+ for Network Devices
  • 17.
    17 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf TACACS+ • TACACS+ Authentication – Console, Shell, UI Login • TACACS+ Authorization – Command Authorization – Command Levels • TACACS+ Accounting – Accounting & Audit Trails – Authorization vs. Accounting • Vendor Specifics – TACACS+ Dictionaries
  • 18.
    18 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf BYOD with Onboard
  • 19.
    19 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf BYOD with Onboard • CA Settings – Stand-alone CA – Intermediate CA – ADCS • Configuration Payloads – iOS & Mac OS X – Microsoft Windows – Android • Provisioning Settings – TLS? PEAP-MSCHAPv2? – Security Settings – Certificate Renewal
  • 20.
    20 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Monitoring & Troubleshooting
  • 21.
    21 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Monitoring & Troubleshooting • Monitoring on ClearPass – Access Tracker • Alerts Tab • Accounting Tab • “Show Logs” – Analysis & Trending • Drill Down – Policy Simulation – Authentication Simulation – Insight
  • 22.
    22 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Monitoring & Troubleshooting • External Monitoring – SIEM with Syslog/APIs – SNMP – SQL Access
  • 23.
    23 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved #AirheadsConf Q & A
  • 24.
    24 CONFIDENTIAL © Copyright 2014.Aruba Networks, Inc. All rights reserved Thank You #AirheadsConf
  • 25.