Advanced ClearPass - Workshop

Ashwath Murthy
June 2014

CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved

Agenda
Discover Monitor Secure
Network Security with ClearPass
Deploying NAC with OnGuard
Wired & Wireless NAC
NAC Best Practices

TACACS+ for Network Device Security


BYOD with Onboard
Monitoring & Troubleshooting

Network Security with ClearPass

Discover Monitor Secure


Discover
Discover via profiling
DHCP
Non-DHCP

Monitor
Enable policies in Monitor Mode

Secure
Secure Wireless, Wired and VPNs

Network Security Wired & Wireless


Strong Security with 802.1X
Enterprise Users
Need for strong, session-driven security

Captive Portals for Guest Access


Transient users such as Guests, Contractors
Limited network access zones
Weaker security settings

BYOD with unique credentials


Employee BYO Devices
Non-IT assets

Network Security Wired & Wireless


Authenticate & Authorize
Certificates
UserID/Password
Tokens/OTP

Network Security Wired


Enable 802.1X on access ports
Allow fall-back to less secure modes of access
Limit network access

Segregate responsibilities

Aruba Roles
VLANs
ACLs/dACLs
Upstream enforcement with L3-L7 firewalls such as Palo Alto

Network Security Wired


But I have older switches that do not support 802.1X!

Use SNMP to enforce port status


Set VLANs and Session-Timeout values
Bounce a port
Send LinkUp/LinkDown and MAC Notification Traps to ClearPass

Network Security Wired


How will ClearPass set VLANs using SNMP?
Using the standard If-MIB

SNMP VLANs and MAC Authentication? What!?


Redirect the user to a captive portal after MAB
Authenticate & Authorize with the captive portal

Wireless Access Security

Wireless Enterprise
Enable 802.1X WPA/WPA2 Enterprise
Session-based keys for secure connectivity
Terminate EAP on ClearPass: the infrastructure is EAP-agnostic
Consistent user experience and security practice across deployments

Wireless Guest
Enable Guest Access/MAC Authentication
This can be combined with a WPA/WPA2 Passphrase
Networks are inherently open unless secured!
Strong access restrictions
Tunneled VLANs

Stateful ACLs
DPI/Application Monitoring

Wireless BYOD
What about BYO Devices?
BYO Devices on the enterprise network
Deliver certificates to BYO Devices using Onboard
Segregate responsibilities by identifying BYO Devices
Control device life cycle

BYO Devices on the guest network


Devices use a segregated guest network
Limited network access
Challenges with device life cycle

NAC is Back, Baby!!!

NAC
Agent Types: Persistent/Dissolvable
Posture Assessment: Windows, Mac, Linux
Health Check Options

Enforcement Options
Role-based
Application-based
To remediate, or not to remediate?

Wired NAC vs. Wireless NAC


NAC for VPN
Best Practices, Thoughts

TACACS+ for Network Devices

TACACS+
TACACS+ Authentication
Console, Shell, UI Login

TACACS+ Authorization
Command Authorization
Command Levels

TACACS+ Accounting
Accounting & Audit Trails
Authorization vs. Accounting

Vendor Specifics
TACACS+ Dictionaries

BYOD with Onboard

CA Settings
Stand-alone CA
Intermediate CA
ADCS

Configuration Payloads
iOS & Mac OS X
Microsoft Windows
Android

Provisioning Settings
TLS? PEAP-MSCHAPv2?
Security Settings
Certificate Renewal

Monitoring & Troubleshooting

Monitoring on ClearPass
Access Tracker
Alerts Tab
Accounting Tab
Show Logs

Analysis & Trending


Drill Down

Policy Simulation
Authentication Simulation
Insight

Monitoring & Troubleshooting


External Monitoring
SIEM with Syslog/APIs
SNMP
SQL Access

#AirheadsLocal