Advanced Aruba ClearPass Workshop
Advanced ClearPass – Workshop
Ashwath Murthy
March, 2014
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Agenda
Discover Monitor Secure
Network Security with ClearPass
Deploying NAC with OnGuard
Wired & Wireless NAC
NAC – Best Practices
TACACS+ for Network Device Security
BYOD with Onboard
Monitoring & Troubleshooting
Network Security with ClearPass
Discover Monitor Secure
• Discover
– Discover via profiling
• DHCP
• Non-DHCP
• Monitor
– Enable policies in “Monitor” Mode
• Secure
– Secure Wireless, Wired and VPNs
Network Security – Wired & Wireless
• Strong Security with 802.1X
– Enterprise Users
– Need for strong, session-driven security
• Captive Portals for Guest Access
– Transient users such as Guests, Contractors
– Limited network access zones
– Weaker security settings
• BYOD with unique credentials
– Employee BYO Devices
– Non-IT assets
Network Security – Wired & Wireless
• Authenticate & Authorize
– Certificates
– UserID/Password
– Tokens/OTP
Network Security – Wired
• Enable 802.1X on access ports
• Allow fall-back to less secure modes of access (e.g. MAC authentication)
– Limit the network access granted to fall-back sessions
• Segregate responsibilities
– Aruba Roles
– VLANs
– ACLs/dACLs
– Upstream enforcement with L3-L7 firewalls such as Palo Alto
Network Security – Wired
• But I have older switches that do not support 802.1X!
• Use SNMP to enforce port status
– Set VLANs and Session-Timeout values
– “Bounce” a port
– Send LinkUp/LinkDown and MAC Notification Traps to ClearPass
Network Security – Wired
• How will ClearPass set VLANs using SNMP?
– Using the standard If-MIB
• SNMP VLANs and MAC Authentication? What!?
– Redirect the user to a captive portal after MAB
– Authenticate & Authorize with the captive portal
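The two slides above describe SNMP enforcement for switches that cannot do 802.1X: set the port VLAN, bounce the port so the client re-addresses, and drive it all from LinkUp/LinkDown traps. The following is an added example, not code from the workshop or from ClearPass, that models that loop offline. It assumes traps arrive as already-decoded (OID, value) pairs and that the MAC seen on the port is supplied by the caller (from a MAC-notification trap or a bridge-table poll). The slide names IF-MIB; the example uses IF-MIB ifAdminStatus for the bounce and, as an assumption, Q-BRIDGE-MIB dot1qPvid for the port's untagged VLAN. The role-to-VLAN table and the endpoint table are constructed. The point worth seeing is the edge case: your own port bounce generates a LinkDown/LinkUp pair, and an enforcer that treats those as fresh events will bounce the port forever.

```python
"""Added example: plan SNMP SET operations for VLAN enforcement on a legacy
switch, driven by linkUp/linkDown traps, without re-bouncing on our own flap."""
from dataclasses import dataclass, field

# Standard OIDs (IF-MIB and Q-BRIDGE-MIB); the instance suffix is the ifIndex.
IF_INDEX        = "1.3.6.1.2.1.2.2.1.1"
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"          # INTEGER: 1 = up, 2 = down
DOT1Q_PVID      = "1.3.6.1.2.1.17.7.1.4.5.1.1"   # Gauge32: untagged VLAN of the port
SNMP_TRAP_OID   = "1.3.6.1.6.3.1.1.4.1.0"        # snmpTrapOID.0, present in every v2c trap
LINK_DOWN_TRAP  = "1.3.6.1.6.3.1.1.5.3"
LINK_UP_TRAP    = "1.3.6.1.6.3.1.1.5.4"

# Constructed policy standing in for a ClearPass role -> VLAN enforcement profile.
ROLE_VLAN = {"employee": 10, "printer": 20, "quarantine": 999}
DEFAULT_ROLE = "quarantine"
NO_BOUNCE_ROLES = {"printer"}   # a link flap is unacceptable here; rely on PVID + session timeout


@dataclass(frozen=True)
class SnmpSet:
    oid: str
    syntax: str   # "i" INTEGER, "u" Gauge32, as in net-snmp's snmpset
    value: int


def plan_vlan_enforcement(if_index, role, bounce=True):
    """Set the PVID first, then bounce, so the client's next DHCP lands in the new VLAN."""
    vlan = ROLE_VLAN.get(role, ROLE_VLAN[DEFAULT_ROLE])
    ops = [SnmpSet(f"{DOT1Q_PVID}.{if_index}", "u", vlan)]
    if bounce:
        ops.append(SnmpSet(f"{IF_ADMIN_STATUS}.{if_index}", "i", 2))
        ops.append(SnmpSet(f"{IF_ADMIN_STATUS}.{if_index}", "i", 1))
    return ops


@dataclass
class SnmpEnforcer:
    mac_roles: dict                                   # constructed MAB result table: mac -> role
    sessions: dict = field(default_factory=dict)      # if_index -> role already enforced
    bounce_pending: set = field(default_factory=set)  # ports we flapped ourselves

    def handle_trap(self, varbinds, mac_on_port=None):
        """Return the SNMP SETs to send for this trap (possibly none)."""
        trap = dict(varbinds).get(SNMP_TRAP_OID)
        if_index = next((int(v) for k, v in varbinds if k.startswith(IF_INDEX + ".")), None)
        if if_index is None or trap not in (LINK_UP_TRAP, LINK_DOWN_TRAP):
            return []                                   # coldStart, authFailure, ... not ours
        if trap == LINK_DOWN_TRAP:
            if if_index not in self.bounce_pending:
                self.sessions.pop(if_index, None)       # real disconnect: forget the session
            return []
        if if_index in self.bounce_pending:             # linkUp completing our own bounce
            self.bounce_pending.discard(if_index)
            return []
        role = self.mac_roles.get((mac_on_port or "").lower(), DEFAULT_ROLE)
        if self.sessions.get(if_index) == role:
            return []                                   # already enforced, nothing to do
        self.sessions[if_index] = role
        bounce = role not in NO_BOUNCE_ROLES
        if bounce:
            self.bounce_pending.add(if_index)
        return plan_vlan_enforcement(if_index, role, bounce)


if __name__ == "__main__":
    enf = SnmpEnforcer(mac_roles={"00:11:22:33:44:55": "employee"})
    link_up = [(SNMP_TRAP_OID, LINK_UP_TRAP), (IF_INDEX + ".3", "3")]
    for op in enf.handle_trap(link_up, mac_on_port="00:11:22:33:44:55"):
        print(f"snmpset ... {op.oid} {op.syntax} {op.value}")
```

Unknown MACs land in the quarantine VLAN rather than being left on whatever PVID the port had, which is the "limit network access" half of the fall-back story; the captive portal on the quarantine VLAN is where the user then authenticates.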
Wireless Access Security
Wireless – Enterprise
• Enable 802.1X – WPA/WPA2 Enterprise
– Session-based keys for secure connectivity
– Terminate EAP on ClearPass – the infrastructure is EAP-agnostic
– Consistent user experience and security practice across deployments
Wireless – Guest
• Enable Guest Access/MAC Authentication
– This can be combined with a WPA/WPA2 Passphrase
– Networks are inherently open unless secured!
– Strong access restrictions
• Tunneled VLANs
• Stateful ACLs
• DPI/Application Monitoring
Wireless – BYOD
• What about BYO Devices?
• BYO Devices on the enterprise network
– Deliver certificates to BYO Devices using Onboard
– Segregate responsibilities by identifying BYO Devices
– Control device life cycle
• BYO Devices on the guest network
– Devices use a segregated guest network
– Limited network access
– Challenges with device life cycle
NAC is Back, Baby!!!
NAC
• Agent Types – Persistent/Dissolvable
• Posture Assessment – Windows, Mac, Linux
– Agent Types
– Health Check Options
• Enforcement Options
– Role-based
– Application-based
– To remediate, or not to remediate?
• Wired NAC vs. Wireless NAC
• NAC for VPN
• Best Practices, Thoughts
TACACS+ for Network Devices
TACACS+
• TACACS+ Authentication
– Console, Shell, UI Login
• TACACS+ Authorization
– Command Authorization
– Command Levels
• TACACS+ Accounting
– Accounting & Audit Trails
– Authorization vs. Accounting
• Vendor Specifics
– TACACS+ Dictionaries
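The slide separates TACACS+ authorization (deciding per command) from accounting (recording what happened), and notes that command levels and per-command rules both apply. The following is an added example, not code from the workshop or from ClearPass, that models such a policy: an ordered list of permit/deny regexes with a privilege-level ceiling, evaluated first-match with default deny, and an accounting record written for every attempt whether or not it was authorized. The roles, rule sets and device names are constructed.

```python
"""Added example: TACACS+ style command authorization and accounting."""
import re
from datetime import datetime, timezone

ARG = r"( [\w.:/-]+)*"   # command arguments; excludes '|' so output redirection cannot be appended


class CommandPolicy:
    """Ordered permit/deny regexes plus a privilege-level ceiling; first match wins."""

    def __init__(self, name, max_priv, rules):
        self.name = name
        self.max_priv = max_priv
        self.rules = [(action, re.compile(pattern)) for action, pattern in rules]

    def authorize(self, command, priv_lvl):
        if priv_lvl > self.max_priv:
            return False, "privilege level above the role's ceiling"
        cmd = " ".join(command.split())   # collapse whitespace padding before matching
        for action, rx in self.rules:
            if rx.fullmatch(cmd):         # fullmatch: a rule cannot be stretched by appending text
                return action == "permit", f"{action} by /{rx.pattern}/"
        return False, "no rule matched (default deny)"


# Constructed roles standing in for ClearPass TACACS+ enforcement profiles.
POLICIES = {
    "netops-readonly": CommandPolicy("netops-readonly", 1, [
        ("deny", r"show (running-config|startup-config).*"),   # configs carry secrets; deny listed first
        ("permit", r"show (version|interfaces|ip interface brief|ip route|ip arp)" + ARG),
        ("permit", r"(ping|traceroute) [\w.:-]+"),
    ]),
    "netops-admin": CommandPolicy("netops-admin", 15, [
        ("deny", r"(write erase|erase startup-config|reload).*"),   # destructive: change control only
        ("permit", r".*"),
    ]),
}


def accounting_record(user, nas, command, priv_lvl, authorized, now=None):
    """Accounting is evidence, not control: log the attempt even when it was denied."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return {"ts": ts, "user": user, "nas": nas, "priv_lvl": priv_lvl,
            "cmd": command, "authz": "permit" if authorized else "deny"}


def handle_command(user, role, nas, command, priv_lvl, audit_log, now=None):
    """Authorization decides, accounting records; both run on every command."""
    policy = POLICIES.get(role)
    if policy is None:
        ok, reason = False, "unknown role"
    else:
        ok, reason = policy.authorize(command, priv_lvl)
    audit_log.append(accounting_record(user, nas, command, priv_lvl, ok, now))
    return ok, reason


if __name__ == "__main__":
    log = []
    for user, role, cmd, lvl in [
        ("alice", "netops-readonly", "show ip interface brief", 1),
        ("alice", "netops-readonly", "show   running-config | include secret", 1),
        ("alice", "netops-readonly", "show ip route | redirect tftp://10.9.9.9/r", 1),
        ("bob", "netops-admin", "reload", 15),
    ]:
        ok, why = handle_command(user, role, "core-sw1", cmd, lvl, log)
        print(f"{user:6} {cmd!r:48} -> {'PERMIT' if ok else 'DENY'} ({why})")
    print(f"{len(log)} accounting records written")
```

The deny entries sit before the permits on purpose: with first-match evaluation a broad permit later in the list can never override them, and the accounting trail shows the denied attempts, which is what an audit actually wants to see.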
BYOD with Onboard
BYOD with Onboard
• CA Settings
– Stand-alone CA
– Intermediate CA
– ADCS
• Configuration Payloads
– iOS & Mac OS X
– Microsoft Windows
– Android
• Provisioning Settings
– EAP-TLS? PEAP-MSCHAPv2?
– Security Settings
– Certificate Renewal
Monitoring & Troubleshooting
Monitoring & Troubleshooting
• Monitoring on ClearPass
– Access Tracker
• Alerts Tab
• Accounting Tab
• “Show Logs”
– Analysis & Trending
• Drill Down
– Policy Simulation
– Authentication Simulation
– Insight
Monitoring & Troubleshooting
• External Monitoring
– SIEM with Syslog/APIs
– SNMP
– SQL Access
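Shipping ClearPass authentication events to a SIEM over syslog is only useful if something looks at them. The following is an added example, not code from the workshop or from ClearPass, of a detection pass over such an export: a sliding-window count of rejected authentications per user, and a flag when a success follows a run of failures (guessing that eventually worked). The sample lines are constructed; the field names echo Access Tracker columns, but the one-line key=value layout is an assumption, since ClearPass syslog export filters let you choose and order the columns yourself, and the error codes are illustrative.

```python
"""Added example: failed-authentication burst detection over ClearPass-style syslog."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (layout assumed; see lead-in).
SAMPLE = """\
2014-03-10T09:00:01Z Auth user=alice nas=10.1.1.5 service=Wireless-8021X status=ACCEPT error=0
2014-03-10T09:00:05Z Auth user=jsmith nas=10.1.1.5 service=Wireless-8021X status=REJECT error=215
2014-03-10T09:00:09Z Auth user=jsmith nas=10.1.1.5 service=Wireless-8021X status=REJECT error=215
2014-03-10T09:00:12Z Auth user=jsmith nas=10.1.1.5 service=Wireless-8021X status=REJECT error=215
2014-03-10T09:00:15Z Auth user=jsmith nas=10.1.1.5 service=Wireless-8021X status=REJECT error=215
2014-03-10T09:00:20Z Auth user=jsmith nas=10.1.1.5 service=Wireless-8021X status=REJECT error=215
2014-03-10T09:00:22Z Auth user=bob nas=10.1.1.6 service=Wired-MAB status=REJECT error=216
2014-03-10T09:00:31Z Auth user=jsmith nas=10.1.1.5 service=Wireless-8021X status=ACCEPT error=0
2014-03-10T09:00:40Z Auth user=carol nas=10.1.1.5 service=Wireless-8021X status=
2014-03-10T09:02:30Z Auth user=jsmith nas=10.1.1.5 service=Wireless-8021X status=REJECT error=215
"""

LINE_RX = re.compile(
    r"^(?P<ts>\S+) Auth user=(?P<user>\S+) nas=(?P<nas>\S+) service=(?P<service>\S+) "
    r"status=(?P<status>ACCEPT|REJECT|TIMEOUT) error=(?P<error>\d+)$")


def parse(line):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE_RX.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["error"] = int(ev["error"])
    return ev


def detect(lines, window=timedelta(seconds=60), burst=5, min_before_success=3):
    """Yield (alert, user, nas, timestamp) tuples plus a count of unparseable lines."""
    failures = defaultdict(deque)   # user -> timestamps of REJECTs inside the window
    alerts, malformed = [], 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        if ev is None:
            malformed += 1          # count, never silently drop: a parser gap hides attacks
            continue
        q = failures[ev["user"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["status"] == "REJECT":
            q.append(ev["ts"])
            if len(q) == burst:     # fire once per burst, not on every further failure
                alerts.append(("auth-burst", ev["user"], ev["nas"], ev["ts"]))
        elif ev["status"] == "ACCEPT":
            if len(q) >= min_before_success:
                alerts.append(("success-after-failures", ev["user"], ev["nas"], ev["ts"]))
            q.clear()
    return alerts, malformed


if __name__ == "__main__":
    found, bad = detect(SAMPLE.splitlines())
    for kind, user, nas, ts in found:
        print(f"{ts.isoformat()} {kind:24} user={user} nas={nas}")
    print(f"{bad} malformed line(s)")
```

The malformed-line counter matters in practice: when a column is added to the export filter and the parser stops matching, you want a number that jumps, not a detector that goes quiet.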
Q & A
Thank You