Advanced ClearPass Workshop Ashwath Murthy March, 2014


Page 1: Advanced Aruba ClearPass Workshop

Advanced ClearPass – Workshop

Ashwath Murthy

March, 2014

Page 2: Advanced Aruba ClearPass Workshop

CONFIDENTIAL – © Copyright 2014. Aruba Networks, Inc. All rights reserved. #AirheadsConf

Agenda

Discover Monitor Secure

Network Security with ClearPass

Deploying NAC with OnGuard

Wired & Wireless NAC

NAC – Best Practices

TACACS+ for Network Device Security

BYOD with Onboard

Monitoring & Troubleshooting

Page 3: Advanced Aruba ClearPass Workshop


Network Security with ClearPass

Page 4: Advanced Aruba ClearPass Workshop


Discover Monitor Secure

• Discover

– Discover via profiling

• DHCP

• Non-DHCP

• Monitor

– Enable policies in “Monitor” Mode

• Secure

– Secure Wireless, Wired and VPNs

Page 5: Advanced Aruba ClearPass Workshop


Network Security – Wired & Wireless

• Strong Security with 802.1X

– Enterprise Users

– Need for strong, session-driven security

• Captive Portals for Guest Access

– Transient users such as Guests, Contractors

– Limited network access zones

– Weaker security settings

• BYOD with unique credentials

– Employee BYO Devices

– Non-IT assets

Page 6: Advanced Aruba ClearPass Workshop


Network Security – Wired & Wireless

• Authenticate & Authorize

– Certificates

– UserID/Password

– Tokens/OTP

Page 7: Advanced Aruba ClearPass Workshop


Network Security – Wired

• Enable 802.1X on access ports

• Allow fall-back to less secure modes of access

– Limit network access

• Segregate responsibilities

– Aruba Roles

– VLANs

– ACLs/dACLs

– Upstream enforcement with L3-L7 firewalls such as Palo Alto

Page 8: Advanced Aruba ClearPass Workshop


Network Security – Wired

• But I have older switches that do not support 802.1X!

• Use SNMP to enforce port status

– Set VLANs and Session-Timeout values

– “Bounce” a port

– Send LinkUp/LinkDown and MAC Notification Traps to ClearPass

Page 9: Advanced Aruba ClearPass Workshop


Network Security – Wired

• How will ClearPass set VLANs using SNMP?

– Using the standard If-MIB

• SNMP VLANs and MAC Authentication? What!?

– Redirect the user to a captive portal after MAB

– Authenticate & Authorize with the captive portal
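As an added example, not part of the workshop deck: the SNMPv2c SetRequest that an SNMP-enforced port "bounce" sends, writing IF-MIB::ifAdminStatus (down, then up) for one interface index, encoded by hand so it runs without an SNMP library. The community string, interface index and request ids are constructed sample values; sending the datagram to UDP/161 is left to the caller.

```python
"""Build SNMPv2c SetRequest messages for IF-MIB::ifAdminStatus (RFC 2863).

Added example: hand-rolled BER encoding of the two SETs a NAC server issues
to bounce an access port (admin-down, then admin-up).  Values for community,
ifIndex and request-id below are constructed samples, not from the deck.
"""

IF_ADMIN_STATUS = (1, 3, 6, 1, 2, 1, 2, 2, 1, 7)   # IF-MIB::ifAdminStatus
UP, DOWN = 1, 2                                      # ifAdminStatus enum values


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form (leading 0x00 when needed)."""
    size = 1
    while not (-(1 << (8 * size - 1)) <= v < (1 << (8 * size - 1))):
        size += 1
    return tlv(0x02, v.to_bytes(size, "big", signed=True))


def ber_oid(oid) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    out = bytearray([40 * oid[0] + oid[1]])
    for sub in oid[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def set_request(community: str, request_id: int, if_index: int, status: int) -> bytes:
    """SNMPv2c message: version(1), community, SetRequest-PDU (tag 0xA3)."""
    varbind = tlv(0x30, ber_oid(IF_ADMIN_STATUS + (if_index,)) + ber_int(status))
    pdu = tlv(0xA3, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)


def bounce_port_messages(community: str, if_index: int, request_id: int = 1):
    """The two SETs, in order, that bounce a port: admin-down then admin-up."""
    return [set_request(community, request_id, if_index, DOWN),
            set_request(community, request_id + 1, if_index, UP)]
```

The SNMP write community is a credential: scope it to the NAC server's address on the switch and prefer SNMPv3 where the platform supports it.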

Page 10: Advanced Aruba ClearPass Workshop


Wireless Access Security

Page 11: Advanced Aruba ClearPass Workshop


Wireless – Enterprise

• Enable 802.1X – WPA/WPA2 Enterprise

– Session-based keys for secure connectivity

– Terminate EAP on ClearPass – infrastructure is EAP-agnostic

– Consistent user experience and security practice across deployments

Page 12: Advanced Aruba ClearPass Workshop


Wireless – Guest

• Enable Guest Access/MAC Authentication

– This can be combined with a WPA/WPA2 Passphrase

– Networks are inherently open unless secured!

– Strong access restrictions

• Tunneled VLANs

• Stateful ACLs

• DPI/Application Monitoring

Page 13: Advanced Aruba ClearPass Workshop


Wireless – BYOD

• What about BYO Devices?

• BYO Devices on the enterprise network

– Deliver certificates to BYO Devices using Onboard

– Segregate responsibilities by identifying BYO Devices

– Control device life cycle

• BYO Devices on the guest network

– Devices use a segregated guest network

– Limited network access

– Challenges with device life cycle

Page 14: Advanced Aruba ClearPass Workshop


NAC is Back, Baby!!!

Page 15: Advanced Aruba ClearPass Workshop


NAC

• Agent Types – Persistent/Dissolvable

• Posture Assessment – Windows, Mac, Linux

– Agent Types

– Health Check Options

• Enforcement Options

– Role-based

– Application-based

– To remediate, or not to remediate?

• Wired NAC vs. Wireless NAC

• NAC for VPN

• Best Practices, Thoughts

Page 16: Advanced Aruba ClearPass Workshop


TACACS+ for Network Devices

Page 17: Advanced Aruba ClearPass Workshop


TACACS+

• TACACS+ Authentication

– Console, Shell, UI Login

• TACACS+ Authorization

– Command Authorization

– Command Levels

• TACACS+ Accounting

– Accounting & Audit Trails

– Authorization vs. Accounting

• Vendor Specifics

– TACACS+ Dictionaries

Page 18: Advanced Aruba ClearPass Workshop


BYOD with Onboard

Page 19: Advanced Aruba ClearPass Workshop


BYOD with Onboard

• CA Settings

– Stand-alone CA

– Intermediate CA

– ADCS

• Configuration Payloads

– iOS & Mac OS X

– Microsoft Windows

– Android

• Provisioning Settings

– TLS? PEAP-MSCHAPv2?

– Security Settings

– Certificate Renewal

Page 20: Advanced Aruba ClearPass Workshop


Monitoring & Troubleshooting

Page 21: Advanced Aruba ClearPass Workshop


Monitoring & Troubleshooting

• Monitoring on ClearPass

– Access Tracker

• Alerts Tab

• Accounting Tab

• “Show Logs”

– Analysis & Trending

• Drill Down

– Policy Simulation

– Authentication Simulation

– Insight

Page 22: Advanced Aruba ClearPass Workshop


Monitoring & Troubleshooting

• External Monitoring

– SIEM with Syslog/APIs

– SNMP

– SQL Access

Page 23: Advanced Aruba ClearPass Workshop


Q & A

Page 24: Advanced Aruba ClearPass Workshop


Thank You
