Higher Education

Reply
This is an open group. Sign in and click the "Join Group" button to become a group member and start posting.
Highlighted
Frequent Contributor II
Posts: 249
Registered: ‎09-14-2011
Clearpass on hardline?.?.?

As our wireless environment has grown and developed into what we have now, with ClearPass and all of its role based goodness, I have been thinking. (I know, that's a dangerous thing for me to do) Can ClearPass also do role based access for hardwired networks as well as wireless? I have heard that it can in conjunction with 802.1x security on switch ports along with dynamic VLAN assignment. So this leads me to a few questions;

 

1 - Has anyone here done this and how did they do it?

2 - Where are you putting your access rules for your roles? Are you just running hardwired traffic through your controller and in essence using your controller for your core router? Are you just placing traffic on VLANs at the edge and then having a separate router/firewall take care of access restrictions?

3 - I know Bradford Networks has a NAC solution that essentially works like ClearPass but have heard from several of Bradfords customers that VLAN transition times can be upwards of 3 minutes per login (3 #$%^ing MINUTES!!) The ClearPass/Controller combo transitions VLAN very quickly for wireless clients, usually within 5 seconds or so, but would hardwiring this process slow it down too?

4 - Why did Ben (Kylo) kill his Dad? I am so pissed!

5 - Any other advice on the subject is welcome. This is something my team and I are beginning to discuss as an option as we are really not satisfied with our current NAC solution (Trustwave)

 

Thanks gang!

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Guru Elite
Posts: 8,637
Registered: ‎09-08-2010
Re: Clearpass on hardline?.?.?
Absolutely. A large number of customers deploy wireless then the wired side comes next. 

Some customers just do authentication and update identity throughout the network, others do full policy at the edge using the switches various features. 

Bradford is often deployed inline. ClearPass uses the standards based features of the switch. 

I would recommend starting with authentication then as a phase 2, start applying policy. The wired side is much more complex often due to the large mix of very different clients, lots of older devices and many different use cases. 

Sent from Nine

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Member
Posts: 1
Registered: ‎10-29-2010
Re: Clearpass on hardline?.?.?
Hi

We have been using clearpass with wired networks for 2 years and works very well

Clearpass make use of standards so if your switchs are compliant you can go further without problems

You must take care of the endpoints, pc, printers. Phones and their capabilities to create the roles and access rules

I recommend to read the design references and go ahead

Regards


Andrés Mauricio Espinosa M.
CESA Colegio de Estudios Superiores de Administración
Casa Casa Lleras -  Calle 35 # 5A-38
Pbx: (57 1) 339 53 00 
Contributor II
Posts: 68
Registered: ‎08-20-2007
Re: Clearpass on hardline?.?.?

We started down this same road a bit back, but we've really put a hold on it for Students and/or any BYOD devices on the wired side. With wired connections neither the Mac or PC defaults with 802.1x on, so getting the students to turn on extra services (Windows) and do more tweaking to get on the wired, non-guest, was even more of a reason for them to just get on Wireless. We get enough complaints with students having to change Win7 defaults for dot1x wifi; that and many of the wired connections are gaming devices.

Contributor II
Posts: 146
Registered: ‎05-12-2010
Re: Clearpass on hardline?.?.?

1. At Liberty University, we do full 802,1X on Aruba wireless and on Cisco switches in the residence halls for several years. We do not currently use RADIUS CoA, but we need to look at that fuirther.

A connected user first hits a captive web portal that has linke to either provision the client for 802.1X (currently using CloudPath XpressConnect) or registering the mac address for mac auth. We have separate VLans for Registration, Registered Devices (mac auth), Students, Staff, & IT Administrators. We assign VLANs by name so differenv=t access switches can have differing VLAN IDs for the same role. For our Cisco voice, we let CDP determine the VLAN? and use either the installed certicicate or mac auth on older phones, so ClearPass have the switch mark it as a voice device. We ise multi-domain authentication which only permits 1 voice & 1 data mac address per port.

 

We use 802.1X & registration information to map username to ip address for Internet bandwidth management purposes.

 

2. We are using RADIUS from the access switches to ClearPass.

 

3. In the past we used Bradford NAC (Aruba ECS) and found it lacking when we looked at mocing to 802.1X in 2006.

 

5. ClearPass is a very good standards-based solution, especially if you currently have Aruba wireless or wired equipmen

 



t. 

Bruce Osborne - Wireless Engineer
ACCP, ACMP
Search Airheads
Showing results for 
Search instead for 
Did you mean: