on 01-30-2016 09:24 AM
As our wireless environment has grown and developed into what we have now, with ClearPass and all of its role based goodness, I have been thinking. (I know, that's a dangerous thing for me to do) Can ClearPass also do role based access for hardwired networks as well as wireless? I have heard that it can in conjunction with 802.1x security on switch ports along with dynamic VLAN assignment. So this leads me to a few questions;
1 - Has anyone here done this and how did they do it?
2 - Where are you putting your access rules for your roles? Are you just running hardwired traffic through your controller and in essence using your controller for your core router? Are you just placing traffic on VLANs at the edge and then having a separate router/firewall take care of access restrictions?
3 - I know Bradford Networks has a NAC solution that essentially works like ClearPass but have heard from several of Bradfords customers that VLAN transition times can be upwards of 3 minutes per login (3 #$%^ing MINUTES!!) The ClearPass/Controller combo transitions VLAN very quickly for wireless clients, usually within 5 seconds or so, but would hardwiring this process slow it down too?
4 - Why did Ben (Kylo) kill his Dad? I am so pissed!
5 - Any other advice on the subject is welcome. This is something my team and I are beginning to discuss as an option as we are really not satisfied with our current NAC solution (Trustwave)
Network+ | CWNA | ACSP | ACMP | ACMA | BREC
on 01-30-2016 09:31 AM
Some customers just do authentication and update identity throughout the network, others do full policy at the edge using the switches various features.
Bradford is often deployed inline. ClearPass uses the standards based features of the switch.
I would recommend starting with authentication then as a phase 2, start applying policy. The wired side is much more complex often due to the large mix of very different clients, lots of older devices and many different use cases.
Sent from Nine
on 01-30-2016 10:33 AM
We have been using clearpass with wired networks for 2 years and works very well
Clearpass make use of standards so if your switchs are compliant you can go further without problems
You must take care of the endpoints, pc, printers. Phones and their capabilities to create the roles and access rules
I recommend to read the design references and go ahead
Andrés Mauricio Espinosa M.
CESA Colegio de Estudios Superiores de Administración
Casa Casa Lleras - Calle 35 # 5A-38
Pbx: (57 1) 339 53 00
on 02-01-2016 07:22 AM
We started down this same road a bit back, but we've really put a hold on it for Students and/or any BYOD devices on the wired side. With wired connections neither the Mac or PC defaults with 802.1x on, so getting the students to turn on extra services (Windows) and do more tweaking to get on the wired, non-guest, was even more of a reason for them to just get on Wireless. We get enough complaints with students having to change Win7 defaults for dot1x wifi; that and many of the wired connections are gaming devices.
on 02-01-2016 07:50 AM
1. At Liberty University, we do full 802,1X on Aruba wireless and on Cisco switches in the residence halls for several years. We do not currently use RADIUS CoA, but we need to look at that fuirther.
A connected user first hits a captive web portal that has linke to either provision the client for 802.1X (currently using CloudPath XpressConnect) or registering the mac address for mac auth. We have separate VLans for Registration, Registered Devices (mac auth), Students, Staff, & IT Administrators. We assign VLANs by name so differenv=t access switches can have differing VLAN IDs for the same role. For our Cisco voice, we let CDP determine the VLAN? and use either the installed certicicate or mac auth on older phones, so ClearPass have the switch mark it as a voice device. We ise multi-domain authentication which only permits 1 voice & 1 data mac address per port.
We use 802.1X & registration information to map username to ip address for Internet bandwidth management purposes.
2. We are using RADIUS from the access switches to ClearPass.
3. In the past we used Bradford NAC (Aruba ECS) and found it lacking when we looked at mocing to 802.1X in 2006.
5. ClearPass is a very good standards-based solution, especially if you currently have Aruba wireless or wired equipmen