Occasional Contributor II
Posts: 16
Registered: 09-16-2014

Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

I had a question that I just don't know the answer to.

Can the ClearPass wired NAC shut a port on a switch due to a user/computer not being in AD or bad attempts?

If so, where/what/how is this done?

Guru Elite
Posts: 8,632
Registered: 09-08-2010

Re: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

It depends on the capability of the switch. You could potentially do this via an SNMP enforcement.

The more common way of enforcing this policy would be to put the user into a dead-end VLAN.

If you shut the port down and the user is connected behind a VoIP phone, for example, the phone would be disabled as well.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 16
Registered: 09-16-2014

Re: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

That's what I was guessing when thinking about this, but is there some policy for this or do you have to write a custom policy to do the shutdown? I just didn't know if it was possible. These are with some ClearPass certified Dell N series switches...they were bought before Aruba cuddled up to HP :-p

Guru Elite
Posts: 8,632
Registered: 09-08-2010

Re: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

Do you happen to have the SNMP guide for that series switch? I did a quick Google search and couldn't find one.

Also, keep in mind, the HP acquisition does not impact the open nature of Aruba's products like ClearPass.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 16
Registered: 09-16-2014

Re: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

Dell N series

2000/3000/4000 are pretty much all the same functionality wise except 10gig ports and SFP+ etc...

http://www.dell.com/support/home/us/en/04/product-support/product/networking-n3000-series/manuals

MVP
Posts: 1,414
Registered: 11-30-2011

Re: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

No definitive yes or no, but on related switches it is possible to set a VLAN:

http://en.community.dell.com/support-forums/network-switches/f/866/t/19257012

So the trick is to find the interface enabled OID and try to "set" it.

Occasional Contributor II
Posts: 16
Registered: 09-16-2014

Re: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

Just how would I set this up? Doing either putting them on a dead VLAN or shutting the port?

I am very new with ClearPass and am just lost on setting something like this up.

Sorry I need so much help but I am lost.

MVP
Posts: 1,414
Registered: 11-30-2011

Re: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

Do you have an Aruba partner that you can ask for help? It might be useful to go through the whole product first with someone who has worked with it before. You will get some replies here most likely, but it is just small things and you might end up with a configuration that could be enhanced a lot.

It might also be useful to just Google and search here for some ClearPass policy examples to get an idea of the flow.

What do you already have working?

Occasional Contributor II
Posts: 16
Registered: 09-16-2014

Re: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

We have nothing installed.

It's a brand new install where they decided to go with ClearPass since they just released the Hyper-V version.

Having to put in a complete network stack, some APs and this ClearPass policy server.

I have some install guides/administrator guides that I can follow, but this isn't a standard case as far as I can see or searching can tell me.

MVP
Posts: 1,414
Registered: 11-30-2011

Re: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

Who sold you the Aruba ClearPass? Can they perhaps also help you with configuring it? What brand are the network switches?

Looking back at your original question, and if nothing has been configured yet: in principle, if you build it correctly (the wired 802.1X template will get you there pretty much), then anyone not getting through authorization will just be denied access. There is no specific need to disable a switchport. Why do you want that to happen beyond the user not getting access anyway?
