Security

Contributor II
Posts: 46
Registered: ‎06-19-2015

ClearPass Devices; Using a CatchAll Subnet vs Each Device

I am curious about using a catchall subnet for our company in CPPM, since we have over 750 devices that we wish to point to CPPM for RADIUS authentication. We are using CPPM to point to Active Directory and hit upon a particular network admin profile so that it returns the proper role; it's not like anyone can just authenticate to it.

Is there anything wrong with just using a catchall subnet, like 10.0.0.0/8 to cover our internal network, instead of entering every single device in there one by one? I also was working on an XML file that I could import, but even that takes forever to make with 750 devices.

What are the downsides or concerns of using a catchall subnet in the Devices tab on CPPM?

Guru Elite
Posts: 7,851
Registered: ‎09-08-2010

Re: ClearPass Devices; Using a CatchAll Subnet vs Each Device

The only downside would be that it is a little loose on the security side, but it's a very common scenario.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 46
Registered: ‎06-19-2015

Re: ClearPass Devices; Using a CatchAll Subnet vs Each Device

Thank you, this is what I expected. 

But what makes this loose on the security side if we are manually pointing the devices to the CPPM and it checks against AD for a particular group membership before granting access?

MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: ClearPass Devices; Using a CatchAll Subnet vs Each Device

You don't control any more which devices can use ClearPass, so someone could introduce a device and have it do regular authentication against ClearPass while perhaps sniffing credentials.

The chance isn't that great, I think, and they still need the shared secret as well.
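One compensating control for the looseness described above, as an added example (not from this thread and not ClearPass's own code): reconcile the NAS IP seen in authentication records against the inventory of devices that are supposed to exist, so that a source that falls inside the catch-all range but is not on the list gets flagged. The inventory, addresses and the simplified key=value log format are constructed for the example and are not the real Access Tracker export format.

```python
import ipaddress
import re
from collections import Counter

# Constructed inventory of NADs that are actually meant to talk to CPPM.
# In the thread this would be the ~750 switches/controllers; a few example addresses here.
KNOWN_NADS = {"10.1.10.5", "10.1.10.6", "10.2.20.7"}

# The catch-all device entry discussed in the thread.
CATCHALL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample authentication records in a simplified key=value form.
SAMPLE_LOG = """\
2015-06-19T10:00:01 nas_ip=10.1.10.5 user=jdoe result=ACCEPT
2015-06-19T10:00:07 nas_ip=10.1.10.6 user=asmith user_role=netadmin result=ACCEPT
2015-06-19T10:01:12 nas_ip=10.9.99.42 user=jdoe result=REJECT
2015-06-19T10:01:15 nas_ip=10.9.99.42 user=jdoe result=REJECT
2015-06-19T10:02:30 nas_ip=172.16.5.5 user=bob result=REJECT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+nas_ip=(?P<nas>\S+)\s+user=(?P<user>\S+).*\s+result=(?P<result>\S+)$")


def parse_line(line):
    """Return a dict for one record, or None if the line does not match the expected form."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def would_match_catchall(nas_ip, catchall=CATCHALL):
    """True if a request from this NAS IP would be matched by the catch-all device entry."""
    return ipaddress.ip_address(nas_ip) in catchall


def audit(log_text, known_nads=KNOWN_NADS, catchall=CATCHALL):
    """Count requests from NAS IPs that the catch-all would accept but that are not in the inventory.

    Sources outside the catch-all range are ignored here, since no device entry would match them.
    Returns {nas_ip: request_count} for the unexpected NADs only.
    """
    unexpected = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        nas = rec["nas"]
        if would_match_catchall(nas, catchall) and nas not in known_nads:
            unexpected[nas] += 1
    return dict(unexpected)
```

Any address reported by `audit` is a NAD that the catch-all entry would answer but that nobody registered, which is exactly the visibility lost when individual device entries are replaced by a subnet.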
