Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass OnGuard Quarantine VLAN Setup

  • 1.  ClearPass OnGuard Quarantine VLAN Setup

    Posted Dec 18, 2018 04:38 PM

    Hi,

    I have tried to have a look for this information but have not found anything useful as yet.

    I want to know general information on how to setup a quarantine VLAN correctly with OnGuard and what is the best way to set this up with HP MSM.

    With Aruba wireless controllers, you can send a quarantine role back and you do not even need to have a separate VLAN for this as the role will define the access.

    The specific question for this is, what do you need to allow in this role?

    Does Aruba have a list of sites that need to be allowed and is this something that is maintained by Aruba?

    I have seen other people’s installs implement the following on the role:

    (Unfortunately those people are not around anymore to ask the question to.)

    User role example:

    User any appcategory antivirus permit
    Any ClearPass VIP https permit
    Any ClearPass VIP tcp6658 permit

    So if I end up in remediation, how do the above rules allow me to contact remediation sites to get my update?

    Looking at the controller antivirus category, it allows the following:

    #show dpi application category antivirus

    List of Applications
    --------------------
    Name              App ID  App Category  Default Ports  Applied
    ----              ------  ------------  -------------  -------
    fsecure           2249    antivirus     tcp 80,443     0
    ghostsurf         1107    antivirus     tcp 12200      0
    mcafee            111     antivirus     tcp 80         0
    peerguardian      2006    antivirus     tcp 80,443     0
    sophos-update     1096    antivirus     tcp 80         0
    zonealarm-update  754     antivirus     tcp 80,443     0

    Total applications in this category = 6


    For example, if I fail for not having up-to-date definitions for my AVG AV, how does the above allow me to get my updates when AVG is not listed?

    This would be the same question for any other AV, i.e. Kaspersky, Avast, etc.

    They are not listed above, so how will they get any updates?

     

    I am doing a HP MSM Wireless configuration with ClearPass and they would like to use OnGuard.

    What is the correct way of creating a remediation VLAN?

    What sites do I need to allow access to?

    How can the VLAN be restricted through the firewall? Is restricting on the firewall the correct way to do it?

     

    Please let me know your thoughts on the correct way to create a remediation VLAN when using Aruba Wireless, Wired, non-Aruba Wireless and non-Aruba Wired.

    Thanks,



  • 2.  RE: ClearPass OnGuard Quarantine VLAN Setup

    Posted Jan 22, 2019 11:25 AM

    I have similar questions. Some users are having difficulty downloading OS updates while being quarantined. Our policy, in part, allows access to windows-update and apple-update. The commands below show what ports are allowed, but don't show how the destination is determined/restricted.

    Does anyone have any idea how to see what the application OS updates are actually doing?

    any any app windows-update permit
    any any app apple-update permit

    show dpi application windows-update

    Applications
    ------------
    Name App ID App Category Default Ports Applied
    ---- ------ ------------ ------------- -------
    windows-update 562 web tcp 80,443 0

    show dpi application apple-update

    Applications
    ------------
    Name App ID App Category Default Ports Applied
    ---- ------ ------------ ------------- -------
    apple-update 563 web tcp 80 0



  • 3.  RE: ClearPass OnGuard Quarantine VLAN Setup

    Posted May 17, 2019 04:34 AM

    I guess that no one has the answers to yours or my questions.



  • 4.  RE: ClearPass OnGuard Quarantine VLAN Setup

    Posted May 17, 2019 12:26 PM

    Hey Mr. Wilson!

    It is my understanding that the fingerprints are updated as needed in updates to AOS. I have not found a resource that shows how each is defined. However, you can use some clues found in the sessions table using the below commands.

    To get the desired appid:

    show dpi application all | include windows-update

    To see active sessions that match that appid (562 for windows-update):

    show datapath session dpi table appid 562




  • 5.  RE: ClearPass OnGuard Quarantine VLAN Setup

    Posted May 17, 2019 12:34 PM

    I don't create a remediation VLAN, I create a role on AOS as you mentioned.

    The list of things to allow is up to you, really. Here is my general role barring any specific requirements:

    ALLOW DHCP/DNS to corp
    ALLOW OnGuard to CPPM
    ALLOW HTTP/HTTPS to CPPM
    ALLOW HTTP/HTTPS to remediation servers (WSUS if local, etc.)
    DENY any any to corp network(s)
    ALLOW HTTP/HTTPS to any


    The deny to corp, then allow to HTTP/HTTPS will generally work for most products as they check the web over HTTPS to get their updates.
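As an added illustration (not code from this thread, from HPE Aruba, or from any poster) of why the order of the role above matters, here is a small first-match model of that rule list; the corp network, ClearPass VIP and WSUS addresses are constructed, and TCP 6658 for OnGuard is the port quoted in the first post. It also goes one step beyond the reply by showing what happens if the "allow HTTP/HTTPS to any" line is placed ahead of the corp deny.

```python
# Added example: first-match model of the quarantine role from reply 5.
# All addresses below are constructed for illustration.
import ipaddress
from typing import List, Optional, Tuple

CORP = ipaddress.ip_network("10.0.0.0/8")         # constructed corp network
CPPM = ipaddress.ip_network("10.1.1.10/32")       # constructed ClearPass VIP
WSUS = ipaddress.ip_network("10.1.2.20/32")       # constructed local WSUS
ANY = ipaddress.ip_network("0.0.0.0/0")

# (description, destination, protocol, allowed ports or None, action)
Rule = Tuple[str, ipaddress.IPv4Network, str, Optional[set], str]

# Same order as the reply: specific permits, deny corp, then permit web to any.
QUARANTINE_ROLE: List[Rule] = [
    ("dhcp/dns to corp", CORP, "udp", {53, 67}, "permit"),
    ("onguard to cppm", CPPM, "tcp", {6658}, "permit"),   # tcp6658 from post 1
    ("http/https to cppm", CPPM, "tcp", {80, 443}, "permit"),
    ("http/https to wsus", WSUS, "tcp", {80, 443}, "permit"),
    ("deny corp", CORP, "any", None, "deny"),
    ("http/https to any", ANY, "tcp", {80, 443}, "permit"),
]

def evaluate(role: List[Rule], dst: str, proto: str, port: int) -> Tuple[str, str]:
    """Walk the role top-down; first matching rule wins, else implicit deny."""
    addr = ipaddress.ip_address(dst)
    for desc, dnet, rproto, ports, action in role:
        if addr not in dnet:
            continue
        if rproto != "any" and rproto != proto:
            continue
        if ports is not None and port not in ports:
            continue
        return action, desc
    return "deny", "implicit deny"

def misordered_role() -> List[Rule]:
    """Same rules, but 'http/https to any' moved ahead of 'deny corp'."""
    rules = list(QUARANTINE_ROLE)
    rules.insert(4, rules.pop(5))
    return rules

if __name__ == "__main__":
    for flow in [("10.1.1.10", "tcp", 6658), ("10.5.5.5", "tcp", 443),
                 ("203.0.113.7", "tcp", 443)]:
        print(flow, "ordered:", evaluate(QUARANTINE_ROLE, *flow),
              "misordered:", evaluate(misordered_role(), *flow))
```

With the reply's order, web to an internal host hits the corp deny, while the same flow to an internet host reaches the final permit; with the permit moved up, the internal host becomes reachable over 80/443.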