05-17-2017 04:35 PM
I am new to CPPM and would like to get help from others.
The requirment of the tasks as below,
- The end devices (servers, printers, and etc) are configured by the static IP addresses
- Certification has been installed on the devices
- No profiled yet but after authentication, the VLAN will be assigned to the device and be profied into the right category
I have a few questions
1. When the static IP already assigned on the device, what is the best way to use authentication method?
Adding all static IP addresses into Active Directory under 'computer' and use AD for authentication method with devices' IP or MAC address save on the AD?
Using Static Host List from 'Device' menu on CPPM by adding IP or MAC address and use authentication method? I found that 'belongs to group' is selected, then 'Static Host List' save with IP based won't be available (only MAC address list is avalable)
2. Can I use 'certification' installed on the devices as authentication method combined with above (AD or Static Host List)? please show me how to.
3. How can CPPM allocate the correct VLAN per device group (Server, printer and etc)?
4. How can the devices be profiled ater completing task above?
Thanks in advance.
05-18-2017 11:13 AM - edited 05-18-2017 12:19 PM
I'll try to help a bit even if i'm not sure to follow on everything :)
First, to profile devices, Clearpass uses different collectors. In your case, since devices have static IP addresses you can't use the DHCP collector.
For this, you can use the Subnet Scanner and the ARP read feature.
Please refer to this amazing tech note which describes clearly everything : (starts at page 16)
Secondly, 802.1x auth or MAC auth are at layer 2, this is before the concept of having an IP and access. The switch only forwards your authentication request to Clearpass and then if accepted by Clearpass, it will return an accept to the switch thus giving you network access.
Once profiled, you can create authorization on the endpoints based on their profile. Basically, if a server with a cert is plugged into a switch port, the TLS authentication will go thru, then the authorization will be done according to the endpoint type or else if you want.
Another way to authorize the devices would be to have them in AD groups based on their purpose so the authorization of the devices will be done in regard to their AD group membership.
If a device matches X condition, then you can return X VLAN to the switch with enforcement profiles.
05-18-2017 11:20 AM