03-31-2014 11:56 AM
During a discovery call, a customer asked if we supported a feature similar to Cisco’s ISE/SGA as copied below. The way we proposed the ClearPass solution to the customer indicated that there was really little difference to what they were currently doing. They are interested in deploying SGA/ISE because it provided the capability of something he (the customer) referred to as "secure labels" to uniquely identify the users and devices:
Understanding the SGA Architecture
The Cisco Security Group Access (SGA) solution establishes clouds of trusted network devices to build secure networks. Each device in the Cisco SGA cloud is authenticated by its neighbors (peers). Communication between the devices in the SGA cloud is secured with a combination of encryption, message integrity checks, and data-path replay protection mechanisms. The SGA solution uses the device and user identity information that it obtains during authentication to classify, or color, the packets as they enter the network. This packet classification is maintained by tagging packets when they enter the SGA network so that they can be properly identified for the purpose of applying security and other policy criteria along the data path. The tag, also called the security group tag (SGT), allows ISE to enforce access control policies by enabling the endpoint device to act upon the SGT to filter traffic.
04-01-2014 04:30 AM - edited 04-01-2014 04:36 AM
I think the way to word this is Cisco's Security Group Tagging is their "comparable" solution to Aruba's role-based access controls. If your customer wants "secure labels" to identify the users and devices, explain to them what a role is and how powerful it can be to secure their devices.
Clearpass doesn't have a comparable solution itself, because ArubaOS (irrespective of ClearPass) has been doing this all along through role-based access controls. ClearPass merely assists with the assignment of those roles through context of the user/device/connection/etc.
Aruba's solution is to assign a role to every device at the time of connection, and apply firewall policies on the controller before it gets on the wire. Aruba doesn't tag things through to every device in a group, because there is no need to; they are already allowed/restricted before they hit those other devices.
Also, this solution is Cisco proprietary... whereas role-based access controls will overlay to any infrastructure.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
08-14-2015 09:57 AM
In the middle of a PoC for Cisco ISE with TrustSec and SGT. For the most part ISE looks a lot like CPPM with the exception that ISE can push SGT information to the Cisco switches. Based on what I think I know :-) this allows the user's packets to be tagged with an SGT # and as it exits each hop/device interface the SGT is checked and appropriate access given.
I am struggling to see why this is needed if access at the access layer is already enforced with 802.1X and maybe some downloadable ACLs from ISE or CPPM. Can anyone help me understand how SGT is better?
To the point in the post above, Aruba roles are awesome, but in a large campus with 40 Cisco 6509s with 10gig uplinks in IDFs to the core how could we leverage Aruba roles? My thought is Aruba roles are only of value if the traffic flows through a controller or MAS, and the only way I can apply an Aruba security option is to use CPPM for NAC with downloadable ACLs.
Any thoughts, comments or solutions appreciated. I love my Aruba gear.
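A toy model of the two enforcement styles compared in this post, added here as an illustration and not code from any poster or vendor: ingress tagging with a (source group, destination group) matrix checked at the egress hop, versus the same policy rendered as a destination-IP dACL on the access port. The inventory, addresses, group names and matrix are constructed; the point it shows is that the port dACL is only as current as the last push, while the matrix re-derives the destination group on every packet.

```python
"""Toy model of SGT-style matrix enforcement vs. an ingress dACL.
All groups, addresses and policy entries are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sgt: Optional[str] = None  # group tag set at ingress, carried hop to hop

# What 802.1X / NAC learns at authentication time: endpoint address -> group
INVENTORY = {"10.1.1.10": "employee", "10.1.1.11": "contractor",
             "10.9.9.5": "hr-server", "10.9.9.6": "print-server"}

# Policy as a (source group, destination group) matrix; anything absent is denied
MATRIX = {("employee", "hr-server"), ("employee", "print-server"),
          ("contractor", "print-server")}

def classify_at_ingress(pkt, inventory):
    """Access switch stamps the packet with the authenticated source's group."""
    return replace(pkt, sgt=inventory.get(pkt.src_ip, "unknown"))

def enforce_at_egress(pkt, inventory):
    """Egress hop derives the destination's group and consults the matrix."""
    return (pkt.sgt, inventory.get(pkt.dst_ip, "unknown")) in MATRIX

def build_dacl(src_ip, inventory):
    """dACL style: the same policy rendered as a destination-IP allow list
    for the access port at the moment the source authenticates."""
    g = inventory.get(src_ip, "unknown")
    return frozenset(ip for ip, dg in inventory.items() if (g, dg) in MATRIX)

def enforce_dacl(dacl, pkt):
    """Port applies the allow list it was given; no identity lookup here."""
    return pkt.dst_ip in dacl

def server_move_demo():
    """HR server changes address after the employee port was authorised."""
    pkt = Packet("10.1.1.10", "10.9.9.5")
    dacl = build_dacl(pkt.src_ip, INVENTORY)           # pushed at auth time
    moved = dict(INVENTORY)
    del moved["10.9.9.5"]
    moved["10.9.9.50"] = "hr-server"                   # same group, new address
    new_pkt = Packet("10.1.1.10", "10.9.9.50")
    tagged = classify_at_ingress(new_pkt, moved)
    return {"dacl_before_move": enforce_dacl(dacl, pkt),
            "dacl_after_move": enforce_dacl(dacl, new_pkt),   # stale until re-pushed
            "matrix_after_move": enforce_at_egress(tagged, moved)}

if __name__ == "__main__":
    print(server_move_demo())
```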
08-14-2015 10:01 AM
update other network devices upstream. That is the beauty of an open product
like ClearPass vs a completely closed product like ISE.
SGT is typical Cisco marketecture.
08-14-2015 10:13 AM
Thanks for the quick reply. Could you please just expand a little on the API option so I can do some searching on this. Would the APIs come from configuration in CPPM or an external server? And what types of upstream updates would be possible?
I asked my local Aruba team about comparable options to SGT and they were not aware of any, so I was going to take the approach of why is SGT so important if we already have access control at the access layer.
08-14-2015 10:16 AM
ClearPass can send updates to almost any other network device that supports
an API or RADIUS accounting. Individual capabilities will depend on the
network device. So things like updating the user's identity, dACLs, etc.