Occasional Contributor II
Posts: 12
Registered: 09-17-2015

Clearpass Feature Query

Please advise: which features can we use to secure a 3Com & HPE wired environment, according to the following scenario?

There are 2 VLANs:
1. Management VLAN
2. Users VLAN

There is no L3 connection between those 2 VLANs. We are not allowed to configure the ClearPass server to use 2 different interfaces (mgmt & data); we can choose to work in only one segment.

There is access to the DC only from the users VLAN.

We are being asked to supply a solution for 2 main issues:

1. A computer with 2 active network cards (wireless/wired) will be sent to a quarantine VLAN / have its switch port blocked until the wireless connection gets disconnected.

2. Verify & enforce that only domain / corporate machines will be allowed to connect to the wired network.

In the future there will be an Aruba wireless controller connected to the mgmt VLAN (but until then we need to find a solution).

According to the scenario limitations, which ClearPass features can we use in order to achieve the above?

Is LLDP being used to collect information?

Best Regards,
Shay

MVP
Posts: 978
Registered: 04-13-2009

Re: Clearpass Feature Query

Hi Shay,

"1. A computer with 2 active network cards (wireless/wired) will be sent to a quarantine VLAN / switch port blocked until the wireless connection gets disconnected."

ClearPass OnGuard can do this. See the image below, where we are checking that a Windows 10 device only has a single wired network connection. If wireless is enabled then the device can be quarantined. You can also configure a remediation action where the wireless is automatically disabled or disconnected.

[image: onguard.jpg]

"2. Verify & enforce that only domain / corporate machines will be allowed to connect to the wired network."

There are many ways to do this. You can do 802.1X (EAP-PEAP or EAP-TLS) machine-only authentication and configure a ClearPass service to support it.

"According to the scenario limitations, which ClearPass features can we use in order to achieve the above?"

ClearPass Policy Manager & ClearPass OnGuard.

"Is LLDP being used to collect information?"

No.

Cheers
James

@whereisjrw | blog
ACCX #540 | ACMX #353 | ACDX #216
Mobility First Expert #11

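As an added illustration (not ClearPass or OnGuard code, and not from James's post), the following is the posture logic that such a health check implements: a host with an active wired link is compliant only if no wireless adapter is connected at the same time, and a wireless adapter that is present but disconnected does not trigger quarantine, which matches Shay's "until the wireless connection gets disconnected" requirement. The CSV adapter inventory and the media-type names are constructed for the example; a real agent would collect them from the operating system.

```python
# Added example: simplified "dual-homed host" posture check.
# Not ClearPass/OnGuard code. Adapter inventory below is constructed to
# resemble what an endpoint agent could gather from the OS.
import csv
from dataclasses import dataclass
from io import StringIO
from typing import List

# Constructed mapping from media type to the adapter class we care about.
# Anything else (Bluetooth, loopback, VPN tunnels) is ignored by the check.
MEDIA_KIND = {"802.3": "wired", "Native 802.11": "wireless"}


@dataclass
class Adapter:
    name: str
    kind: str   # "wired" or "wireless"
    up: bool    # True when the adapter has an active link


@dataclass
class Posture:
    compliant: bool
    reason: str
    action: str  # what the enforcement side would do


def parse_inventory(text: str) -> List[Adapter]:
    """Parse a constructed 'name,media,status' CSV into Adapter records."""
    adapters = []
    for row in csv.DictReader(StringIO(text)):
        kind = MEDIA_KIND.get(row["media"].strip())
        if kind is None:
            continue
        up = row["status"].strip().lower() == "up"
        adapters.append(Adapter(row["name"].strip(), kind, up))
    return adapters


def evaluate(adapters: List[Adapter]) -> Posture:
    """Compliant only when exactly one wired link is up and no wireless link is up."""
    wired_up = [a.name for a in adapters if a.kind == "wired" and a.up]
    wireless_up = [a.name for a in adapters if a.kind == "wireless" and a.up]
    if not wired_up:
        # Wireless-only host: this wired-network check does not apply.
        return Posture(True, "no active wired link; check not applicable", "none")
    if wireless_up:
        return Posture(False,
                       f"wired {wired_up} active together with wireless {wireless_up}",
                       "quarantine VLAN; auto-disable wireless as remediation")
    if len(wired_up) > 1:
        return Posture(False, f"multiple active wired links {wired_up}", "quarantine VLAN")
    return Posture(True, f"single active wired link {wired_up[0]}", "none")


def remediate_disable_wireless(adapters: List[Adapter]) -> List[Adapter]:
    """Simulate the remediation action: wireless adapters are brought down."""
    return [Adapter(a.name, a.kind, False) if a.kind == "wireless" else a
            for a in adapters]


# Constructed sample inventories.
SAMPLE_DUAL_HOMED = """name,media,status
Ethernet,802.3,Up
Wi-Fi,Native 802.11,Up
Bluetooth Network Connection,Bluetooth,Disconnected
"""

SAMPLE_CLEAN = """name,media,status
Ethernet,802.3,Up
Wi-Fi,Native 802.11,Disconnected
"""

if __name__ == "__main__":
    for label, text in [("dual-homed", SAMPLE_DUAL_HOMED), ("clean", SAMPLE_CLEAN)]:
        print(label, evaluate(parse_inventory(text)))
    fixed = remediate_disable_wireless(parse_inventory(SAMPLE_DUAL_HOMED))
    print("after remediation", evaluate(fixed))
```

The check is deliberately keyed on link state rather than on the mere presence of a wireless adapter, so a laptop whose Wi-Fi is off passes, and re-running `evaluate` after the remediation step shows the host returning to compliance.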
Occasional Contributor II
Posts: 12
Registered: 09-17-2015

Re: Clearpass Feature Query

Hi James,

1. I am familiar with the OnGuard option.

The client device and the ClearPass server are in two different VLANs and there is no Layer 3 routing between them. How exactly will ClearPass be able to collect information from the station agent in this method?

2. So apart from 802.1X, which we can use only with the local DB (we can't connect the CPPM to both the users & mgmt VLANs; the DC is located in the users VLAN), or a preconfigured endpoints DB / MAC mask, what other methods can we use?

-- About LLDP --

The SNMP Collector is using LLDP, CDP, ARP etc. to collect information.

Thanks,

Shay
