09-26-2013 03:43 AM
We are in the process of implementing clearpass policy manager and clearpass Guest.
I have some initial doubts:
1. ClearPass is going to integrate with AD. That is done using the data port, correct?
ClearPass only queries AD, correct?
2. Implement 802.1X on corporate access (users log in with AD credentials and then, depending on the device they are using, a policy is applied). Is this the best way and the more secure 802.1X? What do I need?
For now we are using WPA2 on Aruba.
3. ClearPass Guest will deliver guest access to users (HTTP, HTTPS); the SSID is already created on the Aruba controller.
09-26-2013 06:32 AM
Yes the AD should communicate with your ClearPass over the data port. From what I have observed ClearPass only queries.
802.1X is secure. It is recommended over WPA2-PSK, at least in a corporate environment.
In order to do what you want, you can use your AD groups with some role mappings to identify the users and devices and place them into the correct User Role and VLAN. You can also look at Onboarding as well.
We have made it so that smart phones and tablets go into their own VLAN with their own User Role, and authenticated computers go into another. CPPM can pretty much do whatever you want; you just have to know what that is.
3. Not sure if this is a question or just a statement. You can also use the CPPM to handle your guests though if you have the licensing for ClearPass Guest. I would recommend maybe using this so that everything can be managed through the CPPM.
09-27-2013 03:09 AM
Thanks for the info and help.
Do you have the OnGuard module on ClearPass? We only have Policy Manager and Guest.
We will have the need to distinguish between iPhones, Androids, iPads and corporate computers. But that is done with Policy Manager, correct?
And another thing: is it possible on Access Tracker to see what devices are connected and what TCP or UDP ports they are using? Because we have a firewall, but it only states the Aruba source IP address and not the client's IP. That is because of the NAT.
09-27-2013 05:07 AM - edited 09-27-2013 05:07 AM
You can distinguish between corporate devices and other devices in three ways:
- Maintain a database of corporate device MAC addresses (not very secure, but works)
- Use TLS and issue computer certificates to corporate owned machines
- Use machine authentication
In terms of access tracker, it is only concerned with authentication requests. You will not be able to display session based information as that all happens post-authentication.
09-27-2013 05:19 AM
To add to what @cappalli suggested.
You could also use the Endpoints database to manage your Apple iPhones/Tablets and Android phones/tablets.
Once an Endpoint profile exists for your device, you could add a custom attribute to the device to identify it as a company-owned device.
You could then design your rules to look for the device type + this custom attribute. It is a little bit of work in the beginning, but once it's done it should be fairly easy to maintain.
And for corporate computers, if you can't issue certificates, just use EAP-PEAP and the [Machine Authenticated] TIPS Role.
As for the visibility of the TCP/UDP ports, you could use the following command on the controller: show datapath session table <A.B.C.D>
This will show you all the active connections of the clients.
09-27-2013 05:34 AM
You could also automate the attribute process a little bit.
You could create a ClearPass Entity Update Enforcement profile that says if machine authenticated, then update endpoint database attribute "Corporate Asset" to true. Then when you have all of the data you need, you can use the endpoint database as your authoritative source.
We used this method before we went live with the endpoint database to help build up the data.
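Added illustration, not ClearPass code or its API: a small Python model of the scheme the two posts above describe, where a machine authentication stamps the endpoint record with a "Corporate Asset" attribute and later role mapping combines device type with that attribute. The endpoint records, MAC addresses, the "Domain Users" group, role names and VLAN numbers are all constructed for the example.

```python
from dataclasses import dataclass, field

# Device types that profiling reports for phones and tablets (constructed set).
MOBILE_TYPES = {"Apple iPhone", "Apple iPad", "Android"}


@dataclass
class Endpoint:
    mac: str
    device_type: str                         # from endpoint profiling
    attrs: dict = field(default_factory=dict)  # custom attributes


# Constructed endpoint database, keyed by MAC address (hypothetical records).
ENDPOINTS = {
    "aa:bb:cc:00:00:01": Endpoint("aa:bb:cc:00:00:01", "Windows"),
    "aa:bb:cc:00:00:02": Endpoint("aa:bb:cc:00:00:02", "Apple iPhone"),
    "aa:bb:cc:00:00:03": Endpoint("aa:bb:cc:00:00:03", "Windows"),
}


def entity_update(mac, machine_authenticated):
    """Enforcement step: a successful machine auth marks the endpoint as a
    corporate asset, so the endpoint database becomes the authoritative
    source for later decisions (a user-only login keeps the stamp)."""
    ep = ENDPOINTS.get(mac)
    if ep is not None and machine_authenticated:
        ep.attrs["Corporate Asset"] = True
    return ep


def role_mapping(mac, ad_groups):
    """Returns (user role, VLAN) from device type plus the custom attribute."""
    ep = ENDPOINTS.get(mac)
    if ep is None or "Domain Users" not in ad_groups:
        return ("Restricted", 99)            # unprofiled device or unknown user
    corporate = ep.attrs.get("Corporate Asset") is True
    if corporate and ep.device_type not in MOBILE_TYPES:
        return ("Corporate", 10)
    if ep.device_type in MOBILE_TYPES:
        return ("BYOD-Mobile", 20)           # phones and tablets get their own VLAN
    return ("Restricted", 99)                # a computer that never machine-authenticated


def authenticate(mac, ad_groups, machine_authenticated=False):
    """One request: run the entity update first, then map on the updated record."""
    entity_update(mac, machine_authenticated)
    return role_mapping(mac, ad_groups)
```

The lookup key is the MAC address, which is why the thread rates a MAC-only corporate database as the weakest of the three options; the stamp is only as trustworthy as the machine authentication that set it.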
09-27-2013 05:41 AM - edited 09-27-2013 05:43 AM
In terms of the firewall visibility, if you are using mobility controllers, you can use the new firewall visibility feature in 6.3.
You can view the data in the controller itself or inside of AirWave. It will autoclassify certain web traffic such as dropbox, facebook, etc.
Here's an example. This is for my phone (these things aren't so quiet when they're in your pocket!). You can get very granular and view by application, destinations, devices, WLANs, users, and roles.