Regular Contributor II
Posts: 202
Registered: ‎01-30-2013

Clearpass and AD

Hi all,

We are in the process of implementing ClearPass Policy Manager and ClearPass Guest.

I have some initial doubts:

1. ClearPass is going to integrate with AD. That is done using the data port, correct?

ClearPass only queries AD, correct?

2. Implement 802.1X on corporate access (users log in with AD credentials and then, depending on the device they are using, a policy is applied). Is this the best way and the more secure 802.1X? What do I need?

For now we are using WPA2 on Aruba.

3. ClearPass Guest will deliver guest access to users (HTTP, HTTPS); SSID already created on the Aruba controller.

Thanks

Regards

Super Contributor II
Posts: 397
Registered: ‎09-05-2012

Re: Clearpass and AD

Hey,

1.

Yes, the AD should communicate with your ClearPass over the data port. From what I have observed, ClearPass only queries.

2.

802.1X is secure. It is recommended over WPA2-PSK, at least in a corporate environment.

In order to do what you want you can use your AD groups with some role mappings to identify the users and devices and place them into the correct User Role and VLAN. You can also look at Onboarding as well.

We have made it so that smart phones and tablets go into their own VLAN with their own User Role and authenticated computers go into another. CPPM can pretty much do whatever you want; you just have to know what that is.

Aruba_Role_Mappings_0001.png

3. Not sure if this is a question or just a statement. You can also use the CPPM to handle your guests, though, if you have the licensing for ClearPass Guest. I would recommend maybe using this so that everything can be managed through the CPPM.

Cheers

Regular Contributor II
Posts: 202
Registered: ‎01-30-2013

Re: Clearpass and AD

Hi,

Thanks for the info and help.

Do you have the OnGuard module on ClearPass? We only have Policy Manager and Guest.

We will have the need to distinguish between iPhones, Androids, iPads and corporate computers. But that is done with Policy Manager, correct?

And another thing: is it possible on Access Tracker to see what devices are connected and what TCP or UDP ports they are using? Because we have a firewall but it only states the Aruba source IP address and not the client's IP. That is because of the NAT.

Regards

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: Clearpass and AD

You can distinguish between corporate devices and other devices in three ways:

- Maintain a database of corporate device MAC addresses (not very secure, but works)

- Use TLS and issue computer certificates to corporate owned machines

- Use machine authentication

In terms of access tracker, it is only concerned with authentication requests. You will not be able to display session based information as that all happens post-authentication.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II
Posts: 397
Registered: ‎09-05-2012

Re: Clearpass and AD

To add to what @cappalli suggested.

You could also use the Endpoints database to manage your Apple iPhones/tablets and Android phones/tablets.

Once an Endpoint profile exists for your device you could add a custom attribute to the device to identify it as a company owned device.

You could then design your rules to look for the device type + this custom attribute. It is a little bit of work in the beginning but once it's done it should be fairly easy to maintain.

And for corporate computers, if you can't issue certificates, just use EAP-PEAP and the [Machine Authenticated] TIPS Role.

As for the visibility of the TCP/UDP ports, you could use the following command on the controller: show datapath session table <A.B.C.D>

This will show you all the active connections of the clients.

Cheers

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: Clearpass and AD

You could also automate the attribute process a little bit.

For example:

You could create a ClearPass Entity Update Enforcement profile that says if machine authenticated, then update endpoint database attribute "Corporate Asset" to true. Then when you have all of the data you need, you can use the endpoint database as your authoritative source.

endpoint-corporate.PNG

endpoint-tipsmachine.PNG

We used this method before we went live with the endpoint database to help build up the data.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
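The two posts above describe a two-phase approach: a strong signal in the current request (machine authentication, or a certificate from the corporate CA) grants the corporate role and, through an Entity Update Enforcement, sets a "Corporate Asset" attribute on the endpoint; later requests from the same endpoint can then treat the endpoint database as authoritative, while a device category from profiling picks the VLAN. The following Python model is an added example written for this thread, not ClearPass code and not from any of the posters. The role names, VLAN numbers, device categories and the CA name are assumptions chosen for illustration; the "Corporate Asset" attribute key is the one named in the post. It also shows the ordering caveat a practitioner should keep in mind: the entity update runs after the decision, so the attribute only benefits the next authentication, and a MAC-only request never inherits the corporate role even when its MAC carries the attribute.

```python
"""Toy model of the device-classification flow discussed in this thread.
Added example, not ClearPass code.  Role names, VLAN ids, device categories
and the CA name are assumptions; "Corporate Asset" is the attribute named
in the thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CORPORATE_CA = "CN=Corp Issuing CA"  # constructed issuer name for EAP-TLS checks


@dataclass
class AuthRequest:
    mac: str
    username: str
    auth_method: str                      # "EAP-TLS", "EAP-PEAP" or "MAC"
    machine_authenticated: bool = False   # stands in for the [Machine Authenticated] TIPS role
    device_category: str = "Unknown"      # from profiling: "Computer" or "SmartDevice" (assumed labels)
    cert_issuer: Optional[str] = None     # issuer of the client certificate, EAP-TLS only


class EndpointDB:
    """Stand-in for the ClearPass Endpoints database, keyed by MAC address."""

    def __init__(self) -> None:
        self.entries: Dict[str, Dict[str, str]] = {}

    def attrs(self, mac: str) -> Dict[str, str]:
        return self.entries.setdefault(mac.lower(), {})

    def is_corporate(self, mac: str) -> bool:
        return self.attrs(mac).get("Corporate Asset") == "true"


def strong_corporate_evidence(req: AuthRequest) -> bool:
    """The two strong signals from the thread: machine authentication, or a
    client certificate issued by the corporate CA over EAP-TLS.  A bare MAC
    match is deliberately not counted (the thread calls it 'not very secure')."""
    if req.machine_authenticated:
        return True
    return req.auth_method == "EAP-TLS" and req.cert_issuer == CORPORATE_CA


def role_map(db: EndpointDB, req: AuthRequest) -> Tuple[str, int]:
    """Role mapping: evidence in this request OR the endpoint attribute set by
    an earlier request decides corporate status; device category picks the VLAN."""
    if req.auth_method == "MAC":
        return ("mac-auth-limited", 30)   # MAC-only: never promoted to a corporate role
    corporate = strong_corporate_evidence(req) or db.is_corporate(req.mac)
    if corporate and req.device_category == "Computer":
        return ("corporate-computer", 10)
    if corporate and req.device_category == "SmartDevice":
        return ("corporate-mobile", 20)
    return ("byod", 30)


def entity_update(db: EndpointDB, req: AuthRequest) -> None:
    """Analogue of the Entity Update Enforcement profile.  It runs after the
    decision has been made, so the attribute only helps the next authentication."""
    if strong_corporate_evidence(req):
        db.attrs(req.mac)["Corporate Asset"] = "true"


def process(db: EndpointDB, req: AuthRequest) -> Tuple[str, int]:
    decision = role_map(db, req)
    entity_update(db, req)
    return decision


def demo() -> List[Tuple[str, int]]:
    """Constructed request sequence showing how the endpoint data builds up."""
    db = EndpointDB()
    laptop, phone = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
    seq = [
        # 1. machine auth over PEAP: corporate role now, endpoint flagged for later
        AuthRequest(laptop, "host/laptop01", "EAP-PEAP", True, "Computer"),
        # 2. same laptop, user credentials only: the endpoint attribute is authoritative
        AuthRequest(laptop, "alice", "EAP-PEAP", False, "Computer"),
        # 3. personal phone with the same AD user: no evidence, BYOD role
        AuthRequest(phone, "alice", "EAP-PEAP", False, "SmartDevice"),
        # 4. MAC-only auth presenting the flagged laptop MAC: still limited
        AuthRequest(laptop, "", "MAC", False, "Computer"),
    ]
    return [process(db, r) for r in seq]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Running the module prints the four decisions in order; the second request is the one that shows the endpoint database acting as the authoritative source once the first, machine-authenticated request has populated it.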
Super Contributor II
Posts: 397
Registered: ‎09-05-2012

Re: Clearpass and AD

@cappalli

Very cool. I didn't know you could do this! Thank you for sharing!!

Cheers

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: Clearpass and AD

In terms of the firewall visibility, if you are using mobility controllers, you can use the new firewall visibility feature in 6.3.

You can view the data in the controller itself or inside of AirWave. It will autoclassify certain web traffic such as Dropbox, Facebook, etc.

Here's an example. This is for my phone (these things aren't so quiet when they're in your pocket!). You can get very granular and view by application, destinations, devices, WLANs, users, and roles.

firewall-applications.PNG

firewall-destinations.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480