Contributor I
Posts: 25
Registered: ‎05-07-2014

NAC

Hi Team,

What are the requirements that must be considered to implement "NAC" on a network?

What are the steps to implement OnGuard with Cisco switches?

Please, I need help.

Regards,


Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: NAC

OnGuard is only available for desktop operating systems (Windows, OS X, Linux).

 

Implementation is relatively simple.

 

At a high level:

 

In ClearPass, you configure the posture policies by operating system. These can include:

   - Firewall enforcement

   - Antivirus enforcement

   - Installed application enforcement

 

If the device does not have OnGuard installed, ClearPass tells the Cisco switch to redirect the user to the install page.

 

Once OnGuard is installed, it communicates with ClearPass directly to inform about posture changes. If the device goes out of compliance, ClearPass can trigger the switch to bump the user and redirect them to a quarantine VLAN.

 

 


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor I
Posts: 25
Registered: ‎05-07-2014

Re: NAC

Hi,

 

cappalli, 

 

In the configuration of the ClearPass service:

Is user authentication first?

   For example 802.1X

And then the verification of compliance?


Regards,

 

 

Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: NAC

Correct. If a client doesn't have OnGuard installed, they'll usually get the "Unknown" posture token. In your 802.1X authorization, you can say:

If TIPS POSTURE EQUALS Unknown
Return a quarantine VLAN and Cisco redirect URL.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
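
Added example, not part of the thread and not ClearPass or Cisco configuration: a Python model of the order described in the reply above (authenticate first, then authorize on the posture token), showing the RADIUS reply attributes a quarantine-plus-redirect result would carry. The VLAN IDs, redirect URL and ACL name are constructed placeholders, and the "Healthy" and "Quarantine" token names are assumptions; only "Unknown" appears in the thread.

```python
# Added illustration, not ClearPass configuration. VLAN IDs, URL and ACL name
# are constructed placeholders; "Healthy"/"Quarantine" token names are assumed.
CORP_VLAN = "10"
QUARANTINE_VLAN = "999"
REDIRECT_URL = "https://clearpass.example.com/onguard"  # placeholder
REDIRECT_ACL = "ONGUARD-REDIRECT"  # ACL assumed to exist on the switch


def vlan_attrs(vlan_id):
    """RFC 3580 tunnel attributes used for dynamic VLAN assignment."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan_id,
    }


def authorize(authenticated, posture):
    """Return (RADIUS result, reply attributes) for one wired session."""
    # Step 1: 802.1X or MAC-Auth must succeed before posture is considered.
    if not authenticated:
        return "Access-Reject", {}
    # Step 2: a client with no agent report is treated as "Unknown".
    token = (posture or "Unknown").strip().lower()
    if token == "healthy":
        return "Access-Accept", vlan_attrs(CORP_VLAN)
    # Fail closed: every other token, recognised or not, is quarantined.
    attrs = vlan_attrs(QUARANTINE_VLAN)
    if token == "unknown":
        # Cisco AV pairs that make the switch redirect HTTP to the install page.
        attrs["Cisco-AVPair"] = [
            "url-redirect-acl=" + REDIRECT_ACL,
            "url-redirect=" + REDIRECT_URL,
        ]
    return "Access-Accept", attrs


def needs_reauth(old_posture, new_posture):
    """True when a posture change alters enforcement, so the session must be
    bumped (re-authorized) for the switch to apply the new attributes."""
    return authorize(True, old_posture) != authorize(True, new_posture)


if __name__ == "__main__":
    for p in (None, "Healthy", "Quarantine"):
        print(p, authorize(True, p))
    print("bump on Healthy->Quarantine:", needs_reauth("Healthy", "Quarantine"))
```
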
Contributor I
Posts: 25
Registered: ‎05-07-2014

Re: NAC

Hi.

 

Perfect.

 

When using 802.1X (wired), is it advisable to use authentication?

 

Regards,

Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: NAC

You can use MAC-Auth or 802.1X on the wire. 802.1X would be the most secure.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor I
Posts: 25
Registered: ‎05-07-2014

Re: NAC

Ok,

 

So then a guest user should use MAC authentication and not use the agent.

 

Regards,

Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: NAC

You could have a guest user use the dissolvable web agent if you wanted.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor I
Posts: 25
Registered: ‎05-07-2014

Re: NAC

Hi,

 

Perfect. I thank you for the support. It has been very helpful.

 

Regards,

Contributor I
Posts: 25
Registered: ‎05-07-2014

Re: NAC

Sorry Tim,

 

What is the redirect to the ENFORCEMENT PROFILE set to Cisco?

 

Regards,
