Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

NPS Radius Proxy to CPPM

  • 1.  NPS Radius Proxy to CPPM

    Posted Jun 22, 2018 11:16 AM

    I am starting up a PoC for CPPM and would like to integrate CPPM into my PoC scenario. 

     

    I have been implementing 802.1x configuration to a group of phones. They are authenticated via NPS, however only if they have the correct EAP-PEAP settings and root certificate. 

     

    If the phone is factory reset, this configuration will be deleted and then it will fail to authenticate on the network and will be unable to grab its configuration files from the provisioning server. 

     

    I thought of throwing CPPM into the mix and for all auth requests that fail on the NPS cluster, they'd be forwarded to CPPM where I could get them placed into a restricted network, based on a static MAC list, so that they'd be able to communicate with the provisioning server to grab their configuration files. The phone would reboot and then be able to go back into the configured VLAN based on my existing NPS policies. 

     

    In this scenario, how can I get CPPM to communicate back to the originating switch to place this client to a specific radius assigned VLAN provided the MAC of the host device is in the static host list?  



  • 2.  RE: NPS Radius Proxy to CPPM

    EMPLOYEE
    Posted Jun 22, 2018 11:25 AM
    802.1X cannot fail open.


  • 3.  RE: NPS Radius Proxy to CPPM

    Posted Jun 22, 2018 12:06 PM

    I am aware, however, this scenario is based on devices that have failed the DotX authentication on the NPS servers. 

     

    From my understanding NPS doesn't have a solid way of working with a MAC Address Bypass list to deal with these devices. This is where I was hoping that CPPM could come in. 

     

    I need to find a way to deal with these defaulted or non-provisioned devices in a restricted network. 

     

    If the phones in this instance can be restricted to only communicate back to the provisioning server (I'll deal with the firewall policies for this), they can pull their config files, if they were provisioned. 

     

    If not, I'll deal with the device manually. 



  • 4.  RE: NPS Radius Proxy to CPPM

    EMPLOYEE
    Posted Jun 22, 2018 12:08 PM

    What is the network device? Does it have the ability to fall back to MAC authentication?

     

    If it does, you would just point the MAC auth config to ClearPass and leave the 802.1X config pointed to NPS (although I'm not sure why you wouldn't just point everything to ClearPass).

     

    You can then use Device Registration in ClearPass to register the MAC addresses and attach a role.



  • 5.  RE: NPS Radius Proxy to CPPM

    Posted Jun 22, 2018 12:16 PM

    Thanks for picking up this thread.... 

     

    I am referring to a Polycom VVX phone. If it loses its configuration, including the DotX information, and is rebooted, all I have left for it is MAC authentication. 

     

    My NPS policies only provide authentication for EAP-TLS and EAP-PEAP (for the Polycom phones).

     

    As it is a PoC, I'm not ready to allow CPPM to take over the DotX authentication requests at this time. 

     

    I can see when the VVX fails auth on the NPS, it is being sent over to the CPPM server. I can see the username as the MAC of the phone and the originating switch and port the request was made from. 

     

    I would imagine that I need to setup the switch in CPPM so that the request can be sent back to the requestor. 

     

    I've not played around much in CPPM, but how would I go about setting the right configuration to allow the MAC to be parsed in a host list, then if found send back a VLAN ID to the switch? 
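The decision the poster is asking ClearPass to make, written out as an added example (this is not code from the thread, from ClearPass or from NPS; it is a stand-alone simulation). A MAC-authentication Access-Request carries the client MAC as User-Name and again as Calling-Station-Id; the policy normalizes the MAC, looks it up in a static host list, and on a hit returns the three RADIUS tunnel attributes from RFC 3580 (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>) that a switch reads as "put this port in VLAN N". The host list, VLAN numbers, switch address and MAC addresses below are constructed for the example.

```python
"""Simulated RADIUS MAC-auth policy for the failed-802.1X phone fallback.

Added example only: it models the decision a RADIUS policy server such as
ClearPass makes for a MAC-auth request, not the product's actual engine.
"""
import re
from dataclasses import dataclass, field

# RFC 2868 / RFC 3580 values a switch expects for RADIUS-assigned VLANs
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type = IEEE-802

# Constructed static host list: normalized MAC -> restricted provisioning VLAN.
# The MACs and VLAN are hypothetical.
STATIC_HOSTS = {
    "0004f2aabbcc": 99,
    "0004f2112233": 99,
}

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Collapse the formats switches send (00:04:F2:.., 00-04-f2-.., 0004.f2aa..,
    0004F2AABBCC) to 12 lowercase hex digits; return None if it is not a MAC."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return cleaned if MAC_RE.match(cleaned) else None


@dataclass
class AccessRequest:
    """The attributes the poster said they can see in the forwarded request."""
    user_name: str           # the MAC, as the switch sends it for MAC auth
    calling_station_id: str  # the MAC as seen on the wire by the switch
    nas_ip_address: str      # originating switch
    nas_port: int            # originating switch port


@dataclass
class AccessResponse:
    code: str                # "Access-Accept" or "Access-Reject"
    attributes: dict = field(default_factory=dict)


def decide(req):
    """Return the RADIUS reply for a MAC-auth Access-Request."""
    mac_user = normalize_mac(req.user_name)
    mac_caller = normalize_mac(req.calling_station_id)
    # Only treat the request as MAC auth when User-Name is a MAC and matches
    # Calling-Station-Id; a supplicant that merely types a MAC as its username
    # must not hit the host list.
    if mac_user is None or mac_user != mac_caller:
        return AccessResponse("Access-Reject",
                              {"Reply-Message": "not a MAC-auth request"})
    vlan = STATIC_HOSTS.get(mac_user)
    if vlan is None:
        return AccessResponse("Access-Reject", {"Reply-Message": "unknown MAC"})
    # Accept: the switch applies the VLAN from these three attributes to
    # NAS-Port. MAC auth is only as strong as the MAC (it can be cloned), so the
    # VLAN must stay firewalled to the provisioning server, as the poster plans.
    return AccessResponse("Access-Accept", {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(vlan),
    })


if __name__ == "__main__":
    # Constructed request from a hypothetical switch 10.0.0.1, port 5
    req = AccessRequest("00:04:F2:AA:BB:CC", "00-04-f2-aa-bb-cc", "10.0.0.1", 5)
    print(decide(req))
```

The User-Name / Calling-Station-Id comparison is the check worth keeping when this is done for real: a MAC-auth service should only match requests the switch itself generated from the observed source MAC, not any request whose username happens to look like one.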

     



  • 6.  RE: NPS Radius Proxy to CPPM

    EMPLOYEE
    Posted Jun 22, 2018 12:20 PM
    Please take a look at the ClearPass Solution Guide for Wired Policy Enforcement. It is covered in great depth.