Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Dot1x and mab- are they compulsory

  • 1.  Dot1x and mab- are they compulsory

    Posted Dec 19, 2020 08:13 PM

    Hi,

    Dot1x and mab- we know there ia a challenge to maintain abd setup dotxot1x - AD ,internal CA .

    For downloadable user defined roles, is there a need for dot1x / mab to be enabled?

    What if not enabled? What is default authentication clear pass will see - mab ?

    Also , what if we have cisco switch and we want to avoid dot1x/mab?

    What are the alternatives to these two aith methods.



    ------------------------------
    AG
    ------------------------------



  • 2.  RE: Dot1x and mab- are they compulsory

    Posted Dec 21, 2020 02:49 AM

    Hi,

    For the request to reach ClearPass, the switch needs to authenticate the device that is trying to access the network. There are many ways to achieve this but the most common ones are MAB and Dot1x (most secure option)- I suggest you check this guide to better understand your options - It even explains your options with Cisco switches.

    Wired Policy Enforcement (Solution Guide) 

    By default, the ports are not configured to do any authentication so ClearPass will not see any request.



    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 3.  RE: Dot1x and mab- are they compulsory

    Posted Dec 21, 2020 02:09 PM

    Thanks , i had a look at it .

    The Guide is very good indeed but it has more focus on RAdius .

    Enabling dot1x is not easy as customer has many Wired  IOT devices ( in large number) connected to Wired switches and having a non dot1x solution may be needed . 



    ------------------------------
    AG
    ------------------------------



  • 4.  RE: Dot1x and mab- are they compulsory

    Posted Dec 21, 2020 05:10 AM

    When I see this question, I would strongly advise involving an Aruba partner or engineer that knows this type of deployment.

    If you don't want to do authentication, there is an option for SNMP enforcement with OnConnect (also covered in the document that Ayman referred to), but I would not recommend that if there is a possibility to deploy 802.1X/MAC-Auth over RADIUS. Also if you want to use downloadable roles, these run over RADIUS, so no RADIUS, no Downloadable roles. There may be solutions around this, but again consult someone who knows this to explain and find out what is best in your specific situation.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: Dot1x and mab- are they compulsory

    Posted Dec 21, 2020 02:06 PM

    Thanks you as always .

    I understand but customer is also evaluating Forescout and they pitch saying dot1x/MAB are only making things complex

    and nac can be achieved without dot1x

    Of course this means by snmp or other means .

    Last point about Downloadable user roles , do i need to touch each port for anything or only global config related to ntp/radius etc on Switch ( Aruba OS )

    This is based on Aruba Videos put on Youtube where it is explained that we only need very limited config on switch (ntp/radius:enable downloadable user role) . The video does not say that anything is required on wired switch port

    The point is customer is very interested in Downloadable user roles as there environment is very much Aruba Wired ( mix Wireless though), but touching each port like in a normal case of cisco switch where dot1x/mab priority etc has to be enabled is something customer wants to avoid / . and everything has to be managed centrally through CPPM ( Primary role , secondary role) and no config to be done on switch port on which user is connecting .



    ------------------------------
    AG
    ------------------------------



  • 6.  RE: Dot1x and mab- are they compulsory

    Posted Dec 22, 2020 04:56 AM

    I would not listen too much to what other vendors are claiming. I heard the claim that 802.1X is complex, which is only true if you intentionally make it complex. ClearPass can do SNMP enforcement as well with OnConnect, but in general if you have switches that support 802.1X combined with MAC Authentication on both ports (which are more or less most switches produced in the last 15 years), you can deploy 802.1X for devices that can do it for a high security authentication. For devices that don't do 802.1X or where it is hard to configure it, like many IoT devices you can fallback to MAC authentication. So there is no need to do SNMP enforcement, but if you really want it you can do it with ClearPass.

    The benefit of using RADIUS is that it is pro-active and real-time. When a device connects, it will be first authenticated (either 802.1X or MAC auth), then you decide what to do and the device will be enforced immediately with the intended policy. With SNMP you have to respond, and that is one of the reasons that for ClearPass deployments the vast majority of the customers embraced the concept of the colorless port on wired to combine the benefits of strong authentication with 802.1X with the flexibility of profiling combined with MAC authentication. OnConnect SNMP enforcement is really an exception and only deployed on switches that don't support RADIUS (properly).

    I agree with you that the configuration on the switches to enable 802.1X and MAC authentication is really straight-forward. You can check the wired part of the ClearPass Workshop Series to see what is needed to implement the combination.

    Please work with your partner or local Aruba SE to get more information to put claims or positioning from other NAC vendors in perspective to avoid a decision made on biased/unbalanced information.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: Dot1x and mab- are they compulsory

    Posted Dec 22, 2020 08:17 AM

    Thanks Herman for the detailed explanation as always . I am always a great supporter of CPPM .

    Last point , DUDR - do we have to touch each port on Aruba Wired Switch? or all access config will be downloaded the moment endpoint connects to the port ?

    or do we have to go to each port and define priority like dot1x first and mab second etc

    Here i am purely talking about Aruba OS Wired Switches .



    ------------------------------
    AG
    ------------------------------



  • 8.  RE: Dot1x and mab- are they compulsory

    Posted Dec 22, 2020 08:44 AM

    Dowloadable user roles are enabled on switch level. If the ports are already configured for authentication (802.1X/authenticator or mac-based), there is no port-specific configuration as all is controlled and pushed through the ClearPass enforcement.

    (config)# radius-server cppm.arubalab.com identity aos-switch-dur key secretPassword
    (config)# aaa authorization user-role enable download
    


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 9.  RE: Dot1x and mab- are they compulsory

    Posted Dec 21, 2020 06:28 AM

    What device (ArubaOS ou ArubaCX ?)



    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 10.  RE: Dot1x and mab- are they compulsory

    Posted Dec 21, 2020 02:07 PM

    Hi , Aruba OS Wired Switches and Wireless controller ( Aruba) , Aruba Instant Access Points



    ------------------------------
    AG
    ------------------------------