Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Dot1x and mab- are they compulsory

  • 1.  Dot1x and mab- are they compulsory

    Posted Dec 19, 2020 08:13 PM

    Hi,

    Dot1x and MAB: we know there is a challenge to maintain and set up dot1x (AD, internal CA).

    For downloadable user defined roles, is there a need for dot1x / MAB to be enabled?

    What if it is not enabled? What is the default authentication ClearPass will see, MAB?

    Also, what if we have a Cisco switch and we want to avoid dot1x/MAB?

    What are the alternatives to these two auth methods?



    ------------------------------
    AG
    ------------------------------



  • 2.  RE: Dot1x and mab- are they compulsory

    EMPLOYEE
    Posted Dec 21, 2020 02:49 AM

    Hi,

    For the request to reach ClearPass, the switch needs to authenticate the device that is trying to access the network. There are many ways to achieve this, but the most common ones are MAB and Dot1x (the most secure option). I suggest you check this guide to better understand your options; it even explains your options with Cisco switches.

    Wired Policy Enforcement (Solution Guide) 

    By default, the ports are not configured to do any authentication so ClearPass will not see any request.



    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 3.  RE: Dot1x and mab- are they compulsory

    Posted Dec 21, 2020 02:09 PM

    Thanks, I had a look at it.

    The guide is very good indeed, but it has more focus on RADIUS.

    Enabling dot1x is not easy as the customer has many wired IoT devices (in large numbers) connected to wired switches, and a non-dot1x solution may be needed.



    ------------------------------
    AG
    ------------------------------



  • 4.  RE: Dot1x and mab- are they compulsory

    EMPLOYEE
    Posted Dec 21, 2020 05:10 AM

    When I see this question, I would strongly advise involving an Aruba partner or engineer that knows this type of deployment.

    If you don't want to do authentication, there is an option for SNMP enforcement with OnConnect (also covered in the document that Ayman referred to), but I would not recommend that if there is a possibility to deploy 802.1X/MAC-Auth over RADIUS. Also if you want to use downloadable roles, these run over RADIUS, so no RADIUS, no Downloadable roles. There may be solutions around this, but again consult someone who knows this to explain and find out what is best in your specific situation.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: Dot1x and mab- are they compulsory

    Posted Dec 21, 2020 02:06 PM

    Thank you as always.

    I understand, but the customer is also evaluating Forescout and they pitch that dot1x/MAB only make things complex

    and NAC can be achieved without dot1x.

    Of course this means by SNMP or other means.

    Last point about Downloadable User Roles: do I need to touch each port for anything, or only the global config related to NTP/RADIUS etc. on the switch (ArubaOS)?

    This is based on Aruba videos put on YouTube where it is explained that we only need very limited config on the switch (ntp/radius: enable downloadable user role). The video does not say that anything is required on the wired switch port.

    The point is the customer is very interested in Downloadable User Roles as their environment is very much Aruba wired (mixed wireless though), but touching each port, like in the normal case of a Cisco switch where dot1x/MAB priority etc. has to be enabled, is something the customer wants to avoid, and everything has to be managed centrally through CPPM (primary role, secondary role) with no config to be done on the switch port to which the user is connecting.



    ------------------------------
    AG
    ------------------------------



  • 6.  RE: Dot1x and mab- are they compulsory

    EMPLOYEE
    Posted Dec 22, 2020 04:56 AM

    I would not listen too much to what other vendors are claiming. I heard the claim that 802.1X is complex, which is only true if you intentionally make it complex. ClearPass can do SNMP enforcement as well with OnConnect, but in general if you have switches that support 802.1X combined with MAC Authentication on both ports (which are more or less most switches produced in the last 15 years), you can deploy 802.1X for devices that can do it for a high security authentication. For devices that don't do 802.1X or where it is hard to configure it, like many IoT devices you can fallback to MAC authentication. So there is no need to do SNMP enforcement, but if you really want it you can do it with ClearPass.

    The benefit of using RADIUS is that it is pro-active and real-time. When a device connects, it will be first authenticated (either 802.1X or MAC auth), then you decide what to do and the device will be enforced immediately with the intended policy. With SNMP you have to respond, and that is one of the reasons that for ClearPass deployments the vast majority of the customers embraced the concept of the colorless port on wired to combine the benefits of strong authentication with 802.1X with the flexibility of profiling combined with MAC authentication. OnConnect SNMP enforcement is really an exception and only deployed on switches that don't support RADIUS (properly).

    I agree with you that the configuration on the switches to enable 802.1X and MAC authentication is really straight-forward. You can check the wired part of the ClearPass Workshop Series to see what is needed to implement the combination.

    Please work with your partner or local Aruba SE to get more information to put claims or positioning from other NAC vendors in perspective to avoid a decision made on biased/unbalanced information.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: Dot1x and mab- are they compulsory

    Posted Dec 22, 2020 08:17 AM

    Thanks Herman for the detailed explanation as always. I am always a great supporter of CPPM.

    Last point, DUR: do we have to touch each port on an Aruba wired switch, or will all access config be downloaded the moment the endpoint connects to the port?

    Or do we have to go to each port and define priority like dot1x first and MAB second etc.?

    Here I am purely talking about ArubaOS wired switches.



    ------------------------------
    AG
    ------------------------------



  • 8.  RE: Dot1x and mab- are they compulsory

    EMPLOYEE
    Posted Dec 22, 2020 08:44 AM

    Downloadable user roles are enabled on switch level. If the ports are already configured for authentication (802.1X/authenticator or mac-based), there is no port-specific configuration, as all is controlled and pushed through the ClearPass enforcement.

    (config)# radius-server cppm.arubalab.com identity aos-switch-dur key secretPassword
    (config)# aaa authorization user-role enable download
    


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
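An added example, not taken from Herman's post or from Aruba documentation, of what the colorless-port approach discussed in this thread looks like on an ArubaOS-Switch: RADIUS to ClearPass, 802.1X with MAC authentication fallback on the access ports, and downloadable user roles enabled once, switch-wide. The IP address, port range, identity and keys are constructed placeholders, and the auth-order/auth-priority lines assume a firmware version that supports them.

```text
; Constructed example for an ArubaOS-Switch; IP, keys and identity are placeholders.
; RADIUS server is ClearPass; dyn-authorization allows ClearPass CoA after profiling.
radius-server host 10.1.1.10 key "RADIUS-SHARED-SECRET"
radius-server host 10.1.1.10 dyn-authorization
aaa authentication port-access eap-radius
aaa authentication mac-based chap-radius

; Colorless access ports 1-24: 802.1X for endpoints that support it,
; MAC authentication for IoT devices that do not. ClearPass returns the role.
aaa port-access authenticator 1-24
aaa port-access authenticator 1-24 client-limit 2
aaa port-access mac-based 1-24
aaa port-access mac-based 1-24 addr-limit 2
aaa port-access authenticator active

; Try 802.1X first and fall back to MAC auth (assumes firmware with auth-order/auth-priority).
aaa port-access 1-24 auth-order authenticator mac-based
aaa port-access 1-24 auth-priority authenticator mac-based

; Downloadable User Roles: enabled globally, no per-port configuration.
; The switch fetches the role definition from ClearPass using this API identity.
aaa authorization user-role enable download
radius-server cppm identity "dur-api-user" key "DUR-API-PASSWORD"
```

Once the ports are in the authenticator/mac-based lists, adding or changing a role is done only in the ClearPass enforcement profile; the switch side is not touched again.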



  • 9.  RE: Dot1x and mab- are they compulsory

    MVP GURU
    Posted Dec 21, 2020 06:28 AM

    Which device (ArubaOS or ArubaCX)?



    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 10.  RE: Dot1x and mab- are they compulsory

    Posted Dec 21, 2020 02:07 PM

    Hi, ArubaOS wired switches and wireless controller (Aruba), Aruba Instant Access Points.



    ------------------------------
    AG
    ------------------------------