Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass Devices; Using a CatchAll Subnet vs Each Device

  • 1.  ClearPass Devices; Using a CatchAll Subnet vs Each Device

    Posted Feb 04, 2016 12:12 PM

    I am curious about using a catch-all subnet for our company in CPPM, since we have over 750 devices that we wish to point to CPPM for RADIUS authentication. We are using CPPM to point to Active Directory and hit upon a particular network admin profile so that it returns the proper role; it's not like anyone can just authenticate to it. 

    Is there anything wrong with just using a catch-all subnet, like 10.0.0.0/8 to cover our internal network, instead of entering every single device in there one by one? I also was working on an XML file that I could import, but even that takes forever to make with 750 devices. 

    What are the downsides or concerns of using a catch-all subnet in the Devices tab on CPPM?



  • 2.  RE: ClearPass Devices; Using a CatchAll Subnet vs Each Device
    Best Answer

    Posted Feb 04, 2016 12:15 PM
    The only downside would be that it is a little loose on the security side, but it's a very common scenario.


  • 3.  RE: ClearPass Devices; Using a CatchAll Subnet vs Each Device

    Posted Feb 04, 2016 12:19 PM

    Thank you, this is what I expected. 

    But what makes this loose on the security side if we are manually pointing the devices to the CPPM and it checks against AD for a particular group membership before granting access?



  • 4.  RE: ClearPass Devices; Using a CatchAll Subnet vs Each Device

    Posted Feb 07, 2016 04:28 PM

    You don't control anymore which devices can use ClearPass, so someone could introduce a device and have that do regular authentication against ClearPass while perhaps sniffing credentials.

     

    The chance isn't that great, I think, and they still need the shared secret as well.
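To make the trade-off in this thread concrete, here is an added example (not code from the thread, from Aruba, or from ClearPass itself) that models the two checks a RADIUS server performs before it will talk to a client: find a network-device entry matching the packet's source IP, then validate the shared secret through the Message-Authenticator attribute (RFC 2869, HMAC-MD5 over the packet with that attribute zeroed). The NAD table layout, the longest-prefix lookup, the device inventory, the rogue address 10.9.9.9 and the shared secret value are all constructed assumptions for illustration; CPPM's internal data model is not reproduced here. The example compares a single 10.0.0.0/8 entry against per-device /32 entries with unique secrets.

```python
"""Model of RADIUS client admission: NAD lookup by source IP, then a shared-secret
check via Message-Authenticator (RFC 2869). Constructed example, not CPPM code."""
import hashlib
import hmac
import ipaddress
import os
import secrets
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80

# Assumed catch-all entry: one subnet, one secret shared by every device in it.
CATCHALL_TABLE = [("corp-catchall", ipaddress.ip_network("10.0.0.0/8"), "OneSecretForEveryone")]


def build_per_device_table(inventory):
    """One /32 entry per device, each with its own random secret (what a bulk
    import generated from an inventory should look like). inventory: [(name, ip)]."""
    return [(name, ipaddress.ip_network(f"{ip}/32"), secrets.token_urlsafe(24))
            for name, ip in inventory]


def lookup_nad(table, src_ip):
    """Longest-prefix match, so a /32 device entry wins over a wider subnet."""
    src = ipaddress.ip_address(src_ip)
    matches = [e for e in table if src in e[1]]
    return max(matches, key=lambda e: e[1].prefixlen, default=None)


def build_access_request(secret, username, ident=1):
    """Minimal Access-Request: User-Name plus a Message-Authenticator computed
    over the packet with the 16-byte digest field zeroed."""
    authenticator = os.urandom(16)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username.encode()
    placeholder = bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator
    digest = hmac.new(secret.encode(), header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + digest


def message_authenticator_ok(packet, secret):
    """Walk the attribute list, zero the received digest, recompute and compare."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret.encode(), zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # this model treats a missing Message-Authenticator as a failure


def accept_client(table, src_ip, packet):
    """Returns (accepted, reason). A source with no NAD entry is dropped before
    any secret is checked, which is the control the catch-all subnet gives up."""
    entry = lookup_nad(table, src_ip)
    if entry is None:
        return False, "no NAD entry for source"
    if not message_authenticator_ok(packet, entry[2]):
        return False, f"bad Message-Authenticator for {entry[0]}"
    return True, f"accepted via {entry[0]}"


def demo():
    """Constructed scenario: two real switches, one rogue host inside 10.0.0.0/8."""
    inventory = [("core-sw-01", "10.1.0.2"), ("edge-sw-17", "10.1.17.2")]
    per_device = build_per_device_table(inventory)
    rogue_ip = "10.9.9.9"
    # Rogue device that has learned the company-wide catch-all secret.
    rogue_pkt = build_access_request(CATCHALL_TABLE[0][2], "jdoe")
    # Legitimate packet from core-sw-01, and that switch's secret replayed from another address.
    core_pkt = build_access_request(per_device[0][2], "jdoe")
    return {
        "catchall_rogue": accept_client(CATCHALL_TABLE, rogue_ip, rogue_pkt)[0],
        "perdevice_rogue": accept_client(per_device, rogue_ip, rogue_pkt)[0],
        "perdevice_legit": accept_client(per_device, "10.1.0.2", core_pkt)[0],
        "perdevice_leaked_secret_wrong_ip": accept_client(per_device, "10.1.17.2", core_pkt)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Under the catch-all entry the rogue host is accepted as soon as it knows the one shared secret, which is the "someone could introduce a device" case from the reply above; with per-device entries the same packet is dropped for having no NAD entry, and a secret lifted from one switch does not validate from any other address. If a catch-all is kept for convenience, the practical middle ground is to list the devices anyway with unique secrets so that the /32 entries win the longest-prefix match, and to restrict the catch-all to the management subnets that actually host network devices rather than the whole 10.0.0.0/8.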