Security

last person joined: 19 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Minimum requierements to use clearpass

  • 1.  Minimum requierements to use clearpass

    Posted Mar 19, 2020 12:05 PM

    I would like to know which are the minimum requirements of switches  if i would like to use the clearpass for example for 802.1x  and on guard

     

    For example 

    If i wanted to use it on a switch Dell that support 802.1x and i dont find that device on network devices what happens? what i put in there??? This mean clearpass does not support that switch or what does this means to me?

    I have jus worked with HPE swiches and Cisco switches actually, i admit it.    We got a client tha has some small bussiness switches that would like to use clearpass but im not sure what happen in this case.

    Other example would be netgear switches

     

    Thanks

     

    Thanks

     



  • 2.  RE: Minimum requierements to use clearpass

    Posted Mar 19, 2020 12:44 PM

    The ClearPass Solution Guide for Wired Policy Enforcement has a section highlighting the protocols/features required for certain workflows.



  • 3.  RE: Minimum requierements to use clearpass

    Posted Mar 20, 2020 03:49 AM

    it depends on your expectation clearpass can enforcement even with  snmp 



  • 4.  RE: Minimum requierements to use clearpass

    Posted Mar 20, 2020 08:46 AM

    Hello,

    I'm still a novice, what expectation please ?



  • 5.  RE: Minimum requierements to use clearpass

    Posted Mar 20, 2020 09:18 AM

    minimum as just authenticating with eap peap while they get new switches.

     

    also i see for example that  in devices, the brand of the switches is not there on the list, guess i can add them with the radius dictionary? so it appears on the list?



  • 6.  RE: Minimum requierements to use clearpass

    Posted Mar 23, 2020 11:43 AM

    Hi, 

     

    For basic username/password authentication, you will need EAP-PEAP, you can also do EAP-TLS, since no extra configuration would be required on NAS (switches). 

     

    For Onguard, Radius Change of Authorization is mandatory if you want to change the user's role or Vlan during post authentication. 

     

    Then comes the requirement to install OnGuard on the client machines. In this case either you can manually do it (through AD GPO etc) or some other automation tool, if that is not possible and you want to redirect them to a web page and instructing them to download the onguard plugin, for this you need Captive Portal redirect. 

     

    Can you tell me which dell switches you are currently working on? i think 15xx and above support web redirect and CoA (need to confirm though).

     

    For netgear i am not sure since its SMB.



  • 7.  RE: Minimum requierements to use clearpass

    Posted Mar 23, 2020 12:13 PM

    Hi, 

     

    Regarding your second query about adding Radius Dictionary. You can add the dictionary so that you may pass on the VSA when configuring profiles. 

     

    However if you go to add devices, the new device (for example, NetGear in my case)  wont show up just because its dictionary is added.



  • 8.  RE: Minimum requierements to use clearpass

    Posted Apr 18, 2020 05:30 AM

    I have had cases where i integrated Clearpass with Unmanaged switches, such as TPLink, who don't even have a GUI.


    Clearpass works session based, and usually Enforcing Profiles and such works in that concept.

     

    In cases where you have switches which do not support 802.1x or MAC-Auth, Clearpass offers the possibility to do SNMP Enforcement.
    https://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/Content/CPPM_UserGuide/Enforce/EPSNMP_Based.htm

     

    Also, if you have lots of unmanned switches, what you can do is place behind a Managed Switch and connect unmanned in cascade. Similar to a simple drawing i am posting on here.  I had those types of deployments and they work perfectly. Enforcement for connected users on the PC work perfectly, Profiling and dACL for Camera, Printers workers perfectly, etc. 

     

    IMG1.jpg