
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Would UBT be a good solution?

  • 1.  Would UBT be a good solution?

    Posted Oct 04, 2022 07:15 AM
    So, I'm planning to roll out new access switches (6200F and 2930M) for a production location for a customer. They already use ClearPass with port authentication based on DUR for 2930M switches at another location, and it works great. The production location currently doesn't use port authentication, but after implementing the 6200F/2930M switches we also want to use port authentication together with ClearPass. This poses some challenges, however.

    The production location has around 20 to 30 "packaging tables" in a warehouse, and there is a single copper connection wired to each packaging table. On the packaging table there is a workstation, a printer and sometimes a CNC machine. They currently use simple unmanaged switches to connect the multiple devices on a single table. Everybody can connect to these unmanaged switches and have access to the internal network, so this is a security threat.

    Replacing those unmanaged switches with managed switches would be too costly, and running multiple copper connections is also a huge undertaking and challenge.

    Since this customer also has an AOS8 solution with two 7205 mobility controllers, I was wondering whether I could secure those specific ports with user-based tunneling on the 2930M or 6200F switches. If I could do Per User Tunneling or Per Port Tunneling, and tunnel all end devices connected to the unmanaged switches to the AOS8 MCs and handle authentication there, my issue would be solved.

    However, I am not sure if this is a recommended/ideal solution. Does anyone have some suggestions on what I could do in this situation?

  • 2.  RE: Would UBT be a good solution?

    Posted Oct 04, 2022 08:51 AM
    You can still perform authentication on multiple devices behind one port without UBT/PBT. I would only tunnel users/devices to a controller if it is a security requirement (user traffic must exit through the controller to a VLAN/segment).

    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022
    If my post was useful accept solution and/or give kudos
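One way to apply the reply's suggestion on a 6200F edge port that feeds one of the packaging-table unmanaged switches, as an added illustration that is not from either poster: per-client 802.1X with MAC authentication fallback and a client limit on the port, so each workstation, printer or CNC machine behind the unmanaged switch is authenticated individually by ClearPass. Interface number, RADIUS address and client limit are placeholder assumptions, and the AOS-CX 10.x syntax should be checked against the release's own reference guide.

```text
! Constructed AOS-CX 6200 fragment (assumed syntax); not from the original post.
! 192.0.2.10 is a placeholder ClearPass address; replace the shared secret.
radius-server host 192.0.2.10 key plaintext <REPLACE-WITH-SHARED-SECRET>

! Enable 802.1X and MAC authentication globally.
aaa authentication port-access dot1x authenticator
    enable
aaa authentication port-access mac-auth
    enable

! Uplink to one packaging-table unmanaged switch (placeholder interface).
interface 1/1/5
    description Packaging-table-05 (unmanaged switch downstream)
    no shutdown
    ! Each MAC behind the unmanaged switch is authenticated on its own.
    aaa authentication port-access auth-mode client-mode
    ! Cap the number of authenticated clients to what the table actually has
    ! (workstation, printer, CNC machine, one spare), so an extra device
    ! plugged into the unmanaged switch is refused rather than bridged in.
    aaa authentication port-access client-limit 4
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
```

With this in place the existing ClearPass DUR services can return a role per device as they already do for the 2930M site, and a client that fails both 802.1X and MAC auth gets no access even though it shares the copper run with authenticated devices.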