Security

Hi All,

Me and my client want to go one step futher with our Proof of Concept ClearPass Cluster and hook it to a 'live' environment. We are using 802.1x and MAB on Wired and setup a few services. 
The part that is unclear to me, how can I apply the monitoring mode (not just on the ClearPass services), but also on the authenticator devices? 

In my view; once I configure a 'live' switch to use ClearPass as a RADIUS-server, configure the switch ports, and set all CPPM services in monitor mode, all traffic is unable to authenticate, and thus, will have no access to the internal network? This is not what I want when 'monitoring' the policies on a live-environment..

My question is: What is a good way to extent the Proof of Concept to a real environment without enforcing the policies? What is the best-practice on using monitoring mode? 

I hope you guys understand my question, thanks in advance!

------------------------------
Lex
------------------------------

Duplicate post for: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MessageKey=0e623094-c132-42d2-a323-7e02247ae763&CommunityKey=2477474f-de43-4598-a465-c179d41fdd0b

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: May 12, 2021 08:15 AM
From: Lex Krijnen
Subject: ClearPass Monitoring Mode - Best Practices?

Hi All,

Me and my client want to go one step futher with our Proof of Concept ClearPass Cluster and hook it to a 'live' environment. We are using 802.1x and MAB on Wired and setup a few services. 
The part that is unclear to me, how can I apply the monitoring mode (not just on the ClearPass services), but also on the authenticator devices? 

In my view; once I configure a 'live' switch to use ClearPass as a RADIUS-server, configure the switch ports, and set all CPPM services in monitor mode, all traffic is unable to authenticate, and thus, will have no access to the internal network? This is not what I want when 'monitoring' the policies on a live-environment..

My question is: What is a good way to extent the Proof of Concept to a real environment without enforcing the policies? What is the best-practice on using monitoring mode? 

I hope you guys understand my question, thanks in advance!

------------------------------
Lex
------------------------------