Security

 View Only
last person joined: 18 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass wired Mac static list and 802.1X.

This thread has been viewed 47 times
  • 1.  Clearpass wired Mac static list and 802.1X.

    Posted Jan 25, 2023 07:59 AM

    Hi,

    I'am pretty new in clearpass and I'am looking for connect wired PC with Mac static list and 802.1X.

    My switch is Aruba 2930F


    In my use case I want to connect a PC which is in a static MAC list with 802.1X

    anyone have à process ? Or someone can explain to me

     

    best,

    Olivier



  • 2.  RE: Clearpass wired Mac static list and 802.1X.

    Posted Jan 25, 2023 09:24 AM
    If you are using a static MAC list you need to perform MAB (MAC Address Bypass), not 802.1X.  Why not setup the PC for 802.1X instead?


  • 3.  RE: Clearpass wired Mac static list and 802.1X.

    Posted Jan 25, 2023 04:55 PM
    Hi @Olivier,

    what do you want to realize with this combination? 802.1x is a very secure authentication method and mac-address authentication is totally insecure. If I had the choice I would clearly prefer 802.1x.

    You can set up 802.1x and fallback to mac-address authentication on the Aruba switch. You can configure the order and priority. But you can't really use both authentication types at the same time.

    If you really need to do mac-address authentication, then use the [Guest Device Repository] rather than a static host list. This way you are much more flexible and can use e.g. rolemapping or set an expiration date.

    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 4.  RE: Clearpass wired Mac static list and 802.1X.

    EMPLOYEE
    Posted Jan 25, 2023 05:09 PM
    you can refer to this technote for various wired enforcement policy
    https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 5.  RE: Clearpass wired Mac static list and 802.1X.

    Posted Jan 27, 2023 03:39 AM
    Hi,
    thank you for your reply
    
    I need to do both MAB and 802.1X authentication as I am in a sensitive university environment
    
    Some students need to have access to a sensitive network with certain PCs.
    But these same students when they are connected with other PC than those of the sensitive environment, then they are connected to the classic network like the other students
    best,
    Olivier



  • 6.  RE: Clearpass wired Mac static list and 802.1X.

    Posted Jan 27, 2023 04:44 AM
    Hi Oliver

    Can you describe how the student computers authenticate? Is it managed computers joined to Active Directory?
    Is it a bring your own device scenario? Are you using EAP-PEAP, EAP-TLS or EAP-TEAP as authentication method?

    Instead of trying to do both 802.1x and MAC authentication, you can work with any of the folowing as authorization information in the 802.1x:
    - group membership in the Active Directory for the computer (require that the computers are domain joined)
    - ClearPass Onboard for devices that should have access to the secured network
    - external system for authorized devices to connect to the secured network. Could be Intune, Jamf, or other MDM tool, CMDB etc.
    - Assign the devices that are allowed to connect to the seccured network a role in ClearPass, either by adding a role under Guest Device Repository or custom attributes in Endpoints Repository
    - If the device typs are different, you may be able to have rules based on the profiling information.
    - A combination of any of the above methods

    Personally I would prefer ClearPass Onboard or AD group membership to distinguish the clients. But integration with Intune or similar system will also work good.

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: Clearpass wired Mac static list and 802.1X.

    Posted Jan 27, 2023 05:48 AM
    hi jonas,

    the student computers in LAB room authenticate just whith MAB

    they are not in AD domain

    this computer are desktop in this LAB Room, they don't move


    it's not a bring your own device scenario

    For the computer, just Mac authentification

    I need to authenticate computers first

    If the computer is in the authorized mac address list, then the student can log in with his AD 802.1X account

    PCs are Ubuntu

    thank you for your reply




  • 8.  RE: Clearpass wired Mac static list and 802.1X.

    EMPLOYEE
    Posted Jan 27, 2023 06:17 AM
    Olivier,

    There are many unknowns, and what you are asking for is coming down to make a design for a good security policy and the implementation. I would really recommend to work with your Aruba partner or consultant to first create a proper design. There are many things possible with ClearPass, but that does not necessarily be what matches your environment.

    You probably would not do a separate MAC authentication as in the 802.1X service you can include checks on the MAC Adress, lookups in the Endpoint Database, verify against a database, check if the switch or switch port is in a specific location, and much more. But MAC+802.1X for clients that do 802.1X you would do in the 802.1X service; and you may use a separate MAC authentication service for clients that don't do 802.1X.

    As Ariyap mentions, this is covered in the Wired Policy Enforcement guide (link a few responses back) and going through a ClearPass training or the ClearPass Workshop video series will cover the building blocks for your scenario. In most cases, it's best to get the knowledge and experience from someone external to make sure you start with a good design that works and matches what you want to achieve.

    EDIT: To respond to the topic: Static MAC lists is probably one of the worst methods to achieve whatever your requirement is... there are better methods that are better manageable. Static lists are deprecated and should only be used in some corner-cases, if at all. I don't want to be harsh, but would not want you either to spend a lot of time on researching something that has better solutions if you look at the design requirements.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: Clearpass wired Mac static list and 802.1X.

    Posted Jan 27, 2023 08:45 AM

    Hello herman

    I want to set up a clearpass rule that allows users who are part of an AD LABO group to connect to 20 computers in a room

    This room has its own switch ( Aruba 2930 )

    I don't want another computer to be able to connect in this room

    I have as data

    -              The MAC address of the PCs

    -              The AD group of users

    -              The NAD IP

    We were accompanied by an ARUBA pre-sales and a sales representative who helped us on the first project.

    The project was done very quickly and I did not have time to follow the official trainings.

    When I ask certain questions, I am referred to documents that I have read at least 3 times

    I'm part of a large group and my colleagues aren't as advanced as I am on clearpass

     

    I've seen all your videos, videos on udemy, book official certification study guide

    I know that training does not replace experience

    So my only solutions are to ask for help on the community

    And to pass the clearpass training (scheduled in 4 months)

    Thank you for your help

    If you have interesting books or contacts, can you share me please




  • 10.  RE: Clearpass wired Mac static list and 802.1X.
    Best Answer

    EMPLOYEE
    Posted Jan 27, 2023 09:13 AM
    Then an enforcement/role map like this may work for the 802.1X service:
    Rule 1: NAD IP = <NAD IP of the switch> AND AD:Groups EQUALS <authorized user group> AND Endpoint:LabPC EQUALS True => Allow privileged access
    Rule 2: NAD IP = <NAD IP of the switch> => Allow no/limited access + send alert
    Rule 3: rest of your rules... for the other switches

    Thing is that I'm quite sure that this might oversee some scenarios, and it is really hard in a forum to provide the proper guidance. Also, I'm convinced that when you found your solution, at that point it looks really obvious but to get there may take some and brainstorming about all conditions and exceptions.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 11.  RE: Clearpass wired Mac static list and 802.1X.

    Posted Jan 27, 2023 09:22 AM
    many thanks !!!