Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM 2nd Radius server for EAP-TLS authentication

  • 1.  CPPM 2nd Radius server for EAP-TLS authentication

    Posted 20 hours ago

    Hello Airheads,

    I and the company I work for are pretty new within the ClearPass world. We have started pulling up our ClearPass servers. So far everything is great as we are working on a green field, so we have plenty of opportunities to monitor the setup and slowly close down the ports.

    Now, what I'm having a bit of trouble working out:

    The company bought up another company where they had Cisco ISE. They used mainly machine certificates issued by their certificate authority. Because that system is already assigning VLAN tags to the switches there is no easy way to just disable it, as it would cost a lot of time to go back to manually assign VLANs and then roll out ClearPass on it.

    We are also using Machine authentication as a 1st step, so there is no easy way to switch from their certificates to ours.

    I would plan to create a new Radius certificate with Services using their certificate chain. But I'm not 100% sure if it's doable. It looks like I should be able to choose which certificates are being used for authentication. Because when I try to add a new service it allows the option to choose a server certificate. But currently, that option is empty.

    Does anyone have an idea about this and what would be potentially a good solution?

    Thank you,

    Greg



  • 2.  RE: CPPM 2nd Radius server for EAP-TLS authentication

    EMPLOYEE
    Posted 19 hours ago

    ClearPass is extremely flexible and you have several options about how to move forward with the implementation.  Based on what you've shared, I'd highly recommend getting in touch with your Aruba sales team and discuss options for the ClearPass implementation.  You might benefit quite a bit from having a ClearPass specialist come in for a period of time to discuss your options and assist with some of the initial setup.

    There should be no reason for ClearPass to not be able to directly replace or at least emulate what ISE is currently doing with VLAN assignment.  Service certificates, i.e., certificates added to the trust list and then specifically assigned to a service, provide options for handling authentications of devices that don't yet have the new PKI trusted or don't yet have a supplicant configuration that supports the new PKI.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: CPPM 2nd Radius server for EAP-TLS authentication

    Posted 7 hours ago

    Hi Carson,

    Our initial integration to most of the locations was done through the ClearPass HTS team, but our contracted hours have run out. I still have a good connection with our Aruba account manager and sales team so they might be able to help us out.

    My understanding was as well that it should be possible to import a 2nd set of RADIUS certificates and spin it up for this service so we can import every setting from the ISE.

    Most of our locations already have some kind of ClearPass RADIUS configuration deployed in Transparent mode (so no VLAN assignment, no enforcement) to discover what we are missing.

    ISE was only deployed in one location which now we have to take over and import into CPPM. My current idea is to import all the MAC addresses to ClearPass, as well as create a separate service for them. However, for dot1x they already have a supplicant configured. With that, I would think that the path of least resistance would probably be spinning up a 2nd RADIUS server within CPPM to support that chain.

    It looks perfectly doable but I haven't found the correct documentation for it yet. :)

    Thanks,
    Gergely




  • 4.  RE: CPPM 2nd Radius server for EAP-TLS authentication

    EMPLOYEE
    Posted 6 hours ago

    Process for moving an existing 802.1X setup over to ClearPass:

    1. Add the existing RADIUS certificate to ClearPass
    2. Create a new service to handle the existing 802.1X setup and assign the associated certificate to the service
      1. This requires a method to uniquely identify the incoming authentication request to correctly classify the authentication to the service, e.g., user domain, NAD group
    3. Point existing NAS at ClearPass
    4. Add new PKI trust point to existing setup, allowing for trust of new RADIUS certificate
    5. Modify existing supplicant configuration to allow for additional RADIUS certificate
    6. Remove service certificate, use common RADIUS certificate
    7. Modify supplicant configuration, removing old certificate information


    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
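Steps 4 through 7 of the procedure above hinge on one thing: at every stage, each supplicant must still be able to validate whichever RADIUS server certificate it is presented with during EAP-TLS. The following Go program is an added illustration of that trust check, not code from the thread or from HPE Aruba; it builds two constructed private CAs (standing in for the acquired company's CA that issued the ISE RADIUS certificate and the new corporate CA) using only the standard library, issues a server-authentication certificate from each, and then evaluates the supplicant's trust list in the three states the procedure passes through: old CA only, old and new CA, new CA only. Hostnames and CA names are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is a constructed stand-in for a certificate authority.
type pki struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // simple monotonic serial for the constructed certificates

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// newCA creates a self-signed root CA certificate and its private key.
func newCA(name string) (*pki, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &pki{cert: cert, key: key}, nil
}

// issueRadiusCert issues a server-authentication leaf certificate for a RADIUS
// server from this CA; this is what a supplicant validates during EAP-TLS.
func (p *pki) issueRadiusCert(hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.cert, &key.PublicKey, p.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// supplicantTrusts models the supplicant's configured trust anchors: it reports
// whether the RADIUS server certificate chains to one of them and carries the
// serverAuth extended key usage, the check a client performs in EAP-TLS.
func supplicantTrusts(anchors []*x509.Certificate, server *x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Phase records, for one supplicant trust state, whether the old (ISE-era) and
// the new (ClearPass) RADIUS certificate would be accepted.
type Phase struct {
	Name                           string
	OldCertTrusted, NewCertTrusted bool
}

// MigrationPhases evaluates the three trust states of the procedure:
// old CA only (steps 1-3), old and new CA (steps 4-5), new CA only (steps 6-7).
func MigrationPhases() ([]Phase, error) {
	acqCA, err := newCA("Acquired Company Root CA (constructed)")
	if err != nil {
		return nil, err
	}
	corpCA, err := newCA("Corporate Root CA (constructed)")
	if err != nil {
		return nil, err
	}
	oldRadius, err := acqCA.issueRadiusCert("ise-radius.example.internal") // placeholder
	if err != nil {
		return nil, err
	}
	newRadius, err := corpCA.issueRadiusCert("clearpass.example.internal") // placeholder
	if err != nil {
		return nil, err
	}
	states := []struct {
		name    string
		anchors []*x509.Certificate
	}{
		{"old CA only", []*x509.Certificate{acqCA.cert}},
		{"old and new CA", []*x509.Certificate{acqCA.cert, corpCA.cert}},
		{"new CA only", []*x509.Certificate{corpCA.cert}},
	}
	var out []Phase
	for _, s := range states {
		out = append(out, Phase{s.name, supplicantTrusts(s.anchors, oldRadius), supplicantTrusts(s.anchors, newRadius)})
	}
	return out, nil
}

func main() {
	phases, err := MigrationPhases()
	if err != nil {
		panic(err)
	}
	for _, p := range phases {
		fmt.Printf("%-15s old RADIUS cert trusted=%-5v new RADIUS cert trusted=%v\n", p.Name, p.OldCertTrusted, p.NewCertTrusted)
	}
}
```

The middle state is the one to dwell on: only while both CAs are in the supplicant's trust list can the service certificate be swapped for the common RADIUS certificate (step 6) without stranding clients, and only once every supplicant has reached that state is it safe to drop the old CA (step 7). Validating the real trust list the same way, with the actual CA certificates exported from ISE and ClearPass, is a cheap pre-check before each cutover.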