Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Minimum requirements to use ClearPass

  • 1.  Minimum requirements to use ClearPass

    Posted Mar 19, 2020 12:05 PM

    I would like to know what the minimum requirements for switches are if I would like to use ClearPass, for example for 802.1X and OnGuard.

    For example:

    If I wanted to use it on a Dell switch that supports 802.1X and I don't find that device in network devices, what happens? What do I put in there? Does this mean ClearPass does not support that switch, or what does this mean for me?

    I have just worked with HPE switches and Cisco switches actually, I admit it. We have a client that has some small business switches and would like to use ClearPass, but I'm not sure what happens in this case.

    Another example would be Netgear switches.

    Thanks



  • 2.  RE: Minimum requirements to use ClearPass

    EMPLOYEE
    Posted Mar 19, 2020 12:44 PM

    The ClearPass Solution Guide for Wired Policy Enforcement has a section highlighting the protocols/features required for certain workflows.



  • 3.  RE: Minimum requirements to use ClearPass

    Posted Mar 20, 2020 03:49 AM

    It depends on your expectations; ClearPass can enforce even with SNMP.



  • 4.  RE: Minimum requirements to use ClearPass

    Posted Mar 20, 2020 09:18 AM

    Minimum as in just authenticating with EAP-PEAP while they get new switches.

    Also, I see for example that in devices, the brand of the switches is not there on the list. I guess I can add them with the RADIUS dictionary, so it appears on the list?



  • 5.  RE: Minimum requirements to use ClearPass

    Posted Mar 23, 2020 11:43 AM

    Hi,

    For basic username/password authentication, you will need EAP-PEAP; you can also do EAP-TLS, since no extra configuration would be required on the NAS (switches).

    For OnGuard, RADIUS Change of Authorization is mandatory if you want to change the user's role or VLAN during post-authentication.

    Then comes the requirement to install OnGuard on the client machines. In this case you can either do it manually (through AD GPO etc.) or with some other automation tool. If that is not possible and you want to redirect them to a web page instructing them to download the OnGuard plugin, for this you need Captive Portal redirect.

    Can you tell me which Dell switches you are currently working on? I think 15xx and above support web redirect and CoA (need to confirm though).

    For Netgear I am not sure since it's SMB.



  • 6.  RE: Minimum requirements to use ClearPass

    Posted Mar 23, 2020 12:13 PM

    Hi,

    Regarding your second query about adding a RADIUS dictionary: you can add the dictionary so that you may pass on the VSA when configuring profiles.

    However, if you go to add devices, the new device (for example, NetGear in my case) won't show up just because its dictionary is added.



  • 7.  RE: Minimum requirements to use ClearPass

    MVP
    Posted Apr 18, 2020 05:30 AM

    I have had cases where I integrated ClearPass with unmanaged switches, such as TPLink, which don't even have a GUI.

    ClearPass works session-based, and usually enforcing profiles and such works in that concept.

    In cases where you have switches which do not support 802.1X or MAC-Auth, ClearPass offers the possibility to do SNMP enforcement.
    https://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/Content/CPPM_UserGuide/Enforce/EPSNMP_Based.htm

    Also, if you have lots of unmanaged switches, what you can do is place them behind a managed switch and connect the unmanaged ones in cascade, similar to a simple drawing I am posting here. I had those types of deployments and they work perfectly. Enforcement for connected users on the PC works perfectly, profiling and dACL for cameras and printers work perfectly, etc.

    IMG1.jpg