Security

 View Only
  • 1.  Third party Switches for clearpass

    Posted Apr 15, 2013 07:57 PM

    We are thinking in buying 3rd party switches to show BYOD with those switches also

    There are the models we are thinking in buying for now...

     

    Here are 2 we were looking

    1. Cisco: WS-C2960PD-8TT-L
    2. HP: J9562A


    Are those swtiches okay to show all the BYOD stuff on those 2 brands?

     

    Or what swithces are recommended?

     

    Cheers

    Carlos



  • 2.  RE: Third party Switches for clearpass

    Posted Apr 17, 2013 06:18 PM

    When you say BYOD, what exactly are you going to try and demonstrate? Can you give a real example?

     

    I.e. we're going to plug "this thing" in and it will do "this" when demonstrated?

     



  • 3.  RE: Third party Switches for clearpass

    Posted Apr 17, 2013 09:31 PM

    Not really have an specific scenario in mind... im stil waiting for the courses of Policy manager to see everything i can do with it... but as far i know you can use BYOD on wired ports on third party switches....  Not sure at what level(i mean i suppose you can do a way more stuff if you got aruba swithces) but i want to know if it possible to do everything that can be done with wired 3rd party swithces with those switches.

     

    At least what kind of things you have done on wired 3rd party swithces with BYOD?

     

    Cheers

    Carlos



  • 4.  RE: Third party Switches for clearpass

    Posted Apr 18, 2013 10:56 AM

    I'm hoping to get more familiar with it at the partner conference myself. Having said that, the following is pretty handy...

     

    http://community.arubanetworks.com/aruba/attachments/aruba/amigopod/1301/1/

     

    I am expecting at a minimum, that you can do things similar to what I've been doing for a while with tools like Bradford Campus Manager and Packetfence.

     

    For example, the switch has a port configuration which validates the client (via mac or 802.1x auth). If that fails, the port goes into a "logon" or quarantine type VLAN. This VLAN is where users can enroll to achieve better access.

     

    I'm wondering if there's slicker ways, but in the most simple deployments you might have an Aruba controller or switch acting as the web re-direct engine, pointing you to Clearpass. When the user satisfies what Clearpass wants, Clearpass resets the user's port to another network.

     

    I'm not keen on the switches you've listed personally, but it's just a feeling. Nothing specific. They look like the sort of models with limitations. Especially that HP one.

     

    If I was you, I'd be looking to get something representative of what you'd see in a customer's real campus network. Like a larger Cisco 2960 or even 3750 (cheap on ebay). Then maybe a HP 2810? They do most stuff ok.

     



  • 5.  RE: Third party Switches for clearpass

    Posted Apr 18, 2013 09:24 PM

    Thanks for the document.

    Do you know if there is a supported switches brands or model  and firmwares for clearpass?

     

    Or any switch supporting  radius and x things will support having x things of clearpass?

     

    Cheers

    Carlos



  • 6.  RE: Third party Switches for clearpass

    Posted Apr 19, 2013 03:13 AM

    I'm not aware of a list of switches, but my theory would be if a switch supports these features...

     

    1. dot1x + radius

    2. SNMP (read AND write)

    3. telnet or preferably SSH (not just a web GUI)

    4. VLANs (in decent volumes)

     

    Then you should be able to do most things. Of course, no where near what you could do with an Aruba switch, but that's fair enough considering costs.

     

    Good luck!



  • 7.  RE: Third party Switches for clearpass

    Posted Apr 19, 2013 06:59 PM

    Well that sounds interesting but like you said its your theory  :)

    It would be nice if someone of aruba can confirm us that?

     

    AmigoDave are you there? :)



  • 8.  RE: Third party Switches for clearpass

    Posted Apr 25, 2013 11:32 AM

    A requirement to support BYOD probably means it has a good featureset for RADIUS support and good ACL implementation, unless you want to implement ACLs per VLAN at the nearest layer 3 hop instead of at the edge.  Some switches don't scale well when it comes to applying policies per user rather than per VLAN - have this issue with Avaya switches in our environment.  In that scenario you would want to apply policies per VLAN most likely and maybe not do it at the edge but upstream.

     

    Look for authenticating multiple hosts with multiple authenticated roles or VLANs per port.  For example, you want to be able to support both an IP phone and a guest / BYOD user plugged into the back of the phone on a single port if possible, and filter traffic according to your ACLs or dynamic VLAN assignments appropriately for each user/device on that port.

     

    I don't know how many vendors do this aside from Aruba, but having a switch built around user-roles is a big deal.  Aruba mobility access switches offer this in addition to or in lieu of VLAN based access management.  So instead of using dynamic VLAN assignment via RADIUS as the mechanism to separate guest / BYOD users from corporate users, you can have them coexist in the same VLAN but still assign different user roles and different ACLs.  The benefit is that users won't experience an IP release and renew since they don't get shuttled over to a different VLAN after authentication, which can cause problem W/R/T user experience.  I don't think these devices are truly quarantined from each other within that VLAN (there's a name for that but don't recall off the top of my head) where they can't talk to other devices within the same broadcast domain.  Maybe there's a way to replicate that with an ACL as a bit of hack but I don't know.

     

    Switches should support an initial role or VLAN for unauthenticated devices/users, a default role/VLAN for users that get authenticated but the role / VLAN isn't passed back as a RADIUS return value, and a fail-over role / VLAN when RADIUS goes down.

     

    Should support QOS measures that can be assigned as a RADIUS return value.

     

    Captive portal integration on the switch and/or proxying that to an external captive portal (a'la Clearpass Guest) would be a big deal.

     

    Downloadable ACL support would be good (ACL is defined centrally in Clearpass, and is pushed to the switch as a return value and applied to the user dynamically).

     

    Look at Aruba S2500 and S3500 as one of your options, btw, they're really built around supporting BYOD and integrate well with their wireless stuff and Clearpass.  We're deploying about 300 of them at 13 campuses and will probably continue beyond that in the future.