Higher Education


Clearpass on hardline?.?.?

  • 1.  Clearpass on hardline?.?.?

    Posted Jan 30, 2016 12:25 PM

    As our wireless environment has grown and developed into what we have now, with ClearPass and all of its role-based goodness, I have been thinking. (I know, that's a dangerous thing for me to do.) Can ClearPass also do role-based access for hardwired networks as well as wireless? I have heard that it can, in conjunction with 802.1X security on switch ports along with dynamic VLAN assignment. So this leads me to a few questions:


    1 - Has anyone here done this and how did they do it?

    2 - Where are you putting your access rules for your roles? Are you just running hardwired traffic through your controller and in essence using your controller for your core router? Are you just placing traffic on VLANs at the edge and then having a separate router/firewall take care of access restrictions?

    3 - I know Bradford Networks has a NAC solution that essentially works like ClearPass, but I have heard from several of Bradford's customers that VLAN transition times can be upwards of 3 minutes per login (3 #$%^ing MINUTES!!). The ClearPass/Controller combo transitions VLANs very quickly for wireless clients, usually within 5 seconds or so, but would hardwiring this process slow it down too?

    4 - Why did Ben (Kylo) kill his Dad? I am so pissed!

    5 - Any other advice on the subject is welcome. This is something my team and I are beginning to discuss as an option, as we are really not satisfied with our current NAC solution (Trustwave).


    Thanks gang!



  • 2.  RE: Clearpass on hardline?.?.?

    EMPLOYEE
    Posted Jan 30, 2016 12:32 PM
    Absolutely. A large number of customers deploy wireless, then the wired side comes next.

    Some customers just do authentication and update identity throughout the network; others do full policy at the edge using the switches' various features.

    Bradford is often deployed inline. ClearPass uses the standards-based features of the switch.

    I would recommend starting with authentication, then as a phase 2 start applying policy. The wired side is often much more complex due to the large mix of very different clients, lots of older devices and many different use cases.



  • 3.  RE: Clearpass on hardline?.?.?

    Posted Jan 30, 2016 01:34 PM
    Hi

    We have been using ClearPass with wired networks for 2 years and it works very well.

    ClearPass makes use of standards, so if your switches are compliant you can go further without problems.

    You must take care of the endpoints (PCs, printers, phones) and their capabilities to create the roles and access rules.

    I recommend reading the design references and going ahead.

    Regards


    Andrés Mauricio Espinosa M.
    CESA Colegio de Estudios Superiores de Administración
    Casa Casa Lleras -  Calle 35 # 5A-38
    Pbx: (57 1) 339 53 00 


  • 4.  RE: Clearpass on hardline?.?.?

    Posted Feb 01, 2016 10:22 AM

    We started down this same road a bit back, but we've really put a hold on it for Students and/or any BYOD devices on the wired side. With wired connections, neither the Mac nor the PC defaults with 802.1X on, so getting the students to turn on extra services (Windows) and do more tweaking to get on the wired, non-guest network was even more of a reason for them to just get on Wireless. We get enough complaints with students having to change Win7 defaults for dot1x wifi; that, and many of the wired connections are gaming devices.



  • 5.  RE: Clearpass on hardline?.?.?

    MVP
    Posted Feb 01, 2016 10:51 AM

    1. At Liberty University, we have done full 802.1X on Aruba wireless and on Cisco switches in the residence halls for several years. We do not currently use RADIUS CoA, but we need to look at that further.

    A connected user first hits a captive web portal that has links to either provision the client for 802.1X (currently using CloudPath XpressConnect) or register the MAC address for MAC auth. We have separate VLANs for Registration, Registered Devices (MAC auth), Students, Staff, & IT Administrators. We assign VLANs by name so different access switches can have differing VLAN IDs for the same role. For our Cisco voice, we let CDP determine the VLAN and use either the installed certificate or MAC auth on older phones, so ClearPass has the switch mark it as a voice device. We use multi-domain authentication, which only permits 1 voice & 1 data MAC address per port.


    We use 802.1X & registration information to map username to ip address for Internet bandwidth management purposes.


    2. We are using RADIUS from the access switches to ClearPass.


    3. In the past we used Bradford NAC (Aruba ECS) and found it lacking when we looked at moving to 802.1X in 2006.


    5. ClearPass is a very good standards-based solution, especially if you currently have Aruba wireless or wired equipment.
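An added example, not taken from any post in this thread: a Cisco IOS access-port configuration of the kind post 5 describes (802.1X with MAB fallback, multi-domain host mode for one voice and one data device, and VLAN assignment by name from ClearPass). The RADIUS server address, shared secret, interface and VLAN names/IDs are placeholders, and the ClearPass enforcement-profile attributes are shown as comments.

```cisco
! Assumed IOS access switch; address, key, VLAN names and IDs are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
radius server CLEARPASS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
! VLANs are matched by NAME when ClearPass returns Tunnel-Private-Group-Id,
! so another closet switch may use different IDs for the same role names.
vlan 20
 name Students
vlan 30
 name Voice
vlan 40
 name Registration
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 30
 ! One voice + one data MAC per port (post 5's multi-domain authentication)
 authentication host-mode multi-domain
 ! Try 802.1X first; unknown or unprovisioned clients fall back to MAC auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! ClearPass enforcement profile for a data device (RFC 3580 attributes):
!   Tunnel-Type            = VLAN (13)
!   Tunnel-Medium-Type     = IEEE-802 (6)
!   Tunnel-Private-Group-Id = "Students"   (or "Registration" for an unknown MAC)
! For a Cisco phone, the voice domain is marked with a Cisco VSA:
!   Cisco-AVPair = "device-traffic-class=voice"
```

Putting unknown MAC addresses into the Registration VLAN via MAB is what lands a new device on the captive portal described in post 5; once it is provisioned or registered, its next authentication returns the role VLAN instead.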