Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

  • 1.  Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    Posted May 31, 2015 06:34 PM

    I had a question that I just don't know the answer to.

    Can the ClearPass wired NAC shut a port on a switch due to a user/computer not being in AD or bad attempts?

    If so, where/what/how is this done?



  • 2.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    EMPLOYEE
    Posted May 31, 2015 06:38 PM

    It depends on the capability of the switch. You could potentially do this via an SNMP enforcement.

    The more common way of enforcing this policy would be to put the user into a dead-end VLAN.

    If you shut the port down and the user is connected behind a VoIP phone, for example, the phone would be disabled as well.



  • 3.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    Posted May 31, 2015 06:56 PM

    That's what I was guessing when thinking about this, but is there some policy for this or do you have to write a custom policy to do the shutdown? I just didn't know if it was possible. These are with some ClearPass-certified Dell N series switches... they were bought before Aruba cuddled up to HP :-p



  • 4.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    EMPLOYEE
    Posted May 31, 2015 07:00 PM

    Do you happen to have the SNMP guide for that series switch? I did a quick Google search and couldn't find one.

    Also, keep in mind, the HP acquisition does not impact the open nature of Aruba's products like ClearPass.



  • 5.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    Posted May 31, 2015 10:27 PM

    Dell N series

    2000/3000/4000 are pretty much all the same functionality-wise except 10gig ports and SFP+ etc...

    http://www.dell.com/support/home/us/en/04/product-support/product/networking-n3000-series/manuals



  • 6.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    Posted Jun 20, 2015 03:18 PM

    No definitive yes or no, but on related switches it is possible to set a VLAN:

    http://en.community.dell.com/support-forums/network-switches/f/866/t/19257012

    So the trick is to find the interface-enabled OID and try to "set" it.



  • 7.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    Posted Jul 06, 2015 12:08 PM

    Just how would I set this up? Either putting them on a dead VLAN or shutting the port?

    I am very new with ClearPass and am just lost on setting something like this up.

    Sorry I need so much help, but I am lost.



  • 8.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    Posted Jul 06, 2015 01:20 PM

    Do you have an Aruba partner that you can ask for help? It might be useful to go through the whole product first with someone who has worked with it before. You will get some replies here most likely, but it is just small things and you might end up with a configuration that could be enhanced a lot.

    It might also be useful to just Google and search here for some ClearPass policy examples to get an idea of the flow.

    What do you already have working?



  • 9.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    Posted Jul 06, 2015 01:43 PM

    We have nothing installed.

    It's a brand new install; they decided to go with ClearPass since they just released the Hyper-V version.

    Having to put in a complete network stack, some APs and this ClearPass policy server.

    I have some install guides/administrator guides that I can follow, but this isn't a standard case as far as I can see or searching can tell me.



  • 10.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    Posted Jul 06, 2015 01:56 PM

    Who sold you the Aruba ClearPass? Can they perhaps also help you with configuring it? What brand are the network switches?

    Looking back at your original question, and if nothing has been configured yet: in principle, if you build it correctly (the wired 802.1X template will get you there pretty much), then anyone not getting through authorization will just be denied access. There is no specific need to disable a switchport. Why do you want that to happen beyond the user not getting access anyway?



  • 11.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    Posted Jul 06, 2015 02:08 PM

    This is one of those times where the director came in and basically said "here, put this in" and we didn't get any input. Someone up the ladder got sold on it and now we have to deal with it.

    They said they wanted it to shut the port and to figure out how to do it.

    I know you can do port-based security with MAC filtering, which is what I was thinking about trying a policy with in ClearPass; now just to figure out how to do it. P.S. I don't get a test environment.

    http://www.dell.com/support/article/us/en/6099/HOW10392/EN/

    They are Dell N3048 switches.

    P.S. As for who sold it, they are just a reseller with no engineers, and our management doesn't want to hire a consultant to do it; that's why I got stuck with this crap.

    I'm not the best with networking either, but I do know access management pretty well.



  • 12.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    EMPLOYEE
    Posted Jul 06, 2015 02:12 PM
    Godoff,

    In that case, you should start very small. Wired authentication is an advanced topic. Shutting down ports when authentication fails is even more advanced. When authentication fails you then have to figure out how you deal with users who have problems, or even new users who cannot get on. It requires a lot of thought.

    Check first whether that switch can support MAC authentication and how it is configured...


  • 13.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    Posted Jul 06, 2015 03:54 PM

    As cjoseph mentions, start small. Take one switch, if at all possible one which isn't used further, and start on that. Just do dot1x first, see if you can assign a VLAN. Then look at MAC auth for the devices that don't support dot1x. See how it works, what is possible, what isn't.

    When you get all that working you can look at the failed-auth scenario, but hopefully you understand it well enough by then to convince whoever that something like that isn't needed.

    The Cisco and CPPM technote explains a lot of the things that are possible. Yes, the switch-side config is of course Cisco, but the general idea should help you a lot and provide pointers to the terms you can look up for the Dell switches.

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=10344

    Do think things through in advance: what happens when ClearPass fails, for example? Will you allow your users access to some VLAN or ...?



  • 14.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    Posted Jul 12, 2015 07:11 PM

    I have been away for a few days, doing some research with what you guys have said and being as persuasive as I could. I got the director to agree to scrap this idea.

    Go with something simpler.

    Just if someone tries to authenticate and fails, then they get dumped on a dead VLAN that doesn't route anywhere.

    They still want this to be a wired policy as well, but I think it's a little simpler to pull off.

    Any suggestions on this topic?
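The dead-end VLAN enforcement that replies 2 and 14 settle on is carried from the NAC server to the switch as RFC 3580 tunnel attributes in the RADIUS Access-Accept. The following encoder/decoder is an added illustration, not code from this thread or from ClearPass; the VLAN id 999 and the attribute bytes are constructed for the example, and a real deployment would send them inside a full, authenticated RADIUS packet.

```python
import struct

# RADIUS tunnel attributes (RFC 2868) as used for VLAN assignment (RFC 3580)
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # string carrying the VLAN id
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

def _avp(attr_type, value):
    """Encode one attribute-value pair: type(1) length(1) value(<=253)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_vlan_assignment(vlan_id, tag=0):
    """Attributes a NAC server returns to move a port into vlan_id
    (for a failed auth this would be the dead-end VLAN)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("invalid 802.1Q VLAN id")
    # Tagged integer values are 1 tag byte followed by a 3-byte integer
    return (_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def parse_attributes(data):
    """Split a run of AVPs into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out

def assigned_vlan(data):
    """VLAN id the attributes assign, or None if the three tunnel
    attributes are missing or do not describe an 802.1Q VLAN."""
    attrs = dict(parse_attributes(data))
    ttype, tmed, tgid = (attrs.get(k) for k in
                         (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if ttype is None or tmed is None or tgid is None:
        return None
    if len(ttype) != 4 or len(tmed) != 4:
        return None
    if (int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(tmed[1:], "big") != TUNNEL_MEDIUM_IEEE802):
        return None
    # RFC 2868: a leading byte above 0x1F is part of the string, not a tag
    vlan = tgid[1:] if tgid and tgid[0] <= 0x1F else tgid
    return int(vlan) if vlan.isdigit() else None
```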



  • 15.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    EMPLOYEE
    Posted Jul 12, 2015 07:13 PM

    If they get dumped to a dead VLAN that will still generate a helpdesk ticket, unless you give foolproof instructions on how to get out of that VLAN to that user. Wired authentication is difficult unless you have policy, a plan, and trained people to support it.



  • 16.  RE: Can Clearpass NAC shut off a switchport if the user/computer is not authorized?

    Posted Jul 12, 2015 07:36 PM

    Which we don't, but I just need to get this working for them and deal with the consequences later. I am sure after the first 50 tickets they will have me back off on a few things, but they almost threw a fit when I was trying to explain to them that their port-shutting idea wasn't that great and was very difficult to implement.

    Anything I should look for while doing this?