Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass and Cisco Switched Environment

  • 1.  ClearPass and Cisco Switched Environment

    Posted Jan 15, 2015 07:51 PM

    Is anyone out there actively using ClearPass with Cisco switches?  I am interested to know if you have had any issues managing the Cisco gear versus using Aruba switch gear?  Is there any reason to be concerned in using Cisco switch gear versus Aruba?



  • 2.  RE: ClearPass and Cisco Switched Environment

    EMPLOYEE
    Posted Jan 15, 2015 07:54 PM

    The Aruba mobility access switch was purpose-built with role-based access and mobility at its core.

     

    Cisco switches can perform most of the same functions but configuration is much more complex because there is no context of a role and many features are dependent on code levels.

     

    For example, we can simply return STAFF to an Aruba switch and the switch is configured to assign a certain VLAN, access controls, QoS settings, etc for users in that role.

     

    On a Cisco switch, there aren't as many "dynamic" options for port configurations. Things like VLAN and ACLs can be changed, but on some platforms, all other port configurations are static.

     

     



  • 3.  RE: ClearPass and Cisco Switched Environment

    MVP
    Posted Jan 16, 2015 06:30 AM
    We have been successfully using CPPM with Cisco switches and Aruba controllers. If you properly follow the Cisco documentation, you should have no major issues. We also have Cisco wired phones and are authenticating most newer models with EAP-TLS using the factory-installed certificate on the phone. For older phones, we do MAC authentication.

    There is one interesting thing we do. All documentation I have seen has the RADIUS server return a vlan number to the switch as the vlan-id. The server can send the vlan name instead of the number. This permits you to have switches that have a Student vlan, for instance, but have different vlan numbers. We needed this for scalability in our network environment.

    Bruce Osborne
    Liberty University


  • 4.  RE: ClearPass and Cisco Switched Environment

    Posted Jan 16, 2015 07:39 AM

    Thanks Bruce.  I was aware of returning the VLAN name versus number and will likely use this feature.  Good to hear you are doing Cisco phones and switches, as that is the environment we have as well.



  • 5.  RE: ClearPass and Cisco Switched Environment
    Best Answer

    MVP
    Posted Jan 16, 2015 07:44 AM

    Be careful if using the Cisco manufacturer-installed certificates. Some older models, such as 7970 support 802.1X, but the factory-installed certificates have expired. We moved our 7970 to mac authentication.

     

    For the phones, we let the switch use CDP for the voice VLAN. We use 802.1X to tag the client as "voice" and set up the switch port for multi-domain, which permits 1 voice and 1 data client per port.

     

    Another caveat: mac address security is not compatible with 802.1X. In some places with both configured, there have been switch CPU loading issues. You do not need to use mac address security anyway if 802.1X is properly deployed.
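
The following is an added worked example, not configuration posted by anyone in this thread. It ties together the two techniques described above: returning the VLAN by name rather than number (post 3) and running a multi-domain port with 802.1X first, MAC authentication as fallback, and CDP handing the voice VLAN to the phone (post 5). The RADIUS server address, shared secret, VLAN IDs, VLAN names and interface are placeholder values chosen for the example; substitute your own. The RADIUS attribute lines in the comments show what the ClearPass enforcement profile would return for each client type.

```cisco-ios
! ---- Global AAA / 802.1X (Cisco IOS access switch, example values) ----
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! ClearPass as the RADIUS server (address and key are placeholders)
radius server CLEARPASS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! VLANs are named so the RADIUS reply can reference the name, not the ID.
! Switch A may use 100 for "Student"; switch B may use 310 for "Student";
! the same ClearPass enforcement profile works on both.
vlan 100
 name Student
vlan 200
 name Voice
!
! ---- Access port: one voice + one data client (multi-domain) ----
interface GigabitEthernet1/0/1
 switchport mode access
 ! CDP (enabled by default) advertises this voice VLAN to the Cisco phone
 switchport voice vlan 200
 ! multi-domain = exactly one client in the voice domain, one in the data domain
 authentication host-mode multi-domain
 authentication port-control auto
 ! try 802.1X (EAP-TLS phones / supplicant PCs) first, fall back to MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
 spanning-tree portfast
 ! deliberately NO "switchport port-security" here: port security and
 ! 802.1X do not mix well (see post 5 above), and 802.1X already limits
 ! the port to the authenticated clients.
!
! ---- What ClearPass returns in the RADIUS Access-Accept ----
!
! Data client (PC via 802.1X or MAB), VLAN assigned BY NAME:
!   Tunnel-Type              = VLAN (13)
!   Tunnel-Medium-Type       = IEEE-802 (6)
!   Tunnel-Private-Group-Id  = "Student"     <- matches "vlan ... name Student"
!
! Phone (EAP-TLS with the factory cert, or MAB for older models):
!   Cisco-AVPair             = "device-traffic-class=voice"
! This places the phone in the voice domain; the actual voice VLAN ID
! comes from "switchport voice vlan" via CDP, so no VLAN attribute is needed.
```

Two practical checks before relying on this: confirm with `show authentication sessions interface Gi1/0/1` that the phone lands in the VOICE domain and the PC in the DATA domain with the expected VLAN, and verify the returned `Tunnel-Private-Group-Id` string matches the VLAN name configured on every switch in the estate, since a name that does not exist on a given switch will cause the authorization to fail on that switch.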