Security

last person joined: 22 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Clearpass -- Comparable Secure Group Access

This thread has been viewed 9 times

  • 1.  Clearpass -- Comparable Secure Group Access

    Posted Mar 31, 2014 02:56 PM

    During a discovery call, a customer asked if we supported a feature similar to Cisco’s ISE/SGA as copied below.  The way we proposed the Celarpass solution to the customer indicated that there was really little difference to what they were currently doing.  They are interested in deploying SGA/ISE because it provided the capability of something he (the customer) referred to as "secure labels" to uniquely identify the users and devices:

     

    Understanding the SGA Architecture

    The Cisco Security Group Access (SGA) solution establishes clouds of trusted network devices to build secure networks. Each device in the Cisco SGA cloud is authenticated by its neighbors (peers). Communication between the devices in the SGA cloud is secured with a combination of encryption, message integrity checks, and data-path replay protection mechanisms. The SGA solution uses the device and user identity information that it obtains during authentication to classify, or color, the packets as they enter the network. This packet classification is maintained by tagging packets when they enter the SGA network so that they can be properly identified for the purpose of applying security and other policy criteria along the data path. The tag, also called the security group tag (SGT), allows ISE to enforce access control policies by enabling the endpoint device to act upon the SGT to filter traffic.

    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sga_pol.html



  • 2.  RE: Clearpass -- Comparable Secure Group Access

    Posted Apr 01, 2014 07:31 AM

    I think the way to word this is Cisco's Security Group Tagging is their "comparable" solution to Aruba's role-based access controls.     If your customer wants "secure labels" to identify the users and devcies, explain to them what a role is and how powerful it can be to secure their devices.  

     

    Clearpass doesn't have a comparable solution itself, because ArubaOS (irrespective of ClearPass) has been doing this all along through role-based access controls.    ClearPass merely assists with the assignment of those roles through context of the user/device/connection/etc.

     

    Aruba's solution is to assign a role to every device at the time of connection; and apply firewall policies on the controller before its gets on the wire.    Aruba doesn't tag things through to every device in a group, because there is no need to; they are already allowed/restricted before they hit those other devices.   

     

    Also, this solution is Cisco proprietary....whereas role-based access controls will overlay to any infrastructure.



  • 3.  RE: Clearpass -- Comparable Secure Group Access

    Posted Apr 08, 2014 03:20 PM

    Thank you for this.

     

    Bill



  • 4.  RE: Clearpass -- Comparable Secure Group Access

    Posted Aug 14, 2015 12:57 PM

    In th emiddle of a PoC for Cisco ISE with trustsec and SGT.  For the most part ISE looks alot like CPPM with the exception that ISE can push SGT information to the Cisco switches.  Based on what I think I know :-) this allows the users packets to be tagged with a SGT # and as it exits each hop/device interface the SGT is checked and appropriate access given.

     

    I am stuggling to see why this is needed if access at the access layer is already enforced with 802.1x and maybe some downloadable ACLs from ISE or CPPM.  Can anyone help me understand how SGT is better?

     

    To the point in the post above Aruba roles are awesome but in a large campus with 40 Cisco 6509s with 10gig uplinks in  IDFs to the core how could we leverage Aruba roles?  My thought is Aruba roles are only of value if the traffic flows through a controlelr or MAS and the only way I can apply an Aruba security option is to use CPPM for NAC with downloadable ACLs.

     

    Any thoughts, comments or solutions appriciated.  I love my Aruba gear. 

     

     



  • 5.  RE: Clearpass -- Comparable Secure Group Access

    EMPLOYEE
    Posted Aug 14, 2015 01:02 PM
    Aruba can achieve this using APIs and things like RADIUS accounting to
    update other network devices upstream. That is the beauty of an open product
    like ClearPass vs a completely closed product like ISE.



    SGT is typical Cisco marketecture.


  • 6.  RE: Clearpass -- Comparable Secure Group Access

    Posted Aug 14, 2015 01:14 PM

    Tim,

    Thanks for the quick reply.  Could you please just expand a little on the API option so I can do some searching on this.  Would the APIs come from configuration in CPPM or an external server?  And what types of upstrean updates would be possible?

    I asked my local Aruba team about compariable options of SGT and they were not aware of any so I was going to take the approach of why is SGT so important if we already have access controller at the access layer.



  • 7.  RE: Clearpass -- Comparable Secure Group Access

    EMPLOYEE
    Posted Aug 14, 2015 01:17 PM
    Right. The access layer isn't the focus with SGT, it's the upstream network.
    ClearPass can send updates to almost any other network device that supports
    an API or RADIUS accounting. Individual capabilities will depend on the
    network device. So things like updating the user's identity, dACLs, etc.