Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Feature Query

  • 1.  Clearpass Feature Query

    Posted Mar 23, 2017 06:06 PM

    Please advise:
    which features can we use to secure a 3Com and HPE wired environment, according to the following scenario?

    There are 2 VLANs:
    1. management VLAN
    2. users VLAN

    There is no L3 connection between those 2 VLANs. We are not allowed to configure the ClearPass server to use 2 different interfaces (mgmt & data); we can choose to work only in one segment.

    There is access to the DC only from the users VLAN.

    We are being asked to supply a solution for 2 main issues:

    1. A computer with 2 active network cards (wireless/wired) will be sent to a quarantine VLAN / have its switch port blocked until the wireless connection is disconnected.

    2. Verify and enforce that only domain / corporate machines are allowed to connect to the wired network.

    In the future there will be an Aruba wireless controller connected to the mgmt VLAN (but until then we need to find a solution).

    According to the scenario limitations, which ClearPass features can we use in order to achieve the above?

    Is LLDP being used to collect information?

    Best Regards,
    Shay



  • 2.  RE: Clearpass Feature Query

    Posted Mar 24, 2017 10:29 AM

    Hi Shay,

    1. A computer with 2 active network cards (wireless/wired) will be sent to a quarantine VLAN / have its switch port blocked until the wireless connection is disconnected.

    ClearPass OnGuard can do this. See the image below, where we are checking that a Windows 10 device only has a single wired network connection. If wireless is enabled, then the device can be quarantined. You can also configure a remediation action where the wireless is automatically disabled or disconnected.

    [image: onguard.jpg]

    2. Verify and enforce that only domain / corporate machines are allowed to connect to the wired network.

    There are many ways to do this. You can do 802.1X (EAP-PEAP or EAP-TLS) machine-only authentication and configure a ClearPass service to support it.

    According to the scenario limitations, which ClearPass features can we use in order to achieve the above?

    ClearPass Policy Manager & ClearPass OnGuard.

    Is LLDP being used to collect information?

    No.

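The two controls James points at (an OnGuard health check that flags a second active adapter, and 802.1X machine-only authentication) come down to a small piece of decision logic. The script below is an added illustration written for this page, not ClearPass or OnGuard code and not from anyone in the thread: it parses constructed `Get-NetAdapter` output from a Windows host, treats a `host/<fqdn>` RADIUS identity as machine authentication (the identity Windows presents for computer-account PEAP or computer-certificate EAP-TLS), and returns an enforcement decision. The VLAN IDs are hypothetical, and the fail-closed handling of a missing posture report is my assumption about how to treat an agent that cannot reach the policy server.

```python
"""
Illustrative decision logic for the two requirements in this thread:
  1. a host with wired AND wireless connected at the same time goes to quarantine
  2. only machine-authenticated (domain) endpoints are admitted on wired 802.1X
Added example, not ClearPass or OnGuard code. ClearPass expresses the same logic
as an OnGuard "Network Connections" health check plus service enforcement rules.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output of `Get-NetAdapter | Format-Table Name, Status, MediaType`
# on a Windows 10 laptop: first dual-homed (wired and Wi-Fi both up), then compliant.
DUAL_HOMED = """\
Name                          Status        MediaType
----                          ------        ---------
Ethernet                      Up            802.3
Wi-Fi                         Up            Native 802.11
Bluetooth Network Connection  Disconnected  802.3
"""

WIRED_ONLY = """\
Name                          Status        MediaType
----                          ------        ---------
Ethernet                      Up            802.3
Wi-Fi                         Disconnected  Native 802.11
"""

# One adapter row: name, then status, then media type, separated by 2+ spaces
# (Format-Table pads columns). Header and separator rows do not match.
ADAPTER_RE = re.compile(
    r"^(?P<name>.+?)\s{2,}(?P<status>Up|Disconnected|Disabled|Not Present)"
    r"\s{2,}(?P<media>802\.3|Native 802\.11)\s*$"
)

# Windows machine authentication (PEAP-MSCHAPv2 with the computer account, or
# EAP-TLS with the computer certificate) sends the identity as host/<fqdn>;
# a user logon sends DOMAIN\user or user@realm instead.
MACHINE_ID_RE = re.compile(r"^host/[^/\\@\s]+$", re.IGNORECASE)

QUARANTINE_VLAN = 999  # hypothetical quarantine VLAN id
USERS_VLAN = 20        # hypothetical users VLAN id


@dataclass(frozen=True)
class Adapter:
    name: str
    up: bool
    wireless: bool


def parse_adapters(text: str) -> List[Adapter]:
    """Turn Get-NetAdapter table text into Adapter records, skipping non-data rows."""
    adapters = []
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if not m:
            continue
        adapters.append(Adapter(name=m["name"].strip(),
                                up=(m["status"] == "Up"),
                                wireless=(m["media"] == "Native 802.11")))
    return adapters


def posture_healthy(adapters: List[Adapter]) -> bool:
    """Compliant posture for a wired port: exactly one active wired adapter
    and no active wireless adapter (a second uplink could bridge the networks)."""
    wired_up = sum(1 for a in adapters if a.up and not a.wireless)
    wireless_up = sum(1 for a in adapters if a.up and a.wireless)
    return wired_up == 1 and wireless_up == 0


def is_machine_identity(user_name: str) -> bool:
    """True for a machine-auth RADIUS User-Name such as host/ws01.corp.example."""
    return bool(MACHINE_ID_RE.match(user_name))


def enforcement(user_name: str, posture_text: Optional[str]) -> dict:
    """Decide what the switch should be told for one wired 802.1X session.

    posture_text is the agent's adapter report, or None when no report arrived
    (e.g. the agent has no IP path to the policy server). Fail closed in that case.
    """
    if not is_machine_identity(user_name):
        return {"action": "reject", "reason": "not a domain machine account"}
    if posture_text is None:
        return {"action": "accept", "vlan": QUARANTINE_VLAN, "reason": "posture unknown"}
    if not posture_healthy(parse_adapters(posture_text)):
        return {"action": "accept", "vlan": QUARANTINE_VLAN, "reason": "wireless adapter active"}
    return {"action": "accept", "vlan": USERS_VLAN, "reason": "healthy"}


if __name__ == "__main__":
    for ident, report in [("host/ws01.corp.example", DUAL_HOMED),
                          ("host/ws01.corp.example", WIRED_ONLY),
                          ("CORP\\shay", WIRED_ONLY),
                          ("host/ws01.corp.example", None)]:
        print(ident, "->", enforcement(ident, report))
```

The order of the checks matters: identity is decided first, because a non-domain machine should never get a VLAN at all, while a domain machine with bad or missing posture still gets network access, only into the quarantine VLAN where the agent can remediate. On the real product the adapter check is the OnGuard health class and the `host/` test is a role-mapping rule on the authenticated username; this script only mirrors that logic offline.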


  • 3.  RE: Clearpass Feature Query

    Posted Mar 24, 2017 12:53 PM

    Hi James,

    1. I am familiar with the OnGuard option.

    The client device and the ClearPass server are in two different VLANs, and there is no Layer 3 routing between them. How exactly will ClearPass be able to collect information from the station agent in this method?

    2. So except for 802.1X, which we can use only with the local DB (we can't connect the CPPM to both the users & mgmt VLANs; the DC is located in the users VLAN), or a preconfigured endpoints DB / MAC mask, what other methods can we use?

    -- About LLDP --

    The SNMP collector is using LLDP, CDP, ARP, etc. to collect information.

    Thanks,

    Shay