Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass and AD

  • 1.  Clearpass and AD

    Posted Sep 26, 2013 06:44 AM

    Hi all,

    We are in the process of implementing ClearPass Policy Manager and ClearPass Guest.

    I have some initial doubts:

    1. ClearPass is going to integrate with AD. That is done using the data port, correct?

    ClearPass only queries AD, correct?

    2. Implement 802.1X on corporate access (users log in with AD credentials and then, depending on the device they are using, a policy is applied). Is this the best way and the more secure 802.1X? What do I need?

    For now we are using WPA2 on Aruba.

    3. ClearPass Guest will deliver guest access to users (HTTP, HTTPS); the SSID is already created on the Aruba controller.

    Thanks

    Regards



  • 2.  RE: Clearpass and AD

    Posted Sep 26, 2013 09:32 AM

    Hey,

    1.

    Yes, the AD should communicate with your ClearPass over the data port. From what I have observed, ClearPass only queries.

    2.

    802.1X is secure. It is recommended over WPA2-PSK, at least in a corporate environment.

    In order to do what you want, you can use your AD groups with some role mappings to identify the users and devices and place them into the correct User Role and VLAN. You can also look at Onboarding as well.

    We have made it so that smart phones and tablets go into their own VLAN with their own User Role, and authenticated computers go into another. CPPM can pretty much do whatever you want; you just have to know what that is.

    Aruba_Role_Mappings_0001.png

    3. Not sure if this is a question or just a statement. You can also use the CPPM to handle your guests, though, if you have the licensing for ClearPass Guest. I would recommend maybe using this so that everything can be managed through the CPPM.

    Cheers



  • 3.  RE: Clearpass and AD

    Posted Sep 27, 2013 06:09 AM

    Hi,

    Thanks for the info and help.

    Do you have the OnGuard module on ClearPass? We only have Policy Manager and Guest.

    We will have the need to distinguish between iPhones, Androids, iPads and corporate computers. But that is done with Policy Manager, correct?

    And another thing: is it possible on Access Tracker to see what devices are connected and what TCP or UDP ports they are using? Because we have a firewall, but it only states the Aruba source IP address and not the client's IP. That is because of the NAT.

    Regards



  • 4.  RE: Clearpass and AD

    EMPLOYEE
    Posted Sep 27, 2013 08:08 AM

    You can distinguish between corporate devices and other devices in three ways:

    - Maintain a database of corporate device MAC addresses (not very secure, but works)

    - Use TLS and issue computer certificates to corporate owned machines

    - Use machine authentication

    In terms of Access Tracker, it is only concerned with authentication requests. You will not be able to display session-based information, as that all happens post-authentication.



  • 5.  RE: Clearpass and AD

    Posted Sep 27, 2013 08:19 AM

    To add to what @cappalli suggested.

    You could also use the Endpoints database to manage your Apple iPhones/tablets and Android phones/tablets.

    Once an Endpoint profile exists for your device, you could add a custom attribute to the device to identify it as a company owned device.

    You could then design your rules to look for the device type + this custom attribute. It is a little bit of work in the beginning, but once it's done it should be fairly easy to maintain.

    And for corporate computers, if you can't issue certificates, just use EAP-PEAP and the [Machine Authenticated] TIPS Role.

    As for the visibility of the TCP/UDP ports, you could use the following command on the controller: show datapath session table <A.B.C.D>

    This will show you all the active connections of the clients.

    Cheers



  • 6.  RE: Clearpass and AD

    EMPLOYEE
    Posted Sep 27, 2013 08:34 AM

    You could also automate the attribute process a little bit.

    For example:

    You could create a ClearPass Entity Update Enforcement profile that says: if machine authenticated, then update the endpoint database attribute "Corporate Asset" to true. Then, when you have all of the data you need, you can use the endpoint database as your authoritative source.

    endpoint-corporate.PNG

    endpoint-tipsmachine.PNG

    We used this method before we went live with the endpoint database to help build up the data.

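The classification approaches from replies 4 through 6 (MAC list, computer certificate, machine authentication), the Entity Update Enforcement step that tags machine-authenticated endpoints, and a role mapping that then treats the endpoint database as authoritative, simulated in Python as an added example. This is not ClearPass code or anything posted in the thread; the endpoint records, the role names and the VLAN IDs are constructed, and only the "Corporate Asset" attribute and the [Machine Authenticated] TIPS role come from the replies.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

MACHINE_AUTH_ROLE = "[Machine Authenticated]"        # TIPS role named in the thread
MOBILE_TYPES = {"Apple iPhone", "Apple iPad", "Android"}

def sample_endpoints() -> Dict[str, Dict[str, str]]:
    """Constructed stand-in for the ClearPass Endpoints database (MAC -> attributes)."""
    return {
        "aa:bb:cc:00:00:01": {"Device Type": "Windows"},                            # corp laptop, untagged
        "aa:bb:cc:00:00:02": {"Device Type": "Apple iPhone"},                       # personal phone
        "aa:bb:cc:00:00:03": {"Device Type": "Android", "Corporate Asset": "true"}, # tagged by hand
    }

@dataclass
class AuthRequest:
    """The fields a role-mapping rule sees for one authentication (constructed shape)."""
    mac: str
    tips_roles: Set[str] = field(default_factory=set)   # e.g. {"[Machine Authenticated]"}
    has_computer_cert: bool = False                     # EAP-TLS with a corporate computer cert

def entity_update(req: AuthRequest, endpoints: Dict[str, Dict[str, str]]) -> bool:
    """Mirror of the Entity Update Enforcement profile: machine auth (or a computer
    cert) tags the endpoint as a corporate asset. Returns True when the tag is written."""
    if MACHINE_AUTH_ROLE in req.tips_roles or req.has_computer_cert:
        endpoints.setdefault(req.mac, {})["Corporate Asset"] = "true"
        return True
    return False

def map_role(mac: str, endpoints: Dict[str, Dict[str, str]]) -> Tuple[str, int]:
    """Role mapping with the endpoint database as the authoritative source:
    device type + the custom attribute decide role and VLAN (constructed values)."""
    ep = endpoints.get(mac, {})
    corporate = ep.get("Corporate Asset", "").lower() == "true"
    dtype = ep.get("Device Type", "Unknown")
    if corporate and dtype in MOBILE_TYPES:
        return "corp-mobile", 20
    if corporate:
        return "corp-computer", 10
    if dtype in MOBILE_TYPES:
        return "byod-mobile", 30      # known phone/tablet without the attribute
    return "quarantine", 99           # unknown or untagged device: least privilege by default

if __name__ == "__main__":
    db = sample_endpoints()
    # A machine authentication from the laptop tags it; the later user login then
    # from the same MAC lands in the corporate role instead of quarantine.
    entity_update(AuthRequest("aa:bb:cc:00:00:01", {MACHINE_AUTH_ROLE}), db)
    for mac in db:
        print(mac, map_role(mac, db))
```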


  • 7.  RE: Clearpass and AD

    Posted Sep 27, 2013 08:38 AM

    @cappalli

    Very cool. I didn't know you could do this! Thank you for sharing!!

    Cheers



  • 8.  RE: Clearpass and AD

    EMPLOYEE
    Posted Sep 27, 2013 08:42 AM

    In terms of the firewall visibility, if you are using mobility controllers, you can use the new firewall visibility feature in 6.3.

    You can view the data in the controller itself or inside of AirWave. It will auto-classify certain web traffic such as Dropbox, Facebook, etc.

    Here's an example. This is for my phone (these things aren't so quiet when they're in your pocket!). You can get very granular and view by application, destinations, devices, WLANs, users, and roles.

    firewall-applications.PNG

    firewall-destinations.PNG