Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass - monitor mode with Cisco 3560 switch

  • 1.  Clearpass - monitor mode with Cisco 3560 switch

    Posted Oct 16, 2017 12:43 PM

    I have configured ClearPass to do MAC auth in monitor mode and a 3560 switch following

    https://community.arubanetworks.com/aruba/attachments/aruba/tkb@tkb/223/1/Cisco%20Switch%20Setup%20with%20CPPM-v1.2.pdf


    A Windows PC is allowed access (MAC authentication ACCEPT) only if the device is set to Known (via Access Tracker); otherwise the PC (Unknown) gets MAC authentication REJECT.

    How do we configure CP and the switch so that we can do MAC authentication in monitor mode (without having to set "authentication open" on the switch)? We don't want to change the switch every time we need to change from monitor mode to enforce mode; we would like to change from monitor to enforce mode on ClearPass (without changing the switch), if possible.


    Please help.

    Thanks,

    Yl



  • 2.  RE: Clearpass - monitor mode with Cisco 3560 switch

    EMPLOYEE
    Posted Oct 17, 2017 09:22 AM

    There are several options here. I would not use monitor mode...begin with enforce mode on ClearPass and then just have a statement in line 1 of your enforcement policy to "allow access". Then when you are ready, you can gradually move this line down the list until you capture all your use cases. Alternatively, you can group devices and write services with or without enforcement options and move your switches from a "test" group to a "production" group mapping to two different services.



  • 3.  RE: Clearpass - monitor mode with Cisco 3560 switch

    MVP
    Posted Feb 15, 2019 09:37 AM

    We are doing this same process; we cannot use monitor mode because we have to return multiple VLAN names in the RADIUS responses, not just a RADIUS Accept.

    We created two MAC auth services and two separate Network Device Groups. The first service is our "Open" policy, meaning the Role Mapping is exactly the same, but the enforcement has no Deny conditions. The second service is our "Strict" policy, meaning we do start enforcing NAC more aggressively through the Enforcement Policy. All I do is take a device out of the "Open" policy group and add it to the "Strict" policy group when I want to cut it over.

    The only thing I can say is, if you're doing 802.1X authentication too, make sure the end-user devices are set up properly. We ran into a bunch that did not validate the RADIUS server certificate properly, so even though my policy didn't reject them, the device failed authentication. To get around this, we started using the "auth-fail VLAN" condition on the switch ports to still allow it to bounce into the production VLAN. When we did the Strict enforcement, we would just change that from production to quarantine using the interface range command.
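To put the switch-side pieces of this thread in one place, here is an added example (not from the original posts, and not from the HPE or Cisco setup guide linked above) of the two port states being discussed on a Cisco IOS access switch such as the 3560: the monitor-mode port with `authentication open`, where the port forwards traffic regardless of the RADIUS result and ClearPass only records the ACCEPT or REJECT in Access Tracker, next to the enforcing (closed) port whose auth-fail VLAN has been moved from production to quarantine as the third reply describes. The interface ranges, VLAN numbers and RADIUS server address are constructed placeholders.

```cisco
! Added example (constructed). Interface ranges, VLAN IDs and the server
! address are placeholders; the shared secret must be replaced.
! ---- Global AAA / RADIUS settings, shared by both port states ----
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 192.0.2.10 key PLACEHOLDER_SHARED_SECRET
radius-server vsa send authentication
dot1x system-auth-control
!
! ---- State 1: monitor mode ----
! "authentication open" lets traffic flow before and regardless of the
! RADIUS result, so a REJECT from ClearPass is logged but not enforced.
! The auth-fail VLAN is the production VLAN (10), so a client whose
! 802.1X supplicant fails certificate validation still lands in production.
interface range GigabitEthernet0/1 - 12
 switchport mode access
 switchport access vlan 10
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action authorize vlan 10
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! ---- State 2: enforce mode (after cut-over) ----
! "no authentication open" closes the port until RADIUS returns ACCEPT,
! and the auth-fail VLAN is moved from production (10) to quarantine (99).
interface range GigabitEthernet0/13 - 24
 switchport mode access
 switchport access vlan 10
 no authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action authorize vlan 99
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

With this layout the switch-side cut-over is the `interface range` change from state 1 to state 2, paired with moving the switch between the "Open" and "Strict" Network Device Groups on ClearPass as the replies describe; before closing a range, check in Access Tracker that each endpoint on it already shows ACCEPT with the VLAN you expect, since a REJECT that was harmless in open mode becomes a blocked port in closed mode.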