Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass to Offload CPSEC Whitelist

  • 1.  Clearpass to Offload CPSEC Whitelist

    Posted Oct 02, 2018 01:54 PM

    I am trying to offload CPSEC for CAPs to ClearPass. I have been successful in getting APs to authenticate against ClearPass using the Endpoint database, but I am trying to figure out how this will scale. 

    The AP only appears to authenticate when it boots the first time, otherwise I see no authentication events in access tracker. 

    How do I setup cleaning so I don't remove endpoints in the endpoint db that are still in use? Is there a better option than endpoint database? I would like to have self cleaning functionality, say an AP is down for a month, I no longer want to keep it in the database. 



    I saw another method to accomplish what I'm doing using local users, this doesn't seem like it's overly scalable to my size since I have over 20k APs. 

    https://community.arubanetworks.com/t5/Security/Tutorial-Offload-RAP-WhitelistDB-to-Clearpass/td-p/225975



    This is a lab build currently where I have only 1 AP. I've seen with cleaning on it deletes the endpoint and the AP is no longer able to stay online.

    I have manually set an Endpoint with custom attributes to specify ap-name and ap-group. 

    Is there a better way? Is there a method that can be used to let the database self clean without destroying my active AP records? 

     



  • 2.  RE: Clearpass to Offload CPSEC Whitelist
    Best Answer

    EMPLOYEE
    Posted Oct 02, 2018 02:11 PM

    Only Remote APs and Instant APs connecting via IAP-VPN authenticate every time they come up.  Campus APs with CPSEC only check whether or not they have a certificate issued by the existing controller structure.  After that, they just use the certificate to secure their connection afterwards.  So ClearPass would only be practical for Remote APs and Instant APs using IAP-VPN.

     

    An alternate solution would be to synchronize ClearPass with Activate (it should have all of your access points that are purchased) to authorize any access points that are  added to your network:

    [screenshot: Screenshot 2018-10-02 at 13.08.33.png]

     

    Again, this will only work for Remote APs, and new Campus APs.  You would have to make sure that all of the access points that you order already appear in Activate.  The main benefit of this would be if it is easier for you to manage all your access points in Activate and ClearPass, instead of in the controller's interface if you have multiple master/local "clusters".

     

    I don't know if that is the information you wanted..
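    The behaviour described in the answer above has a direct consequence for the endpoint-cleanup question in the original post: a "not seen for N days" rule is only safe for endpoint categories that actually re-authenticate (Remote APs, Instant APs over IAP-VPN), because a CPSEC Campus AP produces no further Access Tracker events after its first boot and would always look stale. The following is an added example (not code from the thread or from HPE Aruba) that encodes that distinction in a cleanup planner. The records, the custom attribute names (`ap-type`, `ap-name`, `ap-group`), the MAC addresses and the timestamps are all constructed for the example; how you export endpoints from ClearPass and delete them is outside its scope.

```python
"""Stale-endpoint cleanup that respects AP types that never re-authenticate.

Added example, not code from the forum thread or from HPE Aruba.  It models
the behaviour stated in the thread: Remote APs and Instant APs over IAP-VPN
authenticate against ClearPass every time they come up, while Campus APs
with CPSEC authenticate once and then rely on their certificate.  A cleanup
rule based on "last authenticated" is therefore safe for RAP/IAP records but
would delete every working CAP record.

All endpoint records, attribute names and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Endpoint categories that re-authenticate whenever they come up.
REAUTH_TYPES = {"rap", "iap-vpn"}
# Category that authenticates once and then relies on its CPSEC certificate.
ONE_SHOT_TYPES = {"cap"}


@dataclass
class Endpoint:
    mac: str
    last_auth: datetime                 # last Access Tracker hit (constructed)
    attributes: dict = field(default_factory=dict)  # custom attrs (assumed names)


def is_stale(ep, now, max_age):
    """True only when a record can be cleaned without cutting off a live AP.

    The age test is applied only to types known to re-authenticate; a CAP's
    last_auth is its first boot, so age tells us nothing about whether it is
    still in service.  Unknown types are kept rather than deleted on a guess.
    """
    ap_type = ep.attributes.get("ap-type", "").lower()
    if ap_type in ONE_SHOT_TYPES:
        return False
    if ap_type not in REAUTH_TYPES:
        return False
    return now - ep.last_auth > max_age


def plan_cleanup(endpoints, now, max_age=timedelta(days=30)):
    """Split endpoints into (delete, keep) lists, preserving input order."""
    delete, keep = [], []
    for ep in endpoints:
        (delete if is_stale(ep, now, max_age) else keep).append(ep)
    return delete, keep


# Constructed sample data: one stale RAP, one recent RAP, one old CAP that is
# still on the air via its certificate, and one record with no type attribute.
NOW = datetime(2018, 10, 2, 14, 0, tzinfo=timezone.utc)
SAMPLE_ENDPOINTS = [
    Endpoint("02:00:5e:00:00:01", NOW - timedelta(days=45),
             {"ap-type": "rap", "ap-name": "rap-home-01", "ap-group": "remote"}),
    Endpoint("02:00:5e:00:00:02", NOW - timedelta(days=2),
             {"ap-type": "rap", "ap-name": "rap-home-02", "ap-group": "remote"}),
    Endpoint("02:00:5e:00:00:03", NOW - timedelta(days=200),
             {"ap-type": "cap", "ap-name": "cap-bldg1-01", "ap-group": "campus"}),
    Endpoint("02:00:5e:00:00:04", NOW - timedelta(days=100), {}),
]


def stale_macs(endpoints=SAMPLE_ENDPOINTS, now=NOW, max_age=timedelta(days=30)):
    """Convenience wrapper returning the sorted MACs the planner would delete."""
    delete, _ = plan_cleanup(endpoints, now, max_age)
    return sorted(ep.mac for ep in delete)


if __name__ == "__main__":
    delete, keep = plan_cleanup(SAMPLE_ENDPOINTS, NOW)
    for ep in delete:
        print("DELETE", ep.mac, ep.attributes.get("ap-name", "?"))
    for ep in keep:
        print("KEEP  ", ep.mac, ep.attributes.get("ap-name", "?"),
              ep.attributes.get("ap-type", "untyped"))
```

Run against the constructed sample, only the Remote AP unseen for 45 days is scheduled for deletion; the Campus AP record is kept despite a 200-day-old timestamp, and the untyped record is kept because the planner refuses to delete on a guess. In practice the `ap-type` value has to come from something you control (a custom endpoint attribute set when the record is created, as the original poster already does for `ap-name` and `ap-group`), otherwise every record falls into the "unknown, keep" bucket and nothing is ever cleaned.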



  • 3.  RE: Clearpass to Offload CPSEC Whitelist

    EMPLOYEE
    Posted Oct 02, 2018 02:18 PM

    FYI: Please test this in a lab with a test ClearPass Cluster, so that you do not corrupt any of your existing production data while testing.



  • 4.  RE: Clearpass to Offload CPSEC Whitelist

    Posted Oct 02, 2018 02:26 PM

    That is helpful and explains what I am seeing! That makes sense. 

    Thank you for pointing me in the correct direction. I don't know that we want to sync that way, but it changes the approach I will take. 



  • 5.  RE: Clearpass to Offload CPSEC Whitelist

    Posted Oct 02, 2018 02:24 PM

    Here are some photos depicting my ClearPass setup.

    [screenshot: CPSEC Enforcement Profile]
    [screenshot: CPSEC Service]
    [screenshot: RADIUS ACCEPT Output]