Minimum requirements to use ClearPass

I would like to know what the minimum requirements are for switches if I would like to use ClearPass, for example for 802.1X and OnGuard.

For example:

If I wanted to use it on a Dell switch that supports 802.1X and I don't find that device under network devices, what happens? What do I put in there? Does this mean ClearPass does not support that switch, or what does this mean to me?

I have just worked with HPE switches and Cisco switches actually, I admit it. We have a client that has some small business switches and would like to use ClearPass, but I'm not sure what happens in this case.

Another example would be Netgear switches.

Thanks


----------------------------------------------------
Project engineer
Moderator

Re: Minimum requirements to use ClearPass

The ClearPass Solution Guide for Wired Policy Enforcement has a section highlighting the protocols/features required for certain workflows.



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Minimum requirements to use ClearPass

It depends on your expectation. ClearPass can do enforcement even with SNMP.

Occasional Contributor II

Re: Minimum requirements to use ClearPass

Hello,

I'm still a novice; what expectation, please?

Re: Minimum requirements to use ClearPass

Minimum as in just authenticating with EAP-PEAP while they get new switches.

Also, I see for example that in devices, the brand of the switches is not there on the list. I guess I can add them with the RADIUS dictionary, so it appears on the list?

----------------------------------------------------
Project engineer
Re: Minimum requirements to use ClearPass

Hi,

For basic username/password authentication, you will need EAP-PEAP; you can also do EAP-TLS, since no extra configuration would be required on the NAS (switches).

For OnGuard, RADIUS Change of Authorization is mandatory if you want to change the user's role or VLAN during post-authentication.

Then comes the requirement to install OnGuard on the client machines. In this case you can either do it manually (through AD GPO etc.) or with some other automation tool. If that is not possible and you want to redirect them to a web page instructing them to download the OnGuard plugin, for this you need Captive Portal redirect.

Can you tell me which Dell switches you are currently working on? I think 15xx and above support web redirect and CoA (need to confirm though).

For Netgear I am not sure, since it's SMB.




ACMP / ACSP / ACCP / ACEP / ACDX # 663
CCIE R/S - 37956
Re: Minimum requirements to use ClearPass

Hi,

Regarding your second query about adding a RADIUS dictionary: you can add the dictionary so that you may pass on the VSA when configuring profiles.

However, if you go to add devices, the new device (for example, Netgear in my case) won't show up just because its dictionary is added.




ACMP / ACSP / ACCP / ACEP / ACDX # 663
CCIE R/S - 37956
Frequent Contributor I

Re: Minimum requirements to use ClearPass

I have had cases where I integrated ClearPass with unmanaged switches, such as TP-Link, which don't even have a GUI.

ClearPass works session-based, and usually Enforcing Profiles and such work in that concept.

In cases where you have switches which do not support 802.1X or MAC-Auth, ClearPass offers the possibility to do SNMP Enforcement.
https://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/Content/CPPM_UserGuide/Enforce/EPSNMP_Based.htm

Also, if you have lots of unmanaged switches, what you can do is place them behind a managed switch and connect the unmanaged ones in cascade, similar to a simple drawing I am posting on here. I had those types of deployments and they work perfectly. Enforcement for connected users on the PC works perfectly, profiling and dACL for cameras and printers work perfectly, etc.

 

IMG1.jpg
