Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Network subnetting and Clearpass

  • 1.  Network subnetting and Clearpass

    Posted Dec 29, 2015 05:10 AM

    We're currently working on a project to introduce subnetting/VLANs (or network segmenting, if you want) for end-user networks. I would like to pick other people's brains for implementation scenarios...

    To put it in perspective, we currently use one VLAN for company employees (wired and wireless is the same network), and one VLAN for guests. We use ClearPass on the guest network for authentication. An employee currently has a Symantec certificate which is authenticated against a Windows Network Policy Server.

    We would like to further segment the employee network. Let's assume we want to segment this according to the building you're in (works for wired networking, but for mobile users...). And/or depending on who you are. A manager, for example, would end up in VLAN A, an employee in building A ends up in VLAN B, an employee in building B in VLAN C, etc...

    Of course, we do not want to go the way of creating multiple SSIDs :-)

    802.1X might be an option here...

    Is it possible to create a scenario where an employee uses ClearPass as a gateway for authentication, and is pushed into a specific VLAN depending on the role he/she gets? The NPS server does not have a means to target a specific VLAN. So the decision of which user needs to end up where needs to come from ClearPass? Which queries Active Directory for, e.g., group membership?

    Anyone implemented such a setup and can provide some guidelines?



  • 2.  RE: Network subnetting and Clearpass

    EMPLOYEE
    Posted Dec 29, 2015 06:24 AM

    Yes, this sort of thing is pretty standard to set up. If you need different access depending on group membership, then it has to be dot1x.

    You could have them all with different roles, with the respective VLAN mapped to each role on the controller.

    Or you could return an 'aruba-user-vlan' attribute in the enforcement.

    Create a role mapping similar to this.

    [image: Snip20151229_1.png]

    And then the enforcement similar to this.

    [image: Snip20151229_2.png]

    There are a few different ways to achieve what you want and the above is just one example, but hopefully you can see the logic. Just change the values to suit your environment.



  • 3.  RE: Network subnetting and Clearpass

    EMPLOYEE
    Posted Dec 29, 2015 08:37 AM

    @pnobels wrote: (original post quoted in full; see post 1 above)

    You definitely should have wired and wireless clients in different VLANs. That way you can enforce separate policies for both, if necessary. Also, wired users generate a lot of broadcast traffic that wireless users typically cannot tolerate if broadcast filtering is not used. If you ever had to turn off broadcast filtering for whatever reason, the wireless could become unusable if you have both wired and wireless users in the same LAN.

    You are correct: you want as few SSIDs as possible. You would typically have an encrypted SSID for employees, one Captive Portal SSID for guests, and optionally one SSID for devices that can only use preshared keys. Each SSID should only consume one VLAN at a campus. You could use pooling if you want more IP address space.

    Creating different VLANs based on who they are unnecessarily complicates things and wastes IP address space. It also makes troubleshooting and expanding your network more difficult. You would typically have a single VLAN for employees on a campus if possible; that way, instead of using a whole /24 for a single building, that or a /23 can be shared between users in multiple buildings and more of the subnet would be utilized.

    802.1X is the most flexible mechanism because the user obtains the IP address AFTER successful authentication. That means your user is not stuck in the same VLAN like Captive Portal. Like Michael_Clarke said, you can use ClearPass to return a different VLAN and Role when authentication is successful. To be clear, you can also do this with NPS, but it is more difficult...

    Keep asking questions about your deployment and others on the forums here will give you real-world answers that will get you to where you need to go.

    Happy Holidays...
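The flow both replies describe (802.1X request, role mapping on AD group membership or switch location, enforcement returning the VLAN), as an added example that is not part of this thread and not ClearPass code: a small Python model of the policy logic. Group names, NAS addresses, role names and VLAN IDs are made-up sample values; the Aruba-User-Role/Aruba-User-Vlan keys stand in for the VSAs named in the thread and are not a wire encoding.

```python
# Added example: models ClearPass role mapping + enforcement for dynamic VLAN
# assignment. All names, addresses and VLAN IDs are constructed sample values.
from dataclasses import dataclass


@dataclass
class Request:
    """The parts of an 802.1X Access-Request the policy looks at."""
    username: str
    ad_groups: set      # groups ClearPass read from Active Directory (sample)
    nas_ip: str         # the switch/controller that sent the request (sample)


# Role-mapping rules, evaluated top to bottom, first match wins
# (ClearPass can also evaluate all rules; first-match keeps this short).
ROLE_MAPPING = [
    ("AD group Managers", lambda r: "Managers" in r.ad_groups, "manager"),
    ("NAS in building A", lambda r: r.nas_ip.startswith("10.1."), "employee-bldg-a"),
    ("NAS in building B", lambda r: r.nas_ip.startswith("10.2."), "employee-bldg-b"),
]

# Enforcement: role -> VLAN ID. A role with no entry is not granted access,
# so an unexpected user never silently lands in a default VLAN.
ENFORCEMENT = {"manager": 100, "employee-bldg-a": 110, "employee-bldg-b": 120}


def map_role(req):
    """Return the first role whose rule matches the request, or None."""
    for _name, predicate, role in ROLE_MAPPING:
        if predicate(req):
            return role
    return None


def enforce(req):
    """Build the RADIUS reply the enforcement profile would return."""
    role = map_role(req)
    if role is None or role not in ENFORCEMENT:
        return {"code": "Access-Reject"}
    vlan = ENFORCEMENT[role]
    # Standard IETF attributes for dynamic VLAN assignment (RFC 3580):
    # Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802,
    # Tunnel-Private-Group-ID = the VLAN ID as a string.
    return {
        "code": "Access-Accept",
        "Tunnel-Type": 13,
        "Tunnel-Medium-Type": 6,
        "Tunnel-Private-Group-ID": str(vlan),
        "Aruba-User-Role": role,   # VSA the controller maps to a local role
        "Aruba-User-Vlan": vlan,   # VSA mentioned in the reply above
    }
```

A manager connecting in building B still gets the manager VLAN because the group rule is listed first; a user matching no rule is rejected rather than placed in a fallback VLAN.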