Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Seeking Wireless Security Advice from the Aruba Veterans

  • 1.  Seeking Wireless Security Advice from the Aruba Veterans

    Posted Jun 12, 2014 03:38 PM

    Hey Gang,

     

    Currently we are in the beta stages of deploying ClearPass. I have a wireless sandbox of sorts for testing. The goal is full access for employees to the production side of the network via secured wireless. To that end we have set up 802.1x PEAP with AES enterprise encryption (WPA2). We are not using self signed certs. We have installed a Comodo cert and got the full chain of trust finally conquered. (Big thanks to Dave Dipert from DNS for all the CPPM help)

     

    Long story short, user connects, gets asked to accept the cert, user accepts and then is asked for AD credentials, user authenticates, all is good in the universe. (so far testing has been right on target)

     

    I want to put this security to the test. We here at Cape Fear Community College have several CEH's (Certified Ethical Hackers) on the faculty (and they usually work for IT Services over the summer so they are essentially staff too) and they have agreed to break all of their demonic Wi-Fi breakers and put the thumbscrews to my Secure Wireless environment.

     

    I realize the only real step up left on the actual network would be to move to EAP/TLS but we are not sure if we want to move to the added expense of provisioning for that. So the question is, is there anything else I can put in place that would help keep this secure from the diabolic CEH's? Any suggestion on WIPs settings? Any other tricks you may have picked up that could be used?

     

    I do plan on formally reporting the results of the lab and can make a more generic version available to anyone interested in the final results. As always, any help and advice is greatly appreciated!



  • 2.  RE: Seeking Wireless Security Advice from the Aruba Veterans

    EMPLOYEE
    Posted Jun 12, 2014 05:26 PM

    American McNeill,

     

    ----security conscious talk begin-------

    I want to say that what will improve your security posture is always specific to you, your organization, or your users.  There is always a security regimen that cannot be adopted because X Vice President or Y Director cannot be bothered.  Or, users do not have enough training so that super secure supplicant that you wanted to use is too hard to implement.

     

    While everyone can put strategies that you can use on a public forum here, people who hack, ethically or not, have access to the same information.  The best answer is to have a security consultant review what your organization is doing and suggest something that will work out for all of your users and your organization.

     

    ----security conscious talk end---------

     

    With that being said, I would use the device registration capability within ClearPass to make everyone register the mac address of their device in the endpoint database before authenticating.  During the registration, the username would be associated with an endpoint, so that only users who have registered their devices can authenticate successfully with 802.1x, which will compare the mac address of a device that wants to authenticate with the username in the endpoint record.  If the mac address is not in the endpoint database, a successful 802.1x authentication will earn them a trip to the mac registration page.  If the mac address exists in the endpoint database but the username does not match in the endpoint database record, do not allow them to get on via 802.1x.
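    The enforcement logic described in the reply above, written out as an added example (this is illustrative Python, not ClearPass code or anything from the original post). It assumes a constructed endpoint table of normalized MAC addresses mapped to the registering username, hypothetical role names, and that the RADIUS Calling-Station-Id may arrive in any of the common MAC formats, so it normalizes before the lookup. Stripping a DOMAIN\ prefix or @realm from the username is also an assumption about how the registration stored the name.

```python
"""Added example: model the MAC-registration check a policy engine would apply
after a successful 802.1X authentication. Not ClearPass code."""
import re
from typing import Dict, Optional

# Constructed endpoint database (hypothetical): normalized MAC -> registered username.
ENDPOINTS: Dict[str, str] = {
    "001122334455": "jdoe",
    "aabbccddeeff": "asmith",
}

# Hypothetical enforcement role names, not ClearPass defaults.
FULL_ACCESS = "Employee-Full-Access"
REGISTER = "MAC-Registration-Portal"
DENY = "Deny-Access"


def normalize_mac(mac: str) -> Optional[str]:
    """Collapse Calling-Station-Id formats to 12 lowercase hex digits.

    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and 001122334455.
    Returns None when the value does not contain exactly 12 hex digits, so a
    malformed attribute never matches an endpoint by accident.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return digits if len(digits) == 12 else None


def normalize_user(user: str) -> str:
    """Strip DOMAIN\\ prefix and @realm suffix so both forms match the stored name
    (assumption: registration stored the bare sAMAccountName, lowercased)."""
    user = user.split("\\")[-1]
    return user.split("@")[0].lower()


def enforcement_role(username: str, calling_station_id: str,
                     endpoints: Dict[str, str] = ENDPOINTS) -> str:
    """Decide the post-authentication role for a successful 802.1X user.

    - unknown MAC                      -> send to the registration page
    - MAC registered to another user   -> deny
    - MAC registered to this user      -> full access
    """
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return DENY  # refuse rather than guess on a malformed Calling-Station-Id
    registered = endpoints.get(mac)
    if registered is None:
        return REGISTER
    if registered != normalize_user(username):
        return DENY
    return FULL_ACCESS


if __name__ == "__main__":
    # Constructed sample requests: (User-Name, Calling-Station-Id)
    samples = [
        ("jdoe", "00:11:22:33:44:55"),        # registered device, matching user
        ("CFCC\\jdoe", "00-11-22-33-44-55"),  # same, domain-prefixed username
        ("asmith", "0011.2233.4455"),         # jdoe's device, different user
        ("jdoe", "aa:bb:cc:dd:ee:00"),        # never registered
        ("jdoe", "not-a-mac"),                # malformed attribute
    ]
    for user, mac in samples:
        print(f"{user:12} {mac:20} -> {enforcement_role(user, mac)}")
```

    The ordering matters: the MAC lookup happens only after 802.1X has already succeeded, so an attacker who merely spoofs a registered MAC still has to present valid credentials for the user that registered it, and a valid user on an unregistered device only ever reaches the registration portal.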

     

     



  • 3.  RE: Seeking Wireless Security Advice from the Aruba Veterans

    Posted Jun 12, 2014 05:31 PM

    ----security conscious talk begin-------

     

    Understood and thanks!

     

    ----security conscious talk end-------

     

    Isn't device registration part of Onboarding? or is that a separate deal-e-o?



  • 4.  RE: Seeking Wireless Security Advice from the Aruba Veterans

    EMPLOYEE
    Posted Jun 12, 2014 06:27 PM

    It is not part of Onboarding.  Please take a look at the ClearPass Guest User Guide 6.3.x here: http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=8277 and search for "Creating Devices During Self-Registration" (MACTrac).