Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

VLAN Segmentation issues on Clearpass

  • 1.  VLAN Segmentation issues on Clearpass

    Posted Mar 25, 2024 07:50 AM
    VLANs on the switch:
    VLAN 5 (guest)
    VLAN 74 (corporate)
    VLAN 225 (employee)
    VLAN 226 (quarantine)

    How it's supposed to be:
    1) When a user uses domain credentials or local credentials to authenticate, if it's a BYOD device it should stay on VLAN 225.

    If a user uses domain credentials to authenticate, and the user is authenticating with a corporate laptop with the agent on it and the agent reads healthy, it should go to 74.

    If a user has the agent on the corporate laptop and it reads infected, it should go to the quarantine VLAN to remediate.

    Issue:
    When a user authenticates and gets enforced into a certain VLAN (e.g. the employee VLAN, VLAN 225), if the agent now gets installed on the laptop, the posture agent won't be able to communicate with the Aruba on that VLAN. When you now disconnect from that port and plug into a free port on VLAN 74, the agent then communicates with the Aruba and marks the system healthy. When the posture reads healthy and you then authenticate with the right VLAN, it keeps you on 74. If you now fail a posture on purpose, the Aruba will just alert you that you're failing the policy but won't move you to the other VLAN immediately; you'll have to manually disconnect and reauthenticate before it puts you in the right VLAN (quarantine).

    If you're now in the quarantine VLAN and then you remediate by turning on your firewall, the posture won't show healthy because it won't be able to communicate with the Aruba, so it stays there, hence not moving you back to 74 automatically.

    Issue 2: if you use CoA on the Access Tracker to block a device, you'll have to go to the endpoint, look for the device MAC and then change an attribute before it's unblocked.

    Issue 3:
    When a user uses domain credentials and then passes all the policy, instead of the user getting a 74 IP, recently it started getting 150.

    Wireless issue

    All SSIDs are attached to a certain VLAN:
    74 (main)
    225 (emp)
    5 (guest)

    If a user uses the guest SSID to connect, it shows the captive portal and gives you a 5 IP.

    If you use the corp SSID with a user role that states employee, or no posture is available on that system, it gives you an emp IP.

    If you use the corp SSID with no posture, it gives you a 225 IP.

    If you use the corp SSID with posture available and healthy, it gives you a 74 IP.

    These are the correct behaviours.

    Issue:
    1. If you install the agent on the system and you use the corp SSID and the system is healthy, it gives you 74; if you purposely fail, it shows not healthy, but you'll have to disconnect and connect back to that SSID before it gives you a 225 or 226 IP.

    When you enter 225 you won't be able to communicate with the agent.

    2. If you log in with the employee role and you get sent to the employee VLAN and then the posture reads healthy, you will still have the emp VLAN IP until you disconnect and reconnect before it gives you 74.


  • 2.  RE: VLAN Segmentation issues on Clearpass

    EMPLOYEE
    Posted Mar 25, 2024 08:08 AM

    Some generic guidance, as you should work with your Aruba partner to get this properly designed and implemented.

    You probably should not use VLAN switching, better use role switching. Not all clients properly get an IP address in the new VLAN if you switch the VLAN from the network side, as the client may not know.

    Further, if you want to use posture status, make sure OnGuard can communicate with ClearPass regardless of the VLAN the client is in; if clients can be placed in the guest VLAN (depending on the posture status), make sure the communication is possible.

    If ClearPass currently does not respond to changes in Posture (like unknown -> healthy, or healthy -> unhealthy), that is something that can be resolved with the Enforcement policy on the Onguard Webauth service. A disconnect-user or port-bounce (wired) should trigger a new authentication where the new posture status is taken into account.

    The following videos may give you some more guidance on OnGuard deployment.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
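The two points in the reply above (a changed posture result must trigger a CoA so the client re-authenticates, and every VLAN a client can land in must let OnGuard reach ClearPass) can be checked against the design in the first post with a small model. The following is an added example written for this thread; it is not code from either poster, from Aruba or from ClearPass. The VLAN numbers come from the first post; the role names, the `Session` fields, the ACL representation, the ClearPass address and the agent port (TCP 6658) are assumptions made for illustration.

```python
"""Model of the ClearPass posture/VLAN design discussed in the thread.

Constructed example: the VLAN numbers (5, 74, 225, 226) come from the
first post; the role names, the ACL representation, the ClearPass
address and the OnGuard port (TCP 6658) are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# VLANs named in the thread
VLAN_GUEST, VLAN_CORP, VLAN_EMPLOYEE, VLAN_QUARANTINE = 5, 74, 225, 226

# Assumed port the OnGuard persistent agent uses to reach ClearPass.
ONGUARD_PORT = 6658


@dataclass(frozen=True)
class Session:
    domain_creds: bool      # True for domain credentials, False for local
    corporate_device: bool  # False for BYOD
    posture: str            # "healthy", "unhealthy" or "unknown" (no agent yet)
    wired: bool = True


def enforcement(s: Session) -> Tuple[str, int]:
    """Return (role, VLAN) per the design stated in the first post."""
    # BYOD stays on 225 whatever the credentials. Local credentials on a
    # corporate laptop are not covered by the post; treating them like BYOD
    # is an assumption of this model.
    if not s.corporate_device or not s.domain_creds:
        return "employee", VLAN_EMPLOYEE
    if s.posture == "healthy":
        return "corporate", VLAN_CORP          # agent present and healthy -> 74
    if s.posture == "unhealthy":
        return "quarantine", VLAN_QUARANTINE   # agent reports infected -> 226
    return "employee", VLAN_EMPLOYEE           # no posture yet -> 225


def on_posture_change(s: Session, new_posture: str) -> Tuple[Session, Optional[str]]:
    """Re-evaluate enforcement after the agent reports a new posture.

    Mirrors the reply's advice: when the result changes, a port-bounce
    (wired) or disconnect-user (wireless) CoA must be issued so the client
    re-authenticates with the new posture taken into account. Without it
    the client keeps the old VLAN, which is the symptom in the first post.
    """
    updated = Session(s.domain_creds, s.corporate_device, new_posture, s.wired)
    if enforcement(updated) == enforcement(s):
        return updated, None
    return updated, "port-bounce" if s.wired else "disconnect-user"


# Assumed ACL model: per VLAN, the (dst_ip, dst_port) pairs permitted toward
# ClearPass. Constructed to reproduce the poster's symptom: only VLAN 74
# allows the agent to talk back to ClearPass.
CLEARPASS_IP = "10.0.0.10"  # placeholder address, not from the thread
VLAN_ACLS: Dict[int, Set[Tuple[str, int]]] = {
    VLAN_GUEST:      {(CLEARPASS_IP, 443)},
    VLAN_CORP:       {(CLEARPASS_IP, 443), (CLEARPASS_IP, ONGUARD_PORT)},
    VLAN_EMPLOYEE:   {(CLEARPASS_IP, 443)},
    VLAN_QUARANTINE: {(CLEARPASS_IP, 443)},
}


def vlans_without_onguard_reachability(acls=VLAN_ACLS, cp=CLEARPASS_IP) -> List[int]:
    """Every VLAN a posture client can land in must reach ClearPass on the agent port.

    A VLAN listed here can never report 'healthy' from inside it, so a client
    placed there (quarantine, employee, or guest) is stuck until it is moved
    by hand, exactly as described in the thread.
    """
    return sorted(v for v, rules in acls.items() if (cp, ONGUARD_PORT) not in rules)


if __name__ == "__main__":
    wired_corp = Session(domain_creds=True, corporate_device=True, posture="unknown")
    print(enforcement(wired_corp))                  # ('employee', 225)
    s, coa = on_posture_change(wired_corp, "healthy")
    print(enforcement(s), coa)                      # ('corporate', 74) port-bounce
    s, coa = on_posture_change(s, "unhealthy")
    print(enforcement(s), coa)                      # ('quarantine', 226) port-bounce
    print(vlans_without_onguard_reachability())     # [5, 225, 226]
```

Running the script walks one corporate laptop through the states in the first post (no agent, then healthy, then deliberately failed) and shows the CoA action that has to accompany each change; the last line lists the VLANs whose ACL, as modelled here, would leave the agent unable to reach ClearPass, which is the reachability check the reply asks for.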