Workshop on ClearPass from our Airheads Local events.
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Advanced ClearPass - Workshop
Ashwath Murthy
June 2014
Agenda
• Discover, Monitor, Secure
• Network Security with ClearPass
• Deploying NAC with OnGuard
– Wired & Wireless NAC
– NAC – Best Practices
• TACACS+ for Network Device Security
• BYOD with Onboard
• Monitoring & Troubleshooting
Network Security with ClearPass
Discover Monitor Secure
• Discover
– Discover via profiling
  • DHCP
  • Non-DHCP
• Monitor
– Enable policies in “Monitor” Mode
• Secure
– Secure Wireless, Wired and VPNs
Network Security – Wired & Wireless
• Strong Security with 802.1X
– Enterprise Users
– Need for strong, session-driven security
• Captive Portals for Guest Access
– Transient users such as Guests, Contractors
– Limited network access zones
– Weaker security settings
• BYOD with unique credentials
– Employee BYO Devices
– Non-IT assets
Network Security – Wired & Wireless
• Authenticate & Authorize
– Certificates
– UserID/Password
– Tokens/OTP
Network Security – Wired
• Enable 802.1X on access ports
• Allow fall-back to less secure modes of access
– Limit network access
• Segregate responsibilities
– Aruba Roles
– VLANs
– ACLs/dACLs
– Upstream enforcement with L3-L7 firewalls such as Palo Alto
Network Security – Wired
• But I have older switches that do not support 802.1X!
• Use SNMP to enforce port status
– Set VLANs and Session-Timeout values
– “Bounce” a port
– Send LinkUp/LinkDown and MAC Notification Traps to ClearPass
Network Security – Wired
• How will ClearPass set VLANs using SNMP?
– Using the standard IF-MIB
• SNMP VLANs and MAC Authentication? What!?
– Redirect the user to a captive portal after MAB
– Authenticate & Authorize with the captive portal
Wireless Access Security
Wireless – Enterprise
• Enable 802.1X – WPA/WPA2 Enterprise
– Session-based keys for secure connectivity
– Terminate EAP on ClearPass – infrastructure is EAP-agnostic
– Consistent user experience and security practice across deployments
Wireless – Guest
• Enable Guest Access/MAC Authentication
– This can be combined with a WPA/WPA2 Passphrase
– Networks are inherently open unless secured!
– Strong access restrictions
  • Tunneled VLANs
  • Stateful ACLs
  • DPI/Application Monitoring
Wireless – BYOD
• What about BYO Devices?
• BYO Devices on the enterprise network
– Deliver certificates to BYO Devices using Onboard
– Segregate responsibilities by identifying BYO Devices
– Control device life cycle
• BYO Devices on the guest network
– Devices use a segregated guest network
– Limited network access
– Challenges with device life cycle
NAC is Back, Baby!!!
NAC
• Agent Types – Persistent/Dissolvable
• Posture Assessment – Windows, Mac, Linux
– Agent Types
– Health Check Options
• Enforcement Options
– Role-based
– Application-based
– To remediate, or not to remediate?
• Wired NAC vs. Wireless NAC
• NAC for VPN
• Best Practices, Thoughts
TACACS+ for Network Devices
TACACS+
• TACACS+ Authentication
– Console, Shell, UI Login
• TACACS+ Authorization
– Command Authorization
– Command Levels
• TACACS+ Accounting
– Accounting & Audit Trails
– Authorization vs. Accounting
• Vendor Specifics
– TACACS+ Dictionaries
BYOD with Onboard
BYOD with Onboard
• CA Settings
– Stand-alone CA
– Intermediate CA
– ADCS
• Configuration Payloads
– iOS & Mac OS X
– Microsoft Windows
– Android
• Provisioning Settings
– TLS? PEAP-MSCHAPv2?
– Security Settings
– Certificate Renewal
Monitoring & Troubleshooting
Monitoring & Troubleshooting
• Monitoring on ClearPass
– Access Tracker
  • Alerts Tab
  • Accounting Tab
  • “Show Logs”
– Analysis & Trending
  • Drill Down
– Policy Simulation
– Authentication Simulation
– Insight
Monitoring & Troubleshooting
• External Monitoring
– SIEM with Syslog/APIs
– SNMP
– SQL Access
#AirheadsLocal