Advanced ClearPass Workshop
Download as PPTX, PDF0 likes3,313 views
The document outlines an agenda for an Aruba Networks workshop on advanced ClearPass network security. The agenda includes sections on using ClearPass for wired and wireless network access control (NAC), TACACS+ device authentication, and bringing your own device (BYOD) integration using Onboard for certificate provisioning. Monitoring and troubleshooting ClearPass deployments is also discussed.
Advanced ClearPass Workshop
- 1. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Advanced ClearPass - Workshop Ashwath Murthy June 2014
- 2. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Agenda • Discover Monitor Secure • Network Security with ClearPass • Deploying NAC with OnGuard – Wired & Wireless NAC – NAC – Best Practices • TACACS+ for Network Device Security • BYOD with Onboard • Monitoring & Troubleshooting
- 3. Network Security with ClearPass
- 4. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Discover Monitor Secure • Discover – Discover via profiling • DHCP • Non-DHCP • Monitor – Enable policies in “Monitor” Mode • Secure – Secure Wireless, Wired and VPNs
- 5. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Network Security – Wired & Wireless • Strong Security with 802.1X – Enterprise Users – Need for strong, session-driven security • Captive Portals for Guest Access – Transient users such as Guests, Contractors – Limited network access zones – Weaker security settings • BYOD with unique credentials – Employee BYO Devices – Non-IT assets
- 6. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Network Security – Wired & Wireless • Authenticate & Authorize – Certificates – UserID/Password – Tokens/OTP
- 7. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Network Security – Wired • Enable 802.1X on access ports • Allow fall-back to less secure modes of access – Limit network access • Segregate responsibilities – Aruba Roles – VLANs – ACLs/dACLs – Upstream enforcement with L3-L7 firewalls such as Palo Alto
- 8. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Network Security – Wired • But I have older switches that do not support 802.1X! • Use SNMP to enforce port status – Set VLANs and Session-Timeout values – “Bounce” a port – Send LinkUp/LinkDown and MAC Notification Traps to ClearPass
- 9. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Network Security – Wired • How will ClearPass set VLANs using SNMP? – Using the standard If-MIB • SNMP VLANs and MAC Authentication? What!? – Redirect the user to a captive portal after MAB – Authenticate & Authorize with the captive portal
- 11. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Wireless – Enterprise • Enable 802.1X – WPA/WPA2 Enterprise – Session-based keys for secure connectivity – Terminate EAP on ClearPass – infrastructure is EAP- agnostic – Consistent user experience and security practice across deployments
- 12. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Wireless – Guest • Enable Guest Access/MAC Authentication – This can be combined with a WPA/WPA2 Passphrase – Networks are inherently open unless secured! – Strong access restrictions • Tunneled VLANs • Stateful ACLs • DPI/Application Monitoring
- 13. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Wireless – BYOD • What about BYO Devices? • BYO Devices on the enterprise network – Deliver certificates to BYO Devices using Onboard – Segregate responsibilities by identifying BYO Devices – Control device life cycle • BYO Devices on the guest network – Devices use a segregated guest network – Limited network access – Challenges with device life cycle
- 14. NAC is Back, Baby!!!
- 15. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved NAC • Agent Types – Persistent/Dissolvable • Posture Assessment – Windows, Mac, Linux – Agent Types – Health Check Options • Enforcement Options – Role-based – Application-based – To remediate, or not to remediate? • Wired NAC vs. Wireless NAC • NAC for VPN • Best Practices, Thoughts
- 16. TACACS+ for Network Devices
- 17. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved TACACS+ • TACACS+ Authentication – Console, Shell, UI Login • TACACS+ Authorization – Command Authorization – Command Levels • TACACS+ Accounting – Accounting & Audit Trails – Authorization vs. Accounting • Vendor Specifics – TACACS+ Dictionaries
- 19. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved BYOD with Onboard • CA Settings – Stand-alone CA – Intermediate CA – ADCS • Configuration Payloads – iOS & Mac OS X – Microsoft Windows – Android • Provisioning Settings – TLS? PEAP-MSCHAPv2? – Security Settings – Certificate Renewal
- 21. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Monitoring & Troubleshooting • Monitoring on ClearPass – Access Tracker • Alerts Tab • Accounting Tab • “Show Logs” – Analysis & Trending • Drill Down – Policy Simulation – Authentication Simulation – Insight
- 22. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Monitoring & Troubleshooting • External Monitoring – SIEM with Syslog/APIs – SNMP – SQL Access
- 23. #AirheadsLocal