802.1X for secure access to the corporate network

802.1X is an IEEE standard for port-based network access control: it authenticates a user or device before the switch port or wireless association is allowed to carry traffic. It applies to devices attaching to either a wired LAN or a wireless LAN.

For fine-grained control, a single policy can use attributes from multiple identity stores across domains, such as Microsoft Active Directory, LDAP-compliant directories, ODBC-compliant SQL databases, token servers and ClearPass's internal databases.

What is achieved from the solution

  • 802.1X provides authenticated network access. An organization handling valuable or sensitive information needs to know who and what is on its network before any traffic is forwarded. 802.1X lets devices authenticate to the access point or switch that admits them, and on wireless networks the keying material derived during EAP authentication is what secures the link (WPA2/WPA3-Enterprise).
  • 802.1X provides greater visibility into the network because the authentication process provides a way to link a username with an IP address, MAC address, switch, and port. This visibility is useful for security audits, network forensics, network use statistics, and troubleshooting.
  • Attributes returned from an authentication server can be used to place users into roles.

Workflow

Solution Explained

  • An employee connects to the wireless network from a laptop and an 802.1X EAP-PEAP authentication begins automatically.
  • EAP-PEAP (Protected EAP) is the method used between the client (supplicant) and ClearPass: the client first builds a TLS tunnel to the server, and the user name and password (typically via MSCHAPv2) are exchanged only inside that tunnel. The network device relays the EAP frames but cannot read the credentials.
  • The client's EAP messages are sent to the network device (access point or switch).
  • The network device wraps each EAP message in a RADIUS Access-Request packet (EAP-Message attributes) and sends it to the ClearPass Policy Manager server; RADIUS Access-Challenge packets carry the server's EAP messages back to the client.
  • RADIUS is the protocol the network access device (NAD) authenticator uses to communicate with ClearPass. ClearPass validates the credentials against its configured authentication source, which in this example is Active Directory.
  • The ClearPass Policy Manager server checks Active Directory for a matching user name and password.
  • If there is no match, ClearPass sends an Access-Reject to the network device and the employee is denied access to the network.
  • If there is a match, ClearPass sends an Access-Accept to the network device and the employee is granted access. The Access-Accept can carry attributes (VLAN, user role) that the network device uses to enforce the policy.
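The RADIUS leg of that exchange, as an added example that is not part of the original page and not Aruba code: it builds the Access-Request a NAD would send for the client's first EAP message, shows that no User-Password attribute exists (with PEAP the credentials are inside the EAP/TLS data), and verifies the server's reply on both the Response Authenticator (RFC 2865) and the Message-Authenticator that RFC 3579 requires whenever EAP is carried. The shared secret and Request Authenticator are constructed values; a real NAD draws the Request Authenticator at random.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_PORT_TYPE = 1, 2, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19


def attr(atype, value):
    """Encode one attribute as type, length (header included), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def iter_attrs(pkt):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    off = 20
    while off + 2 <= len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("malformed attribute")
        yield atype, off + 2, pkt[off + 2:off + alen]
        off += alen


def eap_response_identity(eap_id, identity):
    """EAP Response/Identity: code 2, identifier, length, type 1, identity."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def eap_success(eap_id):
    """EAP Success: code 3, identifier, length 4."""
    return struct.pack("!BBH", 3, eap_id, 4)


def _message_authenticator(pkt, authenticator, secret):
    """RFC 3579 3.2: HMAC-MD5 over the packet with `authenticator` in the
    Authenticator field and the Message-Authenticator value zeroed.
    Returns (value_offset, digest), or (None, None) if the attribute is absent."""
    for atype, voff, _ in iter_attrs(pkt):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:4] + authenticator + pkt[20:voff] + bytes(16) + pkt[voff + 16:]
            return voff, hmac.new(secret, zeroed, hashlib.md5).digest()
    return None, None


def build_access_request(ident, request_auth, username, eap_payload, secret):
    """NAD -> ClearPass. The EAP frame rides in EAP-Message; with PEAP the
    password is inside the TLS data, so there is no User-Password attribute."""
    attrs = (attr(USER_NAME, username)
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + attr(EAP_MESSAGE, eap_payload)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    voff, mac = _message_authenticator(pkt, request_auth, secret)
    return pkt[:voff] + mac + pkt[voff + 16:]


def verify_access_request(pkt, secret):
    """Server side: an Access-Request carrying EAP must have a valid
    Message-Authenticator; otherwise the server silently discards it."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    voff, mac = _message_authenticator(pkt, pkt[4:20], secret)
    return mac is not None and hmac.compare_digest(mac, pkt[voff:voff + 16])


def build_response(code, request, attrs, secret):
    """ClearPass -> NAD. The Message-Authenticator is computed first (with the
    Request Authenticator in the header), then the Response Authenticator."""
    ident, request_auth = request[1], request[4:20]
    attrs = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    voff, mac = _message_authenticator(hdr + request_auth + attrs, request_auth, secret)
    attrs = attrs[:voff - 20] + mac + attrs[voff - 20 + 16:]
    resp_auth = hashlib.md5(hdr + request_auth + attrs + secret).digest()
    return hdr + resp_auth + attrs


def verify_response(resp, request_auth, secret):
    """NAD side: check the Response Authenticator (RFC 2865 section 3) and the
    Message-Authenticator, which RFC 3579 makes mandatory in replies to EAP."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    if resp[0] not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return False
    voff, mac = _message_authenticator(resp, request_auth, secret)
    return mac is not None and hmac.compare_digest(mac, resp[voff:voff + 16])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed example value
    request_auth = bytes(range(16))         # constructed; a real NAD uses random bytes
    req = build_access_request(7, request_auth, b"alice", eap_response_identity(1, b"alice"), secret)
    print("request Message-Authenticator valid:", verify_access_request(req, secret))
    accept = build_response(ACCESS_ACCEPT, req, attr(EAP_MESSAGE, eap_success(1)), secret)
    print("Access-Accept authentic:", verify_response(accept, request_auth, secret))
```

The shared secret is the only thing protecting these headers, so a NAD that accepts a reply whose Message-Authenticator fails (or is missing) can be fed a forged Access-Accept by anyone who can spoof the server's address; the check above is what prevents that.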

 

BYOD- Bring your own device

ClearPass Onboard automatically provisions and configures personally-owned mobile devices – Windows, Mac OS X, iOS and Android 2.2 and above – enabling them to securely connect to the network in support of BYOD initiatives.

Employees, contractors and partners are automatically given permission to self-configure their own devices. The ClearPass Onboard portal dynamically detects a device’s operating system and guides the user through the appropriate steps.

What is achieved from the solution

  • Enables users to self-register and securely onboard multiple devices
  • Sponsor-based onboarding allows for custom workflows
  • Active Directory and social login credential authentication supported
  • Automates the configuration of network settings for wired and wireless endpoints
  • Unique provisioning and revocation of device-specific credentials and certificates
  • Contains built-in certificate authority specifically for BYOD
  • Uses profiling to identify device type, manufacturer and model
  • Provides BYOD visibility and centralized policy management capabilities

Workflow

 

Solution explained

A centrally-managed administrator portal allows IT to configure device certificates and trust details, network access, VPN, and health check settings, and authentication protocols for wireless and wired networks.

  • The user connects to the onboarding SSID or wired port and the device is redirected to the portal.
  • The user enters credentials on the portal page and is redirected to the Onboard provisioning page to download and run QuickConnect.
  • When the user runs the QuickConnect file, it installs the device certificate and the network profile on the device.
  • After provisioning, the device reconnects using that certificate (typically EAP-TLS) and is placed on the proper network segment.

 

ClearPass Device Profiler Overview

The ClearPass Device Profiler is a ClearPass Policy Manager module that automatically classifies endpoints using attributes obtained from software components called Collectors. Device profiling allows you to gather device type and operating system information by inspecting packets that are sent by these devices in the network.

 

What is achieved from the solution

  • Real-time tracking of devices
  • Device visibility per classification
  • Detailed session information

Solution Explained

A device profile is a hierarchical model consisting of 3 elements – Device Category, Device Family, and Device Name derived by Profile from endpoint attributes. Once devices are classified, you can use them in policies to control access in your network.

Device Category – The broadest classification; it denotes the type of device. Examples: Computer, Smart Device, Printer, Access Point.

Device Family – Subdivides a category, usually by operating system or vendor. Examples: Windows, Linux and Mac OS X are families under the Computer category; Apple and Android are families under Smart Device.

Device Name – Further organizes devices within a family by more granular details such as the OS version.

This hierarchical model provides a structured view of all endpoints accessing the network. Apart from these, Profile also collects and stores

  • IP Address
  • Hostname
  • MAC Vendor
  • Timestamp when device was first discovered
  • Timestamp when device was last seen
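The classification hierarchy and endpoint record described above, as an added example that is not part of the original page and not ClearPass code. It classifies an endpoint from the evidence a DHCP collector and the MAC address provide, keeps the per-endpoint attributes listed above (IP, hostname, MAC vendor, first/last seen), and records how much to trust the result. The fingerprint, vendor-class and OUI tables are constructed stand-ins for the Profiler's database, and the MAC addresses are made up.

```python
from datetime import datetime, timezone

# Constructed tables standing in for the Profiler's fingerprint database.
# DHCP Option 55 (parameter request list) and Option 60 (vendor class) are
# what the DHCP collector sees; the OUI is the first three bytes of the MAC.
DHCP_FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": ("Computer", "Windows", "Windows 10"),
    "1,121,3,6,15,119,252": ("Smart Device", "Apple", "iOS"),
    "1,3,6,15,26,28,51,58,59,43": ("Smart Device", "Android", "Android 10"),
}
VENDOR_CLASSES = {
    "MSFT 5.0": ("Computer", "Windows", None),
    "android-dhcp-10": ("Smart Device", "Android", "Android 10"),
}
OUI_VENDORS = {"AA:BB:CC": "Example Printers Inc", "DE:AD:BE": "Example Phones Ltd"}
VENDOR_PROFILES = {"Example Printers Inc": ("Printer", "Example Printers Inc", None)}


def normalize_mac(mac):
    """Accept aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or AA:BB:..; return AA:BB:CC:DD:EE:FF."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(attrs):
    """Return (profile, confidence, source, mac_vendor); profile is the
    (category, family, name) triple. Precedence: DHCP fingerprint, then DHCP
    vendor class, then OUI. A profile resting on the OUI alone is low
    confidence, because a MAC address is trivially spoofed. When the OUI
    vendor and the DHCP evidence disagree the result is flagged as a conflict."""
    mac = normalize_mac(attrs["mac"])
    vendor = OUI_VENDORS.get(mac[:8])
    oui_profile = VENDOR_PROFILES.get(vendor)

    fp = attrs.get("dhcp_option55")
    vc = attrs.get("dhcp_vendor_class")
    if fp in DHCP_FINGERPRINTS:
        profile, confidence, source = DHCP_FINGERPRINTS[fp], "high", "dhcp-fingerprint"
    elif vc in VENDOR_CLASSES:
        profile, confidence, source = VENDOR_CLASSES[vc], "medium", "dhcp-vendor-class"
    elif oui_profile:
        profile, confidence, source = oui_profile, "low", "oui"
    else:
        profile, confidence, source = ("Unknown", "Unknown", None), "none", None

    if oui_profile and source != "oui" and oui_profile[0] != profile[0]:
        confidence = "conflict"  # e.g. a "printer" MAC whose DHCP looks like Windows
    return profile, confidence, source, vendor


class EndpointDB:
    """Endpoint repository: one record per MAC with the attributes Profile keeps."""

    def __init__(self):
        self.endpoints = {}

    def observe(self, attrs, now):
        """Merge one observation; first_seen is kept, last_seen is refreshed."""
        mac = normalize_mac(attrs["mac"])
        profile, confidence, source, vendor = classify(attrs)
        rec = self.endpoints.setdefault(mac, {"mac": mac, "first_seen": now})
        rec.update({
            "ip": attrs.get("ip", rec.get("ip")),
            "hostname": attrs.get("hostname", rec.get("hostname")),
            "mac_vendor": vendor,
            "category": profile[0], "family": profile[1], "name": profile[2],
            "confidence": confidence, "source": source,
            "last_seen": now,
        })
        return rec


if __name__ == "__main__":
    db = EndpointDB()
    now = datetime.now(timezone.utc)
    rec = db.observe({"mac": "aa-bb-cc-00-11-22", "ip": "10.0.0.5",  # constructed
                      "dhcp_option55": "1,3,6,15,31,33,43,44,46,47,119,121,249,252"}, now)
    print(rec["category"], rec["family"], rec["name"], rec["confidence"])
```

When this record feeds a policy, the "conflict" and "low" confidence values are the ones to act on: a device whose MAC says "printer" but whose DHCP behaviour says "Windows" should not inherit the printer role.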

 

ClearPass Posture Check

ClearPass OnGuard agents perform endpoint posture assessments on the leading desktop operating systems so that compliance is verified before a device is given full network access. Running on the Aruba ClearPass Policy Manager platform, the OnGuard network access control (NAC) framework keeps non-compliant endpoints away from production resources until they are remediated.

What is achieved from the solution

  • Enhanced capabilities for endpoint compliance and control
  • Supports Microsoft, Apple, and Linux operating systems
  • Anti-virus, anti-spyware, firewall checks and more
  • Optional auto-remediation and quarantine capabilities
  • System-wide endpoint messaging, notifications and session control
  • Centrally view the online status of all devices from the ClearPass Policy Manager platform

 

 

Solution Explained

  • The user connects to the network and initially receives limited access.
  • The user is authenticated against the RADIUS server (ClearPass).
  • If authentication succeeds but the PC's health status is unknown or quarantined, the client obtains an IP address from the quarantine VLAN, which allows only restricted access (remediation resources).
  • The OnGuard agent on the PC performs a health check and reports the result to the ClearPass server.
  • If the PC is healthy and complies with the company security policy, the client obtains an IP address from the production VLAN.
  • If the PC is found non-compliant, or has no OnGuard agent installed, it stays in the quarantine VLAN with restricted access until remediation is performed.
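The health decision behind those steps, as an added example that is not part of the original page and not OnGuard code: a constructed policy (antivirus present, running and recently updated; host firewall on; disk encrypted; supported OS) is evaluated against an agent report, an endpoint with no report is treated as unknown and kept in the quarantine VLAN, and a report that is too old is rejected so a client cannot coast on a stale "healthy" result. The report fields, thresholds and VLAN numbers are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy standing in for the health policy configured in Policy Manager.
POLICY = {
    "allowed_os": ("Windows", "macOS", "Linux"),
    "max_definition_age": timedelta(days=7),
    "max_report_age": timedelta(minutes=10),
    "require_firewall": True,
    "require_disk_encryption": True,
}
# Enforcement per health state. UNKNOWN is treated exactly like QUARANTINE:
# an endpoint that has not proven its health gets no production access.
ENFORCEMENT = {
    "HEALTHY": {"vlan": 100, "role": "employee"},
    "QUARANTINE": {"vlan": 999, "role": "remediation-only"},
    "UNKNOWN": {"vlan": 999, "role": "remediation-only"},
}


def assess(report, policy, now):
    """Evaluate one agent health report against the policy.
    Returns (state, reasons). `report` is None when no agent has reported."""
    if report is None:
        return "UNKNOWN", ["no OnGuard agent / no health report received"]
    reasons = []
    if now - report["collected_at"] > policy["max_report_age"]:
        reasons.append("health report is stale")  # never trust an old result
    if report.get("os") not in policy["allowed_os"]:
        reasons.append(f"unsupported operating system: {report.get('os')}")
    av = report.get("antivirus") or {}
    if not av.get("installed"):
        reasons.append("antivirus not installed")
    else:
        if not av.get("running"):
            reasons.append("antivirus not running")
        updated = av.get("definitions_updated")
        if updated is None or now - updated > policy["max_definition_age"]:
            reasons.append("antivirus definitions out of date")
    if policy["require_firewall"] and not report.get("firewall_enabled"):
        reasons.append("host firewall disabled")
    if policy["require_disk_encryption"] and not report.get("disk_encrypted"):
        reasons.append("disk not encrypted")
    return ("HEALTHY" if not reasons else "QUARANTINE"), reasons


def enforce(state):
    """Map the health state to the VLAN and role the network device is told to apply."""
    return ENFORCEMENT[state]


def demo_reports():
    """Constructed health reports in the shape an agent might send: one compliant,
    one with stale definitions and the firewall off. Returns (now, good, stale)."""
    now = datetime.now(timezone.utc)
    good = {
        "os": "Windows",
        "collected_at": now - timedelta(minutes=1),
        "antivirus": {"installed": True, "running": True,
                      "definitions_updated": now - timedelta(days=1)},
        "firewall_enabled": True,
        "disk_encrypted": True,
    }
    stale = dict(good,
                 antivirus={"installed": True, "running": True,
                            "definitions_updated": now - timedelta(days=30)},
                 firewall_enabled=False)
    return now, good, stale


if __name__ == "__main__":
    now, good, stale = demo_reports()
    for name, rep in (("good", good), ("stale", stale), ("no-agent", None)):
        state, reasons = assess(rep, POLICY, now)
        print(name, state, enforce(state), reasons)
```

A health report is a claim made by software on the endpoint, so the decision logic should only be as strong as the agent's own tamper resistance; the quarantine VLAN should still restrict traffic to remediation servers rather than trust the claim.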

 

Aruba ClearPass Guest

ClearPass Guest lets you give customers, contractors and other visitors secure guest access to wireless and wired networks. Whether you have 25 or 25,000 guests, you’ll create a rich guest experience and easily manage visitor access privileges.

ClearPass Guest is a scalable, easy-to-use visitor management solution that delivers secure automated guest access workflows for visitors, contractors, partners, shoppers and fans on wireless and wired networks using any type of mobile device. Self-registration and sponsor involved options ensure credentials and pre-authorized access privileges are enforced for short-term and long-term guests, without putting a heavy burden on IT, receptionists and staff. Once registered, credentials can be delivered via SMS text, email, or printed badges. Accounts can be set to expire automatically after a specified number of hours or days.

What is achieved from the solution

  • Self-registration – highly customizable guest portal provides easy-to-use registration process that also deters unwanted users from requesting access
  • Customizable branding – logos, visual imagery and optional advertisements provide an opportunity to extend company messaging and promotional offers
  • Automated credential delivery – registration process can deliver SMS text, email or printed credentials depending on security requirements
  • Mobile device awareness – captive portal is automatically sized for smart phones, tablets and laptops
  • Social logins – functionality that enables retailers and public venues to gather valuable demographics about guests that opt-in to guest Wi-Fi using Facebook, Twitter credentials
  • Third-party integration – customizable workflows using rest-based API’s for delivering streamlined registration and payment system integration for hospitality and healthcare

 

Solution Explained

  • A device associating to the guest SSID/network device is assigned an initial role (guest-logon role in the example configuration). This initial role allows DHCP, so the client gets an IP address.
  • The user opens a browser and makes an HTTP (or HTTPS) request to some destination (for example, www.bbc.com).
  • The resolver on the device sends a DNS request for the destination. The initial role permits DNS, so the resolver can reach the DNS server.
  • The DNS server replies with the correct address.
  • The resolver hands the browser the IP address from the DNS reply.
  • The browser initiates a TCP connection to port 80 of the www.bbc.com address.
  • The controller intercepts the connection and completes the TCP handshake itself. At this point the browser believes it is talking to the bbc.com server.
  • When the browser sends the HTTP GET for the page, the controller replies that bbc.com has "temporarily moved" (an HTTP redirect) to https://securelogin.arubanetworks.com/[string that identifies client].
  • The browser closes the connection.
  • The browser attempts to connect to https://securelogin.arubanetworks.com/[string that identifies client], but first sends a DNS request for that name.
  • The real DNS server answers that it cannot resolve the name; the controller intercepts that reply and rewrites it so that securelogin.arubanetworks.com resolves to the controller's own IP address. It is critical that the DNS server sends back a reply to the query: the controller only rewrites a reply, so a query that gets no answer leaves the client unable to resolve securelogin.arubanetworks.com.
  • The browser initiates an HTTPS connection to the controller's address, which serves the captive portal login page, where the guest authenticates.
  • After successful authentication the user is assigned the post-authentication role (auth-guest role in the example configuration). This is the default role in the captive portal profile.
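The pre-authentication role and the interception rules above, as an added example that is not part of the original page and not controller code. It models the guest-logon role as an ordered allow-list (DHCP, DNS to the known resolver, HTTP for interception, HTTPS to the controller only, everything else dropped), rewrites a DNS reply for the portal name only when a reply actually exists, and turns an HTTP request into the redirect. The controller and resolver addresses, the session token and the redirect query-string format are constructed placeholders; the controller's real client-identifying string is not shown on the page.

```python
from urllib.parse import urlencode

PORTAL_FQDN = "securelogin.arubanetworks.com"
CONTROLLER_IP = "10.1.1.1"   # constructed
RESOLVER_IP = "10.1.1.53"    # constructed: the resolver handed out by DHCP

# A role is an ordered list of rules (proto, dst_port, dst_ip, action). The
# first match wins; anything unmatched is dropped. None matches anything.
# dst_ip/dst_port are the server side of the session, so a reply is judged
# by the same rule as the request that opened the session.
GUEST_LOGON_ROLE = [
    ("udp", 67, None, "allow"),              # DHCP
    ("udp", 53, RESOLVER_IP, "dns"),         # DNS, only to the known resolver
    ("tcp", 80, None, "intercept-http"),     # HTTP: controller answers with a redirect
    ("tcp", 443, CONTROLLER_IP, "allow"),    # HTTPS to the portal itself
]
AUTH_GUEST_ROLE = [("any", None, None, "allow")]  # post-auth: normal access


def evaluate(role, pkt, session_token):
    """Return (action, detail) for one packet or request under `role`.
    pkt keys (constructed): proto, dst_ip, dst_port; for DNS also dns_qname and
    dns_is_response; for an HTTP request also http_method, http_host, http_path."""
    for proto, port, ip, action in role:
        if proto not in ("any", pkt["proto"]):
            continue
        if port is not None and port != pkt["dst_port"]:
            continue
        if ip is not None and ip != pkt["dst_ip"]:
            continue
        return _apply(action, pkt, session_token)
    return ("drop", None)


def _apply(action, pkt, session_token):
    if action == "allow":
        return ("allow", None)
    if action == "dns":
        # Queries are forwarded untouched. Only a *reply* for the portal name is
        # rewritten; if the real server never answers there is nothing to rewrite
        # and the client cannot resolve the portal.
        if pkt.get("dns_is_response") and pkt.get("dns_qname") == PORTAL_FQDN:
            return ("rewrite-dns-answer", CONTROLLER_IP)
        return ("allow", None)
    if action == "intercept-http":
        if "http_method" not in pkt:
            return ("accept-tcp", None)  # controller completes the handshake itself
        original = f"http://{pkt['http_host']}{pkt.get('http_path', '/')}"
        # Placeholder query string; the real controller uses its own client identifier.
        location = f"https://{PORTAL_FQDN}/login?" + urlencode(
            {"session": session_token, "url": original})
        return ("redirect", location)
    return ("drop", None)


if __name__ == "__main__":
    token = "constructed-session-token"
    get = {"proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 80,
           "http_method": "GET", "http_host": "www.bbc.com", "http_path": "/"}
    print(evaluate(GUEST_LOGON_ROLE, get, token))
    reply = {"proto": "udp", "dst_ip": RESOLVER_IP, "dst_port": 53,
             "dns_qname": PORTAL_FQDN, "dns_is_response": True}
    print(evaluate(GUEST_LOGON_ROLE, reply, token))
```

Two practical notes: the DNS allowance that the portal flow depends on is also a pre-authentication tunnelling path, which is why the example pins it to the DHCP-supplied resolver rather than any port-53 destination; and a browser whose first request is HTTPS (not port 80) cannot be redirected this way without a certificate warning, which is why modern clients probe a plain-HTTP URL to detect captive portals.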

 

MAC Authentication for IoT devices

MAC address authentication is a method used for Network Admission Control (NAC). It controls access based on the access port and the device's MAC address. Because a MAC address is trivially spoofed, it identifies a device but does not prove its identity; it should be reserved for devices that cannot do 802.1X and combined with profiling and a restricted role.

MAC address authentication is applicable to dumb terminals such as printers and other headless devices.

What is achieved from the solution

  • Clients that do not support EAP can be authenticated against ClearPass using MAC authentication.
  • Devices are easy to manage from a static host list.

 

Solution Explained

  • The IoT device's MAC address is added to a static host list on the ClearPass server.
  • The device connects to the MAC-auth SSID or a MAC-auth enabled port; the network device sends the MAC address to ClearPass as the user name in a RADIUS request.
  • Devices on the list gain access to the network; devices that are not on the list are rejected.

 

ClearPass Insight

ClearPass Insight is an application for use with ClearPass Policy Manager that is capable of aggregating data from multiple Policy Manager appliances that contain archived network access logs.

The Insight Search feature lets you search for clients, users, ClearPass servers and network access devices. Customized reports analyze authentication information, device profiling, client health, licensing and posture data, as well as guest and BYOD use cases.

What is achieved from the solution

ClearPass Insight is an advanced application for use with the ClearPass Policy Manager platform to deliver enhanced analytics, in-depth reporting, and significant gains when addressing compliance and regulatory overhead. Custom report templates provide the ability to track detailed authentication records, audit trails, and systematic reports on network-access trends, and to generate reports that are compliant with regulatory and corporate requirements.

  • Consolidated Reporting

Insight is capable of aggregating data from multiple Policy Manager appliances, or external stores, containing archived network access logs. It presents a powerful combination of near real-time analytics, as well as the ability to look into the past to satisfy historical analysis and compliance needs.

  • In-depth Analytics

Insight uses a powerful analytics engine that mines network access logs in order to generate trending report on various parameters. Network managers can utilize these trends to get an overview of authentication and access activity, elaborate client access distribution, load-averages, and analyze authentication traffic flow through various network devices.

  • Alerts

Insight can generate near real-time alerts on anomalous network activity. Network managers can configure alerts based on a number of various parameters. Alerts can be delivered via SMS or e-mail notification to multiple recipients to prompt action.

 

ClearPass OnConnect

Configuring switch ports by hand is tedious, and with more and more devices moving to Wi-Fi there is little reason to keep manually configuring the wired edge. A network should be smart enough to see what is connecting and apply the required policy. Using standards-based SNMP, wired switches can notify ClearPass when a new device has connected. ClearPass then matches the learned MAC address against its profiling data and applies a policy to the port, again over SNMP. OnConnect Enforcement can also use information from Windows Management Instrumentation (WMI) to identify the logged-in user on a domain-joined computer and apply identity-aware enforcement policies.

What is achieved from the solution

ClearPass OnConnect Enforcement enables ClearPass to detect and apply enforcement to endpoints connected to wired switches without the need to enable AAA methods such as 802.1x or MAC Authentication. ClearPass OnConnect allows for non-AAA wired enforcement so that customers can start down the policy and access control path. All devices can be profiled with user based authorization, all with minimal configuration on the switching infrastructure.

 

Solution Explained

  • The endpoint is connected to a port configured for OnConnect Enforcement.
  • The switch sends an SNMP trap to ClearPass with the endpoint's MAC address.
  • ClearPass learns the endpoint's IP address and device details through profiling (for example, from DHCP).
  • ClearPass scans the endpoint (WMI on domain-joined Windows hosts) to identify the logged-in user and other device-specific information.
  • ClearPass triggers a web-based authentication (WebAuth) service for the device.
  • Based on the user and device information, the endpoint can be placed into an appropriate VLAN or its port can be bounced to apply a different policy.

 

TACACS

TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service.

What is achieved from the solution

TACACS+ is used for administrative login to network devices. ClearPass can act as the TACACS+ server for logins to servers, switches, controllers and firewalls, since new TACACS+ dictionaries can be imported into ClearPass and existing dictionaries can be edited as needed.

The TACACS+ protocol provides detailed accounting information and flexible administrative control over the authentication, authorization, and accounting process. The protocol allows a TACACS+ client to request detailed access control and allows the TACACS+ process to respond to each component of that request. TACACS+ uses Transmission Control Protocol (TCP), port 49, for its transport.

Solution Explained

TACACS+ allows effective communication of AAA information between NASs and a central server. The separation of the three AAA functions is a fundamental feature of the TACACS+ design.

Authentication—Determines who a user is, then determines whether that user should be granted access to the network. The primary purpose is to prevent intruders from entering your networks. Authentication uses a database of users and passwords.

Authorization—Determines what an authenticated user is allowed to do. Authorization gives the network manager the ability to limit network services to different users. Also, the network manager can limit the use of certain commands to various users. Authorization cannot occur without authentication.

Accounting—Tracks what a user did and when it was done. Accounting can be used for an audit trail or for billing for connection time or resources used. Accounting can occur independent of authentication and authorization.

Central management of AAA means that the information is in a single, centralized, secure database, which is much easier to administer than information distributed across numerous devices. Both RADIUS and TACACS+ protocols are client-server systems that allow effective communication of AAA information.
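The wire format behind the TACACS+ description above, as an added example that is not part of the original page and not ClearPass code: it builds the 12-byte header, applies the RFC 8907 body obfuscation (an MD5 pseudo-pad keyed on session id, shared key, version and sequence number, XORed over the body), encodes an authentication START for a PAP login, and parses a packet back, refusing a cleartext body when a key is configured so a peer cannot downgrade the exchange. The shared key, session id, user and password are constructed values.

```python
import hashlib
import struct

# RFC 8907 constants.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT, TAC_PLUS_MINOR_VER_ONE = 0x0, 0x1
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN = 1, 2, 1
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5(session_id, key, version, seq_no[, previous hash]),
    chained until `length` bytes are available."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. Applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, minor=TAC_PLUS_MINOR_VER_DEFAULT):
    """Header plus (obfuscated) body. An empty key produces a cleartext packet."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    if key:
        flags, payload = 0, obfuscate(body, session_id, key, version, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(pkt, key):
    """Decode a packet from the wire; refuses a cleartext body when a key is configured."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("not a TACACS+ packet")
    if len(pkt) != HEADER.size + length:
        raise ValueError("length field does not match packet")
    body = pkt[HEADER.size:]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if key:
            raise ValueError("cleartext body but a shared key is configured")
    else:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def authen_start(user, port, rem_addr, password):
    """Authentication START body for a PAP login (RFC 8907 section 5.1):
    action, priv_lvl, authen_type, authen_service, four length bytes, then the fields.
    PAP puts the password in the data field, so the body must never travel in clear."""
    fields = [user.encode(), port.encode(), rem_addr.encode(), password.encode()]
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, *(len(f) for f in fields))
    return fixed + b"".join(fields)


def parse_authen_start(body):
    """Inverse of authen_start; checks that the length bytes account for the whole body."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    out, off = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        out[name] = body[off:off + n].decode("utf-8", "replace")
        off += n
    if off != len(body):
        raise ValueError("START body length mismatch")
    out.update(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service)
    return out


if __name__ == "__main__":
    key = b"constructed-tacacs-key"          # constructed shared key
    body = authen_start("admin", "tty0", "10.0.0.9", "hunter2")  # constructed login
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x11223344, body, key, minor=TAC_PLUS_MINOR_VER_ONE)
    print("on the wire:", pkt.hex())
    print("decoded:", parse_authen_start(parse_packet(pkt, key)["body"]))
```

The pseudo-pad is obfuscation, not encryption: RFC 8907 itself says the mechanism provides no real confidentiality or integrity, and an attacker who captures traffic and knows or guesses the key recovers every administrator password. Keep the TACACS+ path on an isolated management network and use a long, per-device key.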