Locking Down Administrative Access

A primary intrusion attack vector used against network devices is the device's administrative console. The ClearPass Admin Web UI and command line interface (CLI) should be made as secure as possible to minimize the chances of a successful compromise.

Management Access Control

Aruba recommends permitting administrative access only from authorized end systems. If the network design permits, separate management and user-facing services (data traffic) by creating a dedicated management network and attaching the ClearPass management interface to that network.

In this type of deployment, the ClearPass management interface provides WebUI and CLI access for server and cluster administration and configuration. The management interface also handles internal cluster (Publisher/Subscriber) communication.

The data interface provides the point of contact for all user-facing services, including authentication and authorization requests using RADIUS, TACACS+ and Web authentication. Data port security is enhanced by restricting the SSH protocol: SSH is not permitted to the data port and is denied by default by the internal firewall rules.

To view management port settings for your Policy Manager server, navigate to Administration > Server Manager > Server Configuration. Select a server from the Servers list, then click the System tab. A portion of the tab is shown below.

Figure 1  Server Config Reflecting Best Practices for Management Port Access

Allowed SSH Modes

A cluster-wide option to accept SSH connections only on the selected cipher mode is available on the General tab at Administration > Server Manager > Server Configuration > Cluster-Wide Parameters. The Allowed SSH Modes drop-down list includes options for AES-CBC (the default value), AES-CTR, AES-GCM, or All.

Figure 2  The Allowed SSH Modes Cluster-Wide Parameters

Restrict Concurrent Admin Logins

When the Allow Concurrent Admin Logins cluster-wide parameter is set to FALSE, and a new user logs in as an admin user, earlier sessions using the same credentials still active on other cluster appliances will automatically be logged out.

Figure 3  The Allow Concurrent Admin Logins Cluster-Wide Parameter
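The session-eviction behaviour described for the Allow Concurrent Admin Logins parameter, modelled as an added example (not ClearPass code): a cluster-wide session store that, when concurrency is disabled, terminates every earlier session for the same admin account on any appliance and returns the evicted sessions so each node can record an audit event. Node names and usernames are constructed.

```python
"""Model of cluster-wide admin session handling with concurrency disabled.

Added illustration, not ClearPass code. Session ids, node names and the
audit-event format are assumptions made for this example.
"""
import itertools


class AdminSessionStore:
    """Tracks active admin sessions across all appliances in a cluster."""

    def __init__(self, allow_concurrent=False):
        self.allow_concurrent = allow_concurrent
        self._sessions = {}            # session_id -> (username, node)
        self._ids = itertools.count(1)
        self.audit_log = []            # constructed audit trail of evictions

    def login(self, username, node):
        """Create a session; return (new_session_id, list_of_evicted_session_ids)."""
        evicted = []
        if not self.allow_concurrent:
            # Earlier sessions using the same credentials are logged out,
            # regardless of which cluster appliance they were opened on.
            for sid, (user, where) in list(self._sessions.items()):
                if user == username:
                    del self._sessions[sid]
                    evicted.append(sid)
                    self.audit_log.append(
                        f"{where}: session {sid} for {user} terminated by new login on {node}")
        sid = next(self._ids)
        self._sessions[sid] = (username, node)
        return sid, evicted

    def logout(self, session_id):
        self._sessions.pop(session_id, None)

    def active(self, username):
        """Return the (session_id, node) pairs currently open for a user."""
        return [(sid, node) for sid, (user, node) in self._sessions.items() if user == username]
```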

Content Security Policy (CSP) Option

When enabled, the Content Security Policy (CSP) option helps reduce the cross-site scripting (XSS) risks in browsers by declaring which dynamic resources can be loaded via an HTTP Header. This setting is disabled by default.

Administrators should be aware that when this parameter is enabled, it can negatively affect any customized HTML code customers might have for skins, captive portals, and self-registration workflows in ClearPass Guest. If the configuration includes customized HTML code that references images, media, scripts, or other resources on servers outside ClearPass, the CSP parameter should not be enabled, or a different approach for accessing these resources should be used.

Figure 4  The Content Security Policy (CSP) Cluster-Wide Parameter
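Before enabling the CSP parameter, an administrator will want to know which external references in customized Guest HTML would be blocked. The following added example (not ClearPass code) scans an HTML template for resource references and reports those a given Content-Security-Policy would not permit. The policy string, the template and the hostname are constructed for illustration; the exact header ClearPass emits when CSP is enabled is not stated on this page, so the sample policy is an assumption.

```python
"""Find external resources in customized HTML that a CSP would block.

Added example, not ClearPass code. The sample policy and HTML are constructed.
Source matching is a simplified approximation of the CSP specification
(handles 'self', '*', host sources, *.wildcards and scheme sources).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Which CSP directive governs a given (tag, attribute) resource reference.
# <link href> is treated as a stylesheet here, which is the common case.
RESOURCE_ATTRS = {
    ("img", "src"): "img-src",
    ("script", "src"): "script-src",
    ("link", "href"): "style-src",
    ("video", "src"): "media-src",
    ("audio", "src"): "media-src",
    ("iframe", "src"): "frame-src",
}


def parse_csp(header):
    """Turn "img-src 'self' https://cdn; script-src 'self'" into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


class ResourceCollector(HTMLParser):
    """Collect (directive, url) pairs for every resource-loading attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            directive = RESOURCE_ATTRS.get((tag, name))
            if directive and value:
                self.refs.append((directive, value))


def origin_allowed(url, sources, own_host):
    """True if a source expression in `sources` permits loading `url`."""
    parts = urlsplit(url)
    if not parts.netloc:                      # relative URL -> same origin
        return "'self'" in sources or "*" in sources
    host = parts.hostname
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            if host == own_host:
                return True
            continue
        if src.endswith(":") and "//" not in src:   # scheme source, e.g. https:
            if parts.scheme == src[:-1]:
                return True
            continue
        src_host = urlsplit(src if "//" in src else "//" + src).hostname
        if src_host and (src_host == host or
                         (src_host.startswith("*.") and host.endswith(src_host[1:]))):
            return True
    return False


def blocked_resources(html, csp_header, own_host):
    """Return [(directive, url)] for references the policy would block."""
    policy = parse_csp(csp_header)
    collector = ResourceCollector()
    collector.feed(html)
    blocked = []
    for directive, url in collector.refs:
        sources = policy.get(directive, policy.get("default-src", []))
        if not origin_allowed(url, sources, own_host):
            blocked.append((directive, url))
    return blocked


# Constructed sample policy and customized-skin HTML (not from ClearPass).
SAMPLE_CSP = "default-src 'self'; img-src 'self' https://cdn.example.net; script-src 'self'"
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png">
<img src="https://cdn.example.net/banner.png">
<script src="https://analytics.example.org/tag.js"></script>
<link rel="stylesheet" href="/css/skin.css">
<video src="https://media.example.org/intro.mp4"></video>
</body></html>
"""

if __name__ == "__main__":
    for directive, url in blocked_resources(SAMPLE_HTML, SAMPLE_CSP, "clearpass.example.com"):
        print(f"blocked by {directive}: {url}")
```

Run it against the real skin or captive-portal templates and the policy you intend to deploy; anything listed must either be moved onto ClearPass or be served from a host the policy names, as the text above advises.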

IPsec Tunnel Support

ClearPass supports IPsec tunnels for the management and data interfaces. IPsec provides encrypted tunnels that guarantee the confidentiality of the communications and the identity of the endpoints. This is critical in high security environments or when the communications path crosses a public network.

To create an IPsec tunnel:

1. Navigate to Administration > Server Manager > Server Configuration.

2. Select the Policy Manager server of interest.

3. From the Server Configuration page, select the Network tab.

4. Click Create IPsec Tunnel.

Figure 5  Creating an IPsec tunnel

Traffic selector rules can be used to control the IPsec tunnel traffic. Selector type options include Encrypt, Drop and Bypass.

Figure 6  Traffic Rule Options for IPsec Tunnels

Application Access Control

ClearPass provides application-level restrictions that can define networks or end systems and allow or deny them access to specific applications. Applications include Policy Manager, OnGuard, Graphite, Guest Operator and Insight. To configure these restrictions, navigate to Administration > Server Manager > Server Configuration, click on the server, go to the Network tab and select the option Application access control. In a cluster, restrictions need to be configured on each server.

Figure 7  Restricting Application Access

In this example only the defined IP Addresses, 192.168.1.12 and 192.168.1.20, will be able to access ClearPass Policy Manager.
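The allow-list behaviour described above, as an added example (not ClearPass code): a small evaluator for application access control rules, using the two addresses from the figure, plus a check that every server in a cluster carries the same rule set, since the restrictions are configured per server. The rule semantics (ordered evaluation, first match wins, and an application with at least one Allow rule denies every source not explicitly allowed) are an assumption made for this example, as are the cluster node names.

```python
"""Evaluate application access control rules and audit cluster consistency.

Added example, not ClearPass code. Rule semantics and node names are assumptions.
"""
import ipaddress

APPLICATIONS = {"Policy Manager", "OnGuard", "Graphite", "Guest Operator", "Insight"}


def compile_rules(rules):
    """rules: iterable of (application, 'allow'|'deny', network) -> validated list."""
    compiled = []
    for app, action, net in rules:
        if app not in APPLICATIONS:
            raise ValueError(f"unknown application: {app}")
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action: {action}")
        compiled.append((app, action, ipaddress.ip_network(net, strict=False)))
    return compiled


def is_allowed(compiled, application, source_ip):
    """Decide whether source_ip may reach `application` under the compiled rules."""
    addr = ipaddress.ip_address(source_ip)
    has_allow = any(app == application and action == "allow" for app, action, _ in compiled)
    for app, action, net in compiled:          # ordered, first match wins
        if app == application and addr in net:  # `in` is False across IPv4/IPv6
            return action == "allow"
    # No rule matched: an application with an allow-list is closed to everyone
    # else; an application with no allow rules stays reachable (assumption).
    return not has_allow


def inconsistent_nodes(cluster_rules):
    """Return node names whose rule set differs from the publisher's.

    cluster_rules: {node_name: [(app, action, network), ...]}; the key
    "publisher" is taken as the reference configuration.
    """
    reference = set(compile_rules(cluster_rules["publisher"]))
    return sorted(node for node, rules in cluster_rules.items()
                  if node != "publisher" and set(compile_rules(rules)) != reference)


# Constructed rule set matching the figure: only two hosts reach Policy Manager.
RULES = compile_rules([
    ("Policy Manager", "allow", "192.168.1.12"),
    ("Policy Manager", "allow", "192.168.1.20"),
    ("Guest Operator", "deny", "10.0.0.0/8"),
])

if __name__ == "__main__":
    for ip in ("192.168.1.12", "192.168.1.13"):
        print(ip, "Policy Manager:", is_allowed(RULES, "Policy Manager", ip))
```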

Smart card and Certificate Based Login

ClearPass supports smart card and TLS certificate-based login for all ClearPass applications: ClearPass Policy Manager, ClearPass Guest, ClearPass Onboard and ClearPass Insight.

The certificate can come from a smart card or certificate store

The certificate can be mandatory or optional

The certificate can be in addition to username/password or standalone

When the user attempts to log in to the ClearPass application they are prompted to select a certificate before moving to the login screen.

The login process may require both a valid certificate and a valid password.

Restricting Administrator Privileges

Admin users should be assigned privileges appropriate to their job responsibilities. By default, there are seven levels of Administrative privilege. The Administration > Users and Privileges > Admin Privileges page describes these administrator levels.

Figure 8  Administrator Privilege Levels

For API access, the API Administrator privilege level should be used. This privilege level allows programmatic access but prevents the user from logging in through the WebUI.

If necessary, admin access can be further restricted by creating custom privileges. These policies can be tailored to provide fine-grained control of access to ClearPass components and services. Admin privileges can be customized for both Policy Manager and Insight.

Figure 9  Editing Admin Privileges

Password Policy

Authentication with a username/password does not provide the strongest security, yet it is extremely common. To strengthen administrator access, both the Admin account username and password should be changed. Changing the Admin account username means an attacker would have to discover not only the password but also the username, increasing the complexity of the attack. The account name should not be too descriptive or easily guessed.

Apply the same strong password policy (mixed case, mixed alphanumeric characters and special characters) to both the username and the password. Only the dash (-) and underscore (_) special characters are permitted in the username. To provide audit control, every administrator should have their own account, and accounts should never be shared between users.

Figure 10  Admin Users list at Administration > Users and Privileges > Admin Users

The cluster (appadmin) password should also be changed to a strong value. To modify this password, navigate to Administration > Server Manager > Server Configuration and click Change Cluster Password.

Figure 11  Changing the Cluster Password

Password Policy Enforcement

The password policy enforcement feature allows administrators to set enforcement rules for Admin and Local user account passwords. Separate policies can be set for Admin and Local users, and can include:

Minimum password length

Password complexity

Additional checks

Password expiration

History

Reminder (TACACS+ only)

Disable settings

To configure this feature, navigate to Administration > Users and Privileges > Admin Users, and click Password Policy.

Figure 12  Link to configure Password Policy Enforcement

Figure 13  Password Policy Configuration Settings

Accounts can be automatically disabled based on failed authentication attempts.

Figure 14  Configure Policy to Disable User Accounts

Additionally, when you access the Configuration > Identity > Local Users page to create a new local user, you can enable the Change Password option to require a password change upon that user's first login using TACACS+ authentication.

Figure 15  Option Force a Password Change on Subsequent TACACS+ Logins

Centralized Authentication and Authorization

In an organization with multiple administrators, the use of centralized authentication helps to prevent insider attacks. With centralized authentication, ClearPass does not need multiple local administrative accounts. Instead, administrative users log in with credentials that are authenticated remotely by an Active Directory or LDAP server. The remote server should return both authentication and authorization information. After authenticating the user, attribute information such as group membership or primary security affiliation should be used to assign the correct administrative privilege level.

The following example enforcement policy assigns Super Admin access if the user authenticates successfully and is a member of the Active Directory group CP Admin. Enforcement Policies for services (such as a TACACS+ Enforcement Policy Manager admin network login service) are configured at Configuration > Services when you click the Add link or select a service in the Services table, then click the Enforcement tab on the Add Services or Edit Services page.

Figure 16  Policy Assigning Super Admin Access
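The group-to-privilege mapping described above, as an added example (not ClearPass code and not its enforcement policy engine): the directory's memberOf attribute is reduced to group names, an ordered rule list is evaluated with first match winning, and any user who authenticates but matches no rule is denied rather than given a default level. The CP Admin group and Super Administrator privilege come from the text; the other group names, privilege names and DNs are constructed.

```python
"""Assign an admin privilege level from remotely returned group membership.

Added example, not ClearPass code. Groups other than CP Admin, the DNs and
the privilege names other than Super Administrator are constructed.
"""
import re

# Ordered enforcement rules: most privileged first, first match wins.
ENFORCEMENT_RULES = [
    ("CP Admin", "Super Administrator"),
    ("CP Helpdesk", "Help Desk"),
    ("CP Readonly", "Read-only Administrator"),
]


def group_cns(member_of):
    """Extract the CN of each DN, e.g. 'CN=CP Admin,OU=Groups,DC=example,DC=com' -> 'CP Admin'."""
    cns = []
    for dn in member_of:
        m = re.match(r"\s*CN=([^,]+)", dn, re.IGNORECASE)
        if m:
            cns.append(m.group(1).strip())
    return cns


def assign_privilege(auth_result, rules=ENFORCEMENT_RULES):
    """auth_result: {'authenticated': bool, 'memberOf': [DN, ...]}.

    Returns the privilege name to enforce, or None to deny the login.
    """
    if not auth_result.get("authenticated"):
        return None                                  # authentication failed
    groups = {g.lower() for g in group_cns(auth_result.get("memberOf", []))}
    for group, privilege in rules:
        if group.lower() in groups:
            return privilege
    return None                                      # authenticated, but not authorized


# Constructed directory response for a member of CP Admin (and a second group).
SAMPLE_RESULT = {
    "authenticated": True,
    "memberOf": ["CN=CP Admin,OU=Groups,DC=example,DC=com",
                 "cn=Domain Users,cn=Users,dc=example,dc=com"],
}

if __name__ == "__main__":
    print(assign_privilege(SAMPLE_RESULT))
```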