Locking Down Services

Cryptography

Aruba ClearPass uses cryptography in several of its services, including HTTPS, SSH, and IPsec. ClearPass uses cryptography to keep managed network information secret and safe by transforming it so that unintended recipients cannot understand it.

AD over SSL

When using Active Directory as an authentication source with the connection security set to “AD over SSL,” the following cipher suites are supported:

TLS_AES_128_GCM_SHA256 (0x1301)

TLS_AES_256_GCM_SHA384 (0x1302)

TLS_CHACHA20_POLY1305_SHA256 (0x1303)

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
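The list above mixes TLS 1.3 suites, ECDHE suites and static-RSA suites of differing strength. The following Python script is an added example, not ClearPass code: it derives each suite's forward-secrecy and AEAD properties from its IANA name and ranks the page's list so a reviewer can decide which suites to leave enabled on the directory server. The suite names and code points are copied from the list above; the rules and function names are this example's own.

```python
"""Classify the AD-over-SSL cipher suites listed on this page.

Added example, not ClearPass code. The suite names and code points are
copied from the page; the property rules follow the IANA naming
convention for TLS cipher suites.
"""
from dataclasses import dataclass

# Cipher suites and code points as listed on this page.
SUPPORTED_SUITES = {
    "TLS_AES_128_GCM_SHA256": 0x1301,
    "TLS_AES_256_GCM_SHA384": 0x1302,
    "TLS_CHACHA20_POLY1305_SHA256": 0x1303,
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 0xC02B,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 0xC02C,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA9,
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA8,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xC013,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": 0xC014,
    "TLS_RSA_WITH_AES_128_GCM_SHA256": 0x009C,
    "TLS_RSA_WITH_AES_256_GCM_SHA384": 0x009D,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
}


@dataclass(frozen=True)
class SuiteProfile:
    name: str
    tls13: bool
    key_exchange: str      # "ECDHE", "RSA", or "(EC)DHE" for TLS 1.3
    forward_secrecy: bool  # ephemeral key exchange protects recorded sessions
    aead: bool             # GCM / ChaCha20-Poly1305 (True) vs CBC + HMAC (False)
    hash_alg: str          # PRF/HKDF hash for AEAD suites, HMAC hash for CBC suites


def profile(name: str) -> SuiteProfile:
    """Derive the security-relevant properties encoded in an IANA suite name."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    body = name[len("TLS_"):]
    if "_WITH_" not in body:
        # TLS 1.3 names carry only the AEAD cipher and the HKDF hash; the key
        # exchange is negotiated separately and is always ephemeral (EC)DHE.
        cipher, kx, fs, aead = body, "(EC)DHE", True, True
    else:
        kx_auth, cipher = body.split("_WITH_", 1)
        kx = kx_auth.split("_", 1)[0]           # "ECDHE" or "RSA"
        fs = kx in ("ECDHE", "DHE")             # static RSA: no forward secrecy
        aead = "_GCM_" in cipher or "POLY1305" in cipher
    hash_alg = cipher.rsplit("_", 1)[1]         # "SHA" (SHA-1), "SHA256", "SHA384"
    return SuiteProfile(name, "_WITH_" not in body, kx, fs, aead, hash_alg)


def findings(p: SuiteProfile) -> list:
    """Weaknesses a hardening review would flag for one suite (empty = clean)."""
    out = []
    if not p.forward_secrecy:
        out.append("static RSA key exchange: a leaked server key decrypts "
                   "every recorded session")
    if not p.aead:
        mac = "SHA-1" if p.hash_alg == "SHA" else p.hash_alg
        out.append(f"CBC mode with HMAC-{mac}: legacy MAC-then-encrypt construction")
    return out


def audit(suites=SUPPORTED_SUITES) -> dict:
    """Map each supported suite to its findings."""
    return {name: findings(profile(name)) for name in suites}


def preferred_order(suites=SUPPORTED_SUITES) -> list:
    """Rank suites strongest-first: TLS 1.3, then ECDHE+AEAD, ECDHE+CBC,
    static RSA+AEAD, static RSA+CBC."""
    def rank(name):
        p = profile(name)
        return (not p.tls13, not p.forward_secrecy, not p.aead, name)
    return sorted(suites, key=rank)


if __name__ == "__main__":
    for name in preferred_order():
        flags = audit()[name]
        print(f"0x{SUPPORTED_SUITES[name]:04x} {name:48} {'; '.join(flags) or 'ok'}")
```

ClearPass is the TLS client here, so which of these suites is actually negotiated depends on what the directory server offers; the ranking is meant to guide that server-side choice.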

Disk Encryption for Virtual Appliances

ClearPass supports Linux Unified Key Setup-on-disk-format (LUKS) disk encryption for both hardware and virtual appliances. LUKS is enabled by default on all ClearPass hardware appliances. For virtual appliances, ClearPass gives the administrator the option to encrypt the disk partition while setting up a VM appliance.

If the administrator knows that the hypervisor or the hardware already provides underlying disk encryption, then no additional disk encryption for ClearPass is required. If you are not sure whether the hypervisor has underlying disk encryption, it is recommended to choose the Do you wish to encrypt all local data? option for encryption, as shown in the following image of the VM setup process.

FIPS Mode

In FIPS mode, all cryptographic services provide a minimum strength of 112 bits as mandated by FIPS 140-2. Services that provide less than 112 bits of security (such as RSA-1024, SHA1 for digital signatures, MD5, and DES) may not be configured. In non-FIPS mode, there are no restrictions on minimum security strength. Algorithms such as DES (56 bits of strength) and MD5 (<64 bits of strength) are permitted, although this is not the default configuration.

Enabling FIPS


Review the following important points before enabling FIPS mode in ClearPass Policy Manager:

The database is reset when FIPS mode is enabled. Ensure that a secure current back-up of the ClearPass database exists before enabling FIPS mode.

Configuration backup files from Policy Manager in non-FIPS mode cannot be restored to Policy Manager in FIPS mode.

Configuration backup files from Policy Manager in FIPS mode can be restored to Policy Manager in non-FIPS mode.

The server will be removed from the cluster when FIPS mode is enabled.

All nodes in a cluster must be either in FIPS or non-FIPS mode.

Legacy authentication methods such as EAP-MD5 and MD5 message digest algorithm are not supported in FIPS mode.

Certificates that are created with MD5 authentication cannot be imported to the Certificates Trust List (Administration > Certificates > Certificate Trust List).

The server reboots when FIPS mode is enabled.

HTTP Strict Transport Security

HSTS (HTTP Strict Transport Security) lets Policy Manager inform browsers that it should only be accessed using HTTPS, instead of the less secure HTTP.

This feature can be enabled as a server-wide setting on a ClearPass server. To configure it, navigate to Administration > Server Manager > Server Configuration and select a server, then select the Service Parameters tab. In the Select Service drop-down menu, select ClearPass system services, then scroll down to the Web Server Configuration section. By default, the Enable HTTP Strict Transport Security (HSTS) field is set to zero (0), which disables the feature. Set the timeout to any value from 1 to 31536000 seconds (one year) to enable the feature and define the timeout value. Once the timeout value has elapsed, a browser is allowed to make another HTTP request, which is then immediately redirected to an HTTPS connection.

OCSP

Online Certificate Status Protocol (OCSP) can be used to obtain the revocation status of an X.509 digital certificate. To configure OCSP settings, navigate to Administration > Server Manager > Server Configuration and select a server, then select the Service Parameters tab. In the Select Service drop-down menu, select RadSec service.

Include Nonce in OCSP request: A nonce is a cryptographic value used to protect against record-and-replay attacks. If the OCSP server does not support the nonce, set this value to FALSE to avoid an EAP-TLS authentication failure.

Enable Signing for OCSP Requests: Enables ClearPass to sign the OCSP request with the RADIUS server certificate. The default value for this parameter is FALSE, which disables signing. Signing verifies the integrity of the data and the identity of the sender.

OCSP Server Fail-Open to CRL

For EAP-TLS authentication, if the OCSP server is not accessible to perform certificate validation, ClearPass provides a means to validate against a CRL instead (fallback).

To add or modify the EAP-TLS authentication method, navigate to Configuration > Authentication > Methods. Select an existing authentication method to modify it, or click the Add link to add a new authentication method.

Figure 1  Adding Authentication Method for OCSP server Fallback

OCSP Validation Check for Intermediate Certificates

To enhance certificate security, enable the RADIUS service parameter Check the validity of intermediary certificates in the chain using OCSP server. Enabling this option validates the entire certificate chain, but puts greater load on the system and is not intended for all customer use cases. To modify this setting, navigate to Administration > Server Manager > Server Configuration, select a server from the Servers list, then click the Service Parameters tab.

Figure 2  Checking Certificates using OCSP

OCSP/CRL Status Messages

The Event Viewer at Monitoring > Event Viewer provides a notification when:

The connection to an OCSP server times out

No response is received from an OCSP server

A CRL has expired

A CRL download fails
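How the "Include Nonce in OCSP request" setting, the OCSP-to-CRL fallback and the Event Viewer notifications above fit together, as an added Python model that is not ClearPass code: the Settings fields stand for the two page settings, the responders and CRL fetchers are constructed test doubles, and the function and event names are this example's own (the event text is taken from the list above).

```python
"""Revocation check decision logic: OCSP with the nonce policy, then
fail-open to a CRL, with the events the page says reach the Event Viewer.

Added example, not ClearPass code. Settings stands for the "Include Nonce
in OCSP request" parameter and the EAP-TLS method's OCSP-to-CRL fallback;
responders and CRLs below are constructed test doubles.
"""
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # no trustworthy answer: the authentication is refused

@dataclass
class OcspResponse:
    status: Status
    nonce: Optional[bytes]   # None when the responder does not echo the nonce

@dataclass
class Crl:
    revoked_serials: set
    next_update: datetime

class OcspUnavailable(Exception):
    """Timeout or no response from the OCSP server."""

class CrlDownloadFailed(Exception):
    """The CRL distribution point could not be fetched."""

@dataclass
class Settings:
    include_nonce: bool = True      # "Include Nonce in OCSP request"
    fail_open_to_crl: bool = True   # EAP-TLS method: fall back to CRL

@dataclass
class Result:
    status: Status
    events: list                    # Event Viewer notifications raised


def check_revocation(serial, settings, ocsp_query, crl_fetch, now) -> Result:
    """OCSP first; on timeout or no response fall back to the CRL if allowed."""
    events = []
    nonce = os.urandom(16) if settings.include_nonce else None
    try:
        resp = ocsp_query(serial, nonce)
    except OcspUnavailable as exc:
        events.append(str(exc))
    else:
        if nonce is not None and resp.nonce != nonce:
            # The responder ignored or altered the nonce, so the answer could be
            # a replayed old response. With Include Nonce = TRUE this is the
            # EAP-TLS failure the page warns about for nonce-less responders.
            return Result(Status.UNKNOWN, events + ["OCSP response does not echo the nonce"])
        return Result(resp.status, events)
    if not settings.fail_open_to_crl:
        return Result(Status.UNKNOWN, events)
    try:
        crl = crl_fetch()
    except CrlDownloadFailed:
        return Result(Status.UNKNOWN, events + ["CRL download fails"])
    if crl.next_update <= now:
        return Result(Status.UNKNOWN, events + ["CRL has expired"])
    return Result(Status.REVOKED if serial in crl.revoked_serials else Status.GOOD, events)


# Constructed test doubles standing in for a responder and a CRL distribution point.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed clock

def echoing_responder(revoked=frozenset()):
    """Correct responder: answers from its revoked list and echoes the nonce."""
    def query(serial, nonce):
        return OcspResponse(Status.REVOKED if serial in revoked else Status.GOOD, nonce)
    return query

def nonce_ignoring_responder(serial, nonce):
    """Responder without nonce support: says 'good' but drops the nonce."""
    return OcspResponse(Status.GOOD, None)

def dead_responder(serial, nonce):
    raise OcspUnavailable("The connection to an OCSP server times out")

def make_crl(revoked, hours_valid, now):
    """CRL fetcher whose CRL expires hours_valid hours after now (negative = expired)."""
    def fetch():
        return Crl(set(revoked), now + timedelta(hours=hours_valid))
    return fetch

def failing_crl():
    raise CrlDownloadFailed()
```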

NTP Authentication

If the Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to otherwise secure network devices, which makes log timestamps inaccurate and affects scheduled actions. NTP authentication prevents such tampering by authenticating the dedicated time source.

ClearPass supports authenticating its network time sources using SHA or SHA1. In FIPS mode, only SHA1 is supported. Authentication uses the Linux NTP service. In a cluster, the publisher is the time source for all subscribers, and subscribers do not authenticate the publisher.

To set NTP Authentication settings:

1. Navigate to the Administration > Server Manager > Server Configuration page.

2. Select the Set Date & Time link.

3. Select the Synchronize time with NTP server option, then enter the values for your server settings.
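What the shared key configured in the step above actually protects, as an added Python example that is not part of the ClearPass documentation: it builds an NTP packet, appends the ntpd-style symmetric-key MAC (4-byte key ID followed by SHA-1 over key || 48-byte header) and shows that a rogue server's reply, unauthenticated or signed under a different key, is rejected. The key, key ID and timestamps are constructed for the demonstration.

```python
"""NTP symmetric-key authentication: the MAC a client checks before trusting
a server's time, and why a rogue server fails that check.

Added example, not part of the ClearPass documentation. The 48-byte header
layout and the MAC construction (4-byte key ID, then SHA-1 over key || header)
follow the ntpd symmetric-key scheme; key, key ID and timestamps are constructed.
"""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2_208_988_800    # seconds from 1900-01-01 to the Unix epoch
HEADER_LEN = 48
DIGEST = hashlib.sha1               # the algorithm the page allows in FIPS mode
MAC_LEN = 4 + DIGEST().digest_size  # key ID + 20-byte digest


def ntp_timestamp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (whole << 32) | frac


def build_header(mode: int, stratum: int, transmit_unix: float) -> bytes:
    """Minimal NTPv4 header; only the fields the demo inspects are meaningful."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode            # leap=0, version 4
    return struct.pack("!BBBbIIIQQQQ",
                       li_vn_mode, stratum, 6, -20,    # poll 2^6 s, precision 2^-20 s
                       0, 0, 0,                        # root delay, root dispersion, ref id
                       0, 0, 0,                        # reference, origin, receive timestamps
                       ntp_timestamp(transmit_unix))


def compute_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Symmetric-key MAC: key ID followed by H(key || header)."""
    return struct.pack("!I", key_id) + DIGEST(key + header).digest()


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    return header + compute_mac(header, key_id, key)


def verify(packet: bytes, trusted_keys: dict) -> bool:
    """True only if the trailing MAC was made with a key the client trusts.
    trusted_keys maps key ID -> key bytes, like the lines of an ntp keys file."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False                                   # unauthenticated or malformed
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                                   # unknown key ID
    expected = DIGEST(key + header).digest()
    return hmac.compare_digest(expected, trailer[4:])  # constant-time comparison


def accept_time(packet: bytes, trusted_keys: dict):
    """Server transmit time (Unix seconds) if the packet authenticates, else None."""
    if not verify(packet, trusted_keys):
        return None
    ts = struct.unpack("!Q", packet[40:48])[0]        # transmit timestamp field
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


# Constructed demonstration data (not real keys or servers).
TRUSTED_KEYS = {1: b"constructed-shared-secret-for-the-example"}
T = 1_700_000_000.0


def demo():
    """Genuine reply, unauthenticated rogue reply, rogue reply under a wrong key,
    and a genuine reply altered in transit."""
    genuine = sign(build_header(4, 2, T), 1, TRUSTED_KEYS[1])
    rogue_plain = build_header(4, 1, T + 3600)                # claims to be an hour ahead
    rogue_signed = sign(rogue_plain, 1, b"rogue-server-own-key")  # right key ID, wrong key
    tampered = bytearray(genuine)
    tampered[47] ^= 0x01                                      # flip a bit of the timestamp
    return (accept_time(genuine, TRUSTED_KEYS),
            accept_time(rogue_plain, TRUSTED_KEYS),
            accept_time(rogue_signed, TRUSTED_KEYS),
            accept_time(bytes(tampered), TRUSTED_KEYS))
```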

SMBv2/v3 support

ClearPass supports SMBv2/v3 for PEAPv0/EAP-MSCHAPv2 and Microsoft Active Directory Domain Services. ClearPass uses the highest version available on the controller:

SMBv3 will be automatically used by default for AD joins and any requests that use PEAPv0/EAP-MSCHAPv2.

If SMBv3 is not enabled, ClearPass will then automatically failover to SMBv2.

If SMBv2 is also not enabled, ClearPass will then fail over to use SMBv1.

If higher SMB versions are later enabled on the client, ClearPass detects the change and automatically attempts to use the highest available SMB version.

SNMP

The Simple Network Management Protocol (SNMP) is commonly used by network management systems to poll devices for information such as port configuration, status, and interface counters. SNMP versions 1 and 2 provide very little security beyond the community string. If an attacker has network access to a device and can guess the community string, this may lead to disclosure of sensitive information. Aruba strongly recommends the use of SNMPv3, which provides much stronger security through authentication and encryption.

Navigate to Administration > Server Manager > Server Configuration, select a server, then click the System Monitor tab to configure the SNMP configuration parameters. This ensures that external Management Information Base (MIB) browsers can browse the system-level MIB objects exposed by the Policy Manager appliance. The options on this page vary based on the SNMP version selected.

Figure 3  SNMP Configuration Settings on the ClearPass Server

SNMP Traps

SNMP Trap Receivers can be configured to receive traps for critical system events. Policy Manager sends SNMP traps that expose the following server information:

System uptime. Reports how long the system has been running.

Network interface statistics [up/down]. Reports whether the network interface is up or down.

Process monitoring information. Checks for the processes that should be running, with a maximum and minimum number of allowed instances, and sends a trap if the instance count changes relative to those maximum and minimum values.

Disk usage. Checks the disk space usage of a partition. The agent checks the amount of available disk space and makes sure it is above a set limit, which can also be given as a percentage; it sends a trap if the value changes.

CPU load information. Checks for unreasonable load average values. For example, if the 1-minute CPU load average exceeds the configured value [in percentage], the system sends a trap to the configured destination.

Memory usage. Reports the memory usage of the system.

To configure free disk and CPU load thresholds:

1. Navigate to Administration > Server Manager > Server Configuration.

2. Select a server, then click the Service Parameters tab.

3. In the Select Service menu, select the system monitor service.

Figure 4  Free Disk and CPU Load Threshold Configuration

System Cleanup Options

To prevent disk space exhaustion, ClearPass includes the cluster-wide parameter Free disk space threshold value, which triggers a disk cleanup when free space falls below the threshold. The default value is 30% free disk space; anything below that triggers a disk cleanup. To change this setting, navigate to Administration > Server Manager > Server Configuration, select a server, then click the System Monitor tab.

Figure 5  Free Disk Space Threshold Value Cluster-Wide Parameter

Once an hour, ClearPass checks the free disk space; if it is below the defined threshold, an alert is logged and an aggressive cleanup operation runs. The job removes any records older than one day from the following:

Log database records

Core files

System load monitor files

Application and system log files

Auto and manual backup files

Stored reports

Expired guest accounts

Audit records

SNMP Private Enterprise MIB

ClearPass includes a Private Enterprise MIB that exposes over 70 OIDs (Object Identifiers, the nodes of the MIB hierarchy, designated by text strings and integer sequences as defined by the ASN.1 standard). Information and traps include:

Performance counters

Authentication counters

Authorization counters

Request processing time/delays

Authorization time/delays

System statistics

Disk statistics (available, total, used)

Memory statistics (available, total, used)

CPU load averages

Network traffic counters

Application name

Application port

Total network traffic in bytes

SNMP Traps

Free disk space is lower than the configured threshold

Low system memory

High CPU utilization

License expiration

Certificate expiration

Cluster node add

Cluster node promote

Cluster node delete

Cluster password change

Cluster license utilization

SNMP Trap Receivers

External trap receivers are added at: Administration > External Servers > SNMP Trap Receivers.
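The trap receivers configured here are the consumers of the events listed under SNMP Traps above. As an added example (not ClearPass code, and not a substitute for a production trap manager), the following standard-library Python decodes SNMPv2c trap packets the way a receiver sees them on the wire: it parses the BER-encoded message, checks the version and PDU type, rejects truncated packets, drops traps whose community string does not match the configured one, and returns sysUpTime, snmpTrapOID and the remaining varbinds. The enterprise OIDs under 1.3.6.1.4.1.99999 in the constructed test packet are placeholders, not ClearPass's Private Enterprise MIB, and the small encoder exists only to build that packet.

```python
"""SNMPv2c trap receiver on the standard library: BER decoder for the TRAPv2 PDU, a small
encoder used only to build a test packet, and a UDP listen loop. Added example, not ClearPass code."""
import socket
from collections import namedtuple

# BER tags used by SNMP (RFC 3416); Counter32/Gauge32/TimeTicks are INTEGER-encoded
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
COUNTER32, GAUGE32, TIMETICKS, COUNTER64, SNMPV2_TRAP = 0x41, 0x42, 0x43, 0x46, 0xA7
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"         # sysUpTime.0: first varbind of every v2 trap
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0: second varbind
Trap = namedtuple("Trap", "community request_id varbinds")  # varbinds: [(oid, value), ...]

# encoder, used here only to construct a packet for the test (placeholder OIDs: 1.3.6.1.4.1.99999.*)
def tlv(tag, body):  # BER TLV with short- or long-form length
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + length + body
def enc_int(n, tag=INTEGER):
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))
def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:  # base 128, continuation bit on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))
def build_trap(community, request_id, uptime, trap_oid, extra=()):
    # SNMPv2c message wrapping a TRAPv2 PDU; extra = [(oid, (tag, value)), ...]
    def enc(t, v):
        return enc_oid(v) if t == OID else tlv(t, v.encode()) if t == OCTET_STRING else enc_int(v, t)
    vbs = [(SYS_UPTIME, (TIMETICKS, uptime)), (SNMP_TRAP_OID, (OID, trap_oid))] + list(extra)
    vbl = b"".join(tlv(SEQUENCE, enc_oid(o) + enc(t, v)) for o, (t, v) in vbs)
    pdu = tlv(SNMPV2_TRAP, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, enc_int(1) + tlv(OCTET_STRING, community.encode()) + pdu)  # version 1 = v2c

# decoder
def _read(buf, pos):  # one BER element at pos -> (tag, body, position after it); rejects truncation
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length
def _dec_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def _dec_value(tag, body):
    if tag == OID:
        return _dec_oid(body)
    if tag == OCTET_STRING:
        return body.decode("utf-8", "replace")
    if tag in (INTEGER, COUNTER32, GAUGE32, TIMETICKS, COUNTER64):
        return int.from_bytes(body, "big", signed=True)
    return None if tag == NULL else body.hex()  # unknown type: keep the raw bytes
def decode_trap(packet):
    tag, msg, _ = _read(packet, 0)
    vtag, ver, pos = _read(msg, 0)
    if tag != SEQUENCE or vtag != INTEGER or int.from_bytes(ver, "big", signed=True) != 1:
        raise ValueError("not an SNMPv2c message")
    _, comm, pos = _read(msg, pos)
    tag, pdu, _ = _read(msg, pos)
    if tag != SNMPV2_TRAP:
        raise ValueError("not an SNMPv2-Trap PDU")
    _, rid, p = _read(pdu, 0)
    for _skip in range(2):  # error-status and error-index, both 0 in a trap
        _, _, p = _read(pdu, p)
    _, vbl, _ = _read(pdu, p)
    varbinds, q = [], 0
    while q < len(vbl):  # VarBind ::= SEQUENCE { name OBJECT IDENTIFIER, value }
        _, vb, q = _read(vbl, q)
        _, oid_body, r = _read(vb, 0)
        vtag, vbody, _ = _read(vb, r)
        varbinds.append((_dec_oid(oid_body), _dec_value(vtag, vbody)))
    return Trap(comm.decode("utf-8", "replace"), int.from_bytes(rid, "big", signed=True), varbinds)
def serve(bind="0.0.0.0", port=162, community="public"):
    """Print each received trap; malformed packets and a wrong community string are dropped."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            try:
                trap = decode_trap(data)
                if trap.community != community:
                    raise ValueError("unexpected community string")
            except ValueError as err:
                print(f"{src}: dropped ({err})")
                continue
            print(f"{src}: request {trap.request_id}: {trap.varbinds}")
```

Call serve() as a user allowed to bind UDP/162 (or pass a higher port) to print each trap as it arrives. SNMPv2c carries the community string in cleartext, so the community check here is a sanity filter against stray or misdirected traps rather than authentication; where the SNMP version selected on the server allows it, SNMPv3 with authentication and privacy is the stronger choice for the trap path.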


External syslog

When a system is compromised, one of the first things an attacker will do is to remove evidence of the intrusion from the system logs. For this reason, it is important to send logs to a secure external system – preferably one with automated log analysis tools that can identify and flag unusual activity. ClearPass supports the syslog standards for log distribution. Log information can be sent to one or more syslog targets (servers).

To configure syslog targets, navigate to Administration > External Servers > Syslog Targets, then click Add to create a new syslog target. Export filters are configured at Administration > External Servers > Syslog Export Filters.

Figure 6  Adding a Syslog Target

Policy Manager uses syslog to export session data from the Access Tracker, audit records from the Audit Viewer, event records from the Event Viewer, and Insight logs. Syslog Export Filters are configured to tell Policy Manager where to send log information, and what information should be included in the logs sent to each syslog target. If desired, different information can be sent to each syslog target.

You can define Syslog export filters using the Audit Records, Insight Logs, Session Logs, or System Events export templates. If you use the Insight Logs export template, you have the option to select predefined groups of fields or to select individual fields. If you use the Session Logs export template, the Active Sessions filter adds the option for customized SQL Queries.

Figure 7  Syslog Export Filter Settings with the Audit Records Export Template

Figure 8  Syslog Export Filter Settings with the Session Logs Export Template

LEEF and CEF Format Syslog

ClearPass supports both the CEF (Common Event Format, a standard for interoperability of event- or log-generating devices and applications whose syntax is a fixed prefix followed by a variable extension of key-value pairs) and LEEF (Log Event Extended Format, a customizable syslog event format) syslog formats. To choose a syslog format for an export filter, navigate to Administration > External Servers > Syslog Export Filters and click Add, or select an existing filter from the Syslog Export Filters table.

Figure 9  Syslog Export Filter Settings
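Whatever receives the exported syslog must parse the chosen format before the automated log analysis recommended under External syslog above can run. As an added example, not ClearPass code and not its export schema, the following Python parses CEF and LEEF 1.0/2.0 lines into one structure, handling the escaped pipes in the header, CEF's backslash-escaped extension values and LEEF 2.0's configurable attribute delimiter, and counts events per event ID while keeping unparseable lines visible rather than silently dropping them. The sample lines, vendor and product names, event IDs and field names are constructed placeholders.

```python
"""Parser for CEF and LEEF (1.0 and 2.0) syslog lines plus a per-event-ID aggregate a SIEM
rule could key on. Added example, not ClearPass code: the sample lines are constructed and
their vendor, product, event IDs and field names are placeholders, not ClearPass's schema."""
import re
from dataclasses import dataclass, field

_HDR_RE = re.compile(r"\b(CEF|LEEF):")  # the syslog PRI/timestamp/host before it is ignored
# CEF extension: key=value pairs separated by spaces; values may contain spaces, and a
# literal '=' or '\' inside a value is backslash-escaped, so a key never contains '\'.
_EXT_RE = re.compile(r"(?P<key>[^\s=\\]+)=(?P<val>(?:\\.|[^\\=])*?)(?=\s+[^\s=\\]+=|$)")

@dataclass
class Event:
    fmt: str               # "CEF" or "LEEF"
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str          # CEF Signature ID or LEEF EventID
    name: str = ""         # CEF only
    severity: str = ""     # CEF only
    attrs: dict = field(default_factory=dict)

def _split_header(s, nfields):
    """Take nfields '|'-separated header fields, honouring '\\|' escapes; return (fields, rest)."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < nfields:
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < nfields:
        raise ValueError(f"truncated header: expected {nfields} fields")
    return fields, s[i:]

def _unescape(v):  # CEF extension escapes: \= \\ and \n / \r for line breaks
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)

def _leef_delimiter(spec):
    # LEEF 2.0 sixth header field: empty means tab, x09/0x09 is a hex code, otherwise a literal char
    s = spec.lower()
    if s == "":
        return "\t"
    if s.startswith(("x", "0x")):
        return chr(int(s[2:] if s.startswith("0x") else s[1:], 16))
    return spec

def parse_event(line):
    m = _HDR_RE.search(line)
    if not m:
        raise ValueError("no CEF or LEEF header found")
    fmt, body = m.group(1), line[m.end():]
    if fmt == "CEF":
        (ver, vendor, product, pver, sig_id, name, sev), ext = _split_header(body, 7)
        attrs = {k: _unescape(v) for k, v in _EXT_RE.findall(ext)}
        return Event("CEF", ver, vendor, product, pver, sig_id, name, sev, attrs)
    (ver, vendor, product, pver, event_id), rest = _split_header(body, 5)
    delim = "\t"  # LEEF 1.0 always separates attributes with a tab
    if ver.startswith("2"):
        (spec,), rest = _split_header(rest, 1)
        delim = _leef_delimiter(spec)
    attrs = dict(p.split("=", 1) for p in rest.split(delim) if "=" in p)
    return Event("LEEF", ver, vendor, product, pver, event_id, attrs=attrs)

def count_by_event(lines):
    """Events per (format, event id); lines that do not parse are counted under ("unparsed", None)."""
    counts = {}
    for line in lines:
        try:
            ev = parse_event(line)
            key = (ev.fmt, ev.event_id)
        except ValueError:
            key = ("unparsed", None)
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample export lines (placeholder vendor, product, fields and event IDs).
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 cppm-01 CEF:0|Example Vendor|Example NAC|6.9|1001|Authentication Failed|5|"
    "src=10.0.0.15 suser=jdoe msg=Password did not match\\=policy reason",
    "<134>Jan 10 12:00:02 cppm-01 LEEF:1.0|Example Vendor|Example NAC|6.9|1001|"
    "src=10.0.0.15\tusrName=jdoe\tmsg=Authentication Failed",
    "<134>Jan 10 12:00:03 cppm-01 LEEF:2.0|Example Vendor|Example NAC|6.9|2001|^|"
    "src=10.0.0.20^usrName=asmith^msg=Authentication Succeeded",
    "<134>Jan 10 12:00:04 cppm-01 unstructured line with no structured header",
]

if __name__ == "__main__":
    for ev in map(parse_event, SAMPLE_LINES[:3]):
        print(ev.fmt, ev.event_id, ev.name or "-", ev.attrs)
    print(count_by_event(SAMPLE_LINES))
```

The parser deliberately fails loudly on a line with too few header fields or no recognisable header: a receiver that quietly skips such lines hides exactly the export breakage (a changed template, a truncating relay) that would blind the analysis the page recommends.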