ClearPass Policy Manager 6.5 User Guide


Summary Tab

The Summary tab summarizes the parameters configured in the Posture Server, Primary Server, and Backup Server tabs. The following figure displays the Summary tab:

Figure 253: Posture Servers - Summary Tab

Configuring Audit Servers

The Policy Manager server contains built-in Nessus (version 2.X) and NMAP servers. For enterprises that already run their own audit server infrastructure, Policy Manager can also use those external audit servers.

For more information, see:

- Built-In Audit Servers on page 282
- Custom Audit Servers on page 285
- Post-Audit Rules on page 293

Audit Service Flow Control

Audit servers evaluate posture, role, or both for unmanaged or unmanageable clients, that is, clients that lack an adequate posture agent or an 802.1X supplicant. For example, printers, PDAs, or guest users' devices might not be able to send posture credentials or identify themselves.

A Policy Manager Service can trigger an audit by sending a client ID to a pre-configured audit server; the server returns attributes for role mapping and posture evaluation.

Audit servers are configured at a global level. Only one audit server can be associated with a service. The flow of control of the audit process is shown in Figure 254.

For more information, see Configuring Audit Servers on page 281.

ClearPass Policy Manager 6.5 | User Guide Posture | 281

Figure 254: Flow of Control of Policy Manager Auditing

Built-In Audit Servers

When you configure an audit as part of a Policy Manager service, you can select the default Nessus (Nessus Server) or NMAP (Nmap Audit) configuration.

Adding Auditing to a Policy Manager Service

1. Navigate to the Audit tab from one of the following locations:
   - To configure an audit server for a new service (as part of the Add Service wizard flow), navigate to Configuration > Services and select the Add Services link in the top-right corner. In the Add Services form, select the Audit tab. You must select the Audit End-hosts check box on the Services tab for the Audit tab to be displayed.
   - To modify an existing audit server, navigate to Configuration > Posture > Audit Servers, then select an audit server from the list.
2. Configure auditing and complete the fields in the Audit tab as shown in Figure 255 and described in Table 153:

Figure 255: Audit Tab


Table 153: Audit tab

Audit Server: Select a built-in server profile from the list:
- [Nessus Server] performs vulnerability scanning and returns a Healthy/Quarantine result.
- [Nmap Audit] performs network port scans. The health evaluation always returns a Healthy result; the port scan gathers attributes that allow role(s) to be determined through post-audit rules.

For Policy Manager to trigger an audit on an end-host, it needs the end-host's IP address. That address is not available at the time of initial authentication for 802.1X and MAC authentication requests. Policy Manager has a built-in DHCP snooping service that examines DHCP request and response packets to derive the end-host's IP address. For this service to work, Policy Manager must be configured as a DHCP "IP Helper" destination on your router/switch in addition to your main DHCP server, so that it receives a copy of the DHCP traffic (on Cisco IOS, for example, this is a second ip helper-address entry on the client VLAN interface). Refer to your switch documentation for "IP Helper" configuration. If Policy Manager never sees the DHCP exchange, it never learns the address and the audit cannot start.

To audit devices that have a statically assigned IP address, it is recommended to create a static binding between the MAC and IP address of the endpoint in your DHCP server. Refer to your DHCP server documentation for configuring such static bindings.

NOTE: Policy Manager does not issue the IP address; it only examines the DHCP traffic to derive the IP address of the end-host.

Audit Trigger Conditions: Select from the following audit trigger conditions:
- Always: Always perform an audit.
- When posture is not available: Perform an audit only when posture credentials are not available in the request.
- For MAC Authentication Request: If you select this option, Policy Manager presents three additional settings:
  - For known end-hosts only: Select this option, for example, when you want to reject unknown end-hosts and audit known clients. Known end-hosts are clients that are found in the authentication source(s) associated with this service.
  - For unknown end-hosts only: Select this option, for example, when known end-hosts are assumed to be healthy but you want to establish the identity of unknown end-hosts and assign them roles. Unknown end-hosts are end-hosts that are not found in any of the authentication sources associated with this service.
  - For all end-hosts: Audit both known and unknown end-hosts.

Action after audit: Select an Action after audit. Auditing a client is an asynchronous task: the audit can run only after the MAC authentication request has completed and the client has acquired an IP address through DHCP, so until the results arrive the client holds whatever access the initial request granted (the In-Progress Posture Status governs how the service treats it during that window). Once the audit results are available, Policy Manager needs a way to re-apply policies on the network device. This can be accomplished in one of the following ways:
- No Action: Policy Manager does not re-apply policies on the network device after this audit.
- Do SNMP bounce: Bounces the switch port or forces an 802.1X reauthentication (both done using SNMP). Bouncing the port triggers a new 802.1X/MAC authentication request from the client. If the audit server already has the posture token and attributes associated with this client in its cache, it returns the token and the attributes to Policy Manager, so the new request is evaluated against the audit result without a second scan.
- Trigger RADIUS CoA action: Sends a RADIUS Change of Authorization (CoA) command to the network device.
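To make concrete what the DHCP snooping service has to extract from the traffic an IP Helper forwards to it, here is an added example in Python (not ClearPass code and not part of this guide). It parses DHCP packets in the RFC 2131/2132 layout and keeps a MAC-to-IP table, never replying to anything, which mirrors the NOTE above. It also handles the practical edge case of a helper-only deployment: a relay forwards the client's REQUEST, not the server's ACK, so the address learned from a REQUEST is recorded as client-asserted and only upgraded to confirmed when a server DHCPACK is also seen (for example via a mirror port). The sample exchange, the relay address 10.1.1.1 and the client addresses are constructed.

```python
"""Passive DHCP snooping (added example, not ClearPass code): learn end-host
MAC -> IP bindings from DHCP traffic that a switch relays to a second IP Helper
address. The listener never replies. Layout per RFC 2131/2132; samples constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPOFFER, DHCPREQUEST, DHCPACK = 2, 3, 5
OPT_PAD, OPT_REQUESTED_IP, OPT_MESSAGE_TYPE, OPT_END = 0, 50, 53, 255


@dataclass
class DhcpMessage:
    op: int
    msg_type: int
    chaddr: str                  # client MAC
    ciaddr: str                  # address the client claims to hold (renewal)
    yiaddr: str                  # address the server assigns (OFFER/ACK)
    requested_ip: Optional[str]  # option 50, set by the client in REQUEST


@dataclass
class Binding:
    ip: str
    confirmed: bool  # True only when learned from a server DHCPACK


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_dhcp(packet: bytes) -> DhcpMessage:
    """Decode the BOOTP fixed header, then walk the DHCP option TLVs."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen = struct.unpack_from("!BBB", packet, 0)
    chaddr = ":".join(f"{b:02x}" for b in packet[28:28 + min(hlen, 16)])
    msg_type, requested_ip, i = None, None, 240
    while i < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        length, value = packet[i + 1], packet[i + 2:i + 2 + packet[i + 1]]
        if code == OPT_MESSAGE_TYPE and length == 1:
            msg_type = value[0]
        elif code == OPT_REQUESTED_IP and length == 4:
            requested_ip = _ipv4(value)
        i += 2 + length
    if msg_type is None:
        raise ValueError("DHCP message type option missing")
    return DhcpMessage(op, msg_type, chaddr, _ipv4(packet[12:16]),
                       _ipv4(packet[16:20]), requested_ip)


class SnoopTable:
    def __init__(self) -> None:
        self.bindings: Dict[str, Binding] = {}   # MAC -> Binding, learned passively

    def observe(self, packet: bytes) -> Optional[str]:
        """Update the table from one snooped packet; say what was learned."""
        try:
            msg = parse_dhcp(packet)
        except (ValueError, IndexError):
            return None
        if msg.op == BOOTREQUEST and msg.msg_type == DHCPREQUEST:
            # Client-asserted address (option 50 when selecting, ciaddr when renewing). This is
            # all an IP Helper copy delivers and the client can name any IP, so it is unconfirmed.
            ip = msg.requested_ip or (None if msg.ciaddr == "0.0.0.0" else msg.ciaddr)
            if ip is None:
                return None
            known = self.bindings.get(msg.chaddr)
            if known is None or not known.confirmed:   # never downgrade a server ACK
                self.bindings[msg.chaddr] = Binding(ip, confirmed=False)
            return "claimed"
        if msg.op == BOOTREPLY and msg.msg_type == DHCPACK and msg.yiaddr != "0.0.0.0":
            # Server-committed lease (seen via mirror/span): the address the audit should target.
            self.bindings[msg.chaddr] = Binding(msg.yiaddr, confirmed=True)
            return "confirmed"
        return None  # DISCOVER, OFFER, NAK, RELEASE carry no usable binding


def build_dhcp(op: int, msg_type: int, mac: bytes, yiaddr: bytes,
               giaddr: bytes, extra_options: bytes = b"") -> bytes:
    """Assemble a minimal DHCP packet; used only to fabricate the sample traffic."""
    pkt = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)   # op..flags, 12 bytes
    pkt += bytes(4) + yiaddr + bytes(4) + giaddr                   # ciaddr yiaddr siaddr giaddr
    pkt += mac.ljust(16, b"\x00") + bytes(192)                     # chaddr, sname, file
    return pkt + DHCP_MAGIC + bytes([OPT_MESSAGE_TYPE, 1, msg_type]) + extra_options + bytes([OPT_END])


# Constructed exchange: client 00:11:22:aa:bb:cc, relay (switch) 10.1.1.1, lease 10.1.1.77.
MAC, RELAY, LEASE = bytes.fromhex("001122aabbcc"), bytes([10, 1, 1, 1]), bytes([10, 1, 1, 77])
SAMPLE_OFFER = build_dhcp(BOOTREPLY, DHCPOFFER, MAC, LEASE, RELAY)
SAMPLE_REQUEST = build_dhcp(BOOTREQUEST, DHCPREQUEST, MAC, bytes(4), RELAY,
                            bytes([OPT_REQUESTED_IP, 4]) + LEASE)
SAMPLE_ACK = build_dhcp(BOOTREPLY, DHCPACK, MAC, LEASE, RELAY)
```

Feeding SAMPLE_OFFER, SAMPLE_REQUEST and SAMPLE_ACK to one SnoopTable in that order yields nothing, then a claimed binding for 10.1.1.77, then the same binding marked confirmed. The distinction is the security point: a DHCPREQUEST is whatever the client chose to send, so a table built only from helper copies tells you where the host says it is, not where the server put it. In a deployment the listener would sit on UDP port 67 at the address the helper points to; that socket handling is left out here.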


Modifying Built-In Audit Servers

To reconfigure one of the default Policy Manager audit servers:

1. Open the audit server profile: navigate to Configuration > Posture > Audit Servers, then select an audit server from the list of available servers.

Figure 256: Audit Servers Listing

2. Modify the profile, plugins, and/or preferences:
   - In the Audit tab, you can modify the In Progress Posture Status and Default Posture Status.
   - If you selected the Nessus Server, the Primary/Backup Server tabs allow you to specify a scan profile. When you add a new scan profile, you can select plugins and preferences for the profile. Refer to Nessus Scan Profiles on page 287 for more information. The built-in Policy Manager Nessus audit server ships with approximately 1000 of the most commonly used Nessus plugins.
   - In the Rules tab, you can create post-audit rules for determining role based on identity attributes discovered by the audit. For more information on creating post-audit rules, see Post-Audit Rules on page 293.

Custom Audit Servers

For enterprises with existing audit server infrastructure, or that prefer custom audit servers, Policy Manager supports external NESSUS servers (2.x and 3.x) and NMAP scans run through the NMAP plug-in on those external Nessus servers.

To configure a custom audit server:

1. Open the Audit Servers page.
   - To add a new audit server, navigate to Configuration > Posture > Audit Servers, then click Add Audit Server.
   - To modify an existing audit server, navigate to Configuration > Posture > Audit Servers and select an audit server from the list.
2. Add a custom audit server. When you click Add Audit Server, Policy Manager displays the Add Audit Server page. The configuration settings vary depending on the audit server type:
   - Nessus Audit Server on page 285
   - NMAP Audit Server on page 291

Nessus Audit Server

Policy Manager uses the Nessus audit server interface primarily to perform vulnerability scanning. It returns a Healthy/Quarantine result. The Audit tab identifies the server and defines configuration details.


Figure 257: Nessus Audit Server - Audit Tab

Table 154: Nessus Audit Server - Audit Tab

Name: Specify the name of the audit server.
Description: Enter a description that provides additional information about the audit server.
Type: Specify the type of audit server: NMAP or NESSUS.
In-Progress Posture Status: The posture status reported while the audit is still running. Select the status from the drop-down list.
Default Posture Status: The posture status applied if evaluation does not return a condition/action match. Select the status from the drop-down list.

The Primary Server and Backup Server tabs specify connection information for the NESSUS audit server.


Figure 258: Nessus Audit Server - Primary and Backup Tabs

Table 155: Nessus Audit Server - Primary and Backup Server Tabs

Server Name and Port / Username / Password: The standard NESSUS server connection fields.
NOTE: For the backup server to be invoked on primary server failover, check the Enable to use backup when primary does not respond check box.
Scan Profile: You can accept the default scan profile or select Add/Edit Scan Profile to create other profiles and add them to the scan profile list. Refer to Nessus Scan Profiles on page 287.

The Rules tab specifies rules for post-audit evaluation of the request to assign a role. For more information, refer to Post-Audit Rules on page 293.

Nessus Scan Profiles

A scan profile contains a set of scripts (plugins) that perform specific audit functions. To add or edit scan profiles, select the Add/Edit Scan Profile link from the Primary Server tab of the Nessus Audit Server configuration. The Nessus Scan Profile Configuration page displays.


Figure 259: Nessus Scan Profile Configuration Page

You can refresh the plugins list (after uploading plugins into Policy Manager, or after refreshing the plugins on your external Nessus server) by clicking Refresh Plugins List. The Nessus Scan Profile Configuration page provides three views for scan profile configuration:

- The Profile tab identifies the profile and provides a mechanism for selecting plugins:
  - From the Filter plugins by family drop-down list, select a family to display all available member plugins in the list below. You may also enter the name of a plugin in the Filter plugins by ID or name text box.
  - Select one or more plugins by enabling their corresponding check boxes (at left). Policy Manager remembers your selections as you move between plugin families.
  - When finished, click the Selected Plugins tab.

Figure 260: Nessus Scan Profile Configuration - Profile Tab

- The Selected Plugins tab displays all selected plugins, plus any dependencies. To display a synopsis of any listed plugin, click on its row.

Figure 261: Nessus Scan Profile Configuration Profile Tab - Plugin Synopsis

  Of special interest is the section of the synopsis entitled Risks. To delete any listed plugin, click its trashcan icon. To change the vulnerability level of any listed plugin, click the link and set the level to one of HOLE, WARN, or INFO. This setting tells Policy Manager which vulnerability level reported by that plugin is treated as grounds for a QUARANTINE posture status.

Figure 262: Nessus Scan Profile Configuration - Selected Plugins Tab

Figure 263: Nessus Scan Profile Configuration Selected Plugins Tab - Vulnerability Level

- For each selected plugin, the Preferences tab contains a list of fields that require entries. In many cases, these fields are pre-populated; in other cases, you must provide information required for the operation of the plugin. As an example of how plugins use this information, consider a plugin that must log in to a particular service in order to determine some aspect of the client's status; in such cases, login credentials are among the preference fields. Note that credentials entered here are presented by the Nessus server to every audited host that exposes that service, unknown hosts included, so use a dedicated low-privilege scanning account rather than an administrative one.

Figure 264: Nessus Scan Profile Configuration - Preferences Tab

After saving the profile, plugin, and preference information for your new (or modified) scan profile, you can go to the Primary/Backup Servers tabs and select it from the Scan Profile drop-down list.
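To make the Selected Plugins setting concrete: the level chosen per plugin acts as the bar at which that plugin's findings quarantine the host, while the In-Progress and Default Posture Status fields of the Audit tab cover the scan-still-running and nothing-matched cases. The following Python is an added example, not ClearPass code and not from this guide. It assumes that a finding at the configured level or a more severe one (HOLE above WARN above INFO) triggers QUARANTINE, that findings from plugins outside the profile or below their configured level are ignored, and that the plugin IDs, messages and posture status names in the sample data are constructed.

```python
"""Health decision for a Nessus audit (added example, not ClearPass code).
Models the per-plugin level from the Selected Plugins tab together with the
In-Progress and Default Posture Status fields. Assumption: a finding at the
configured level or any more severe level quarantines the host."""
from typing import Dict, List, Tuple

# Classic Nessus report levels, ranked by severity (higher is worse).
LEVEL_RANK: Dict[str, int] = {"INFO": 1, "WARN": 2, "HOLE": 3}
QUARANTINE = "QUARANTINE"

Finding = Tuple[int, str, str]  # (plugin id, reported level, message) from the scanner


def evaluate_health(profile: Dict[int, str], findings: List[Finding],
                    default_status: str) -> Tuple[str, List[str]]:
    """Return (posture status, reasons) once a scan has completed.

    profile maps each selected plugin ID to its configured quarantine level.
    Findings from plugins not in the profile are ignored (they were not part
    of this scan profile), as are findings below their plugin's level. If no
    finding qualifies, the Default Posture Status from the Audit tab applies.
    """
    reasons: List[str] = []
    for plugin_id, level, message in findings:
        threshold = profile.get(plugin_id)
        if threshold is None:
            continue
        if level not in LEVEL_RANK:
            raise ValueError(f"unknown Nessus level {level!r} from plugin {plugin_id}")
        if LEVEL_RANK[level] >= LEVEL_RANK[threshold]:
            reasons.append(f"plugin {plugin_id}: {level} >= {threshold}: {message}")
    return (QUARANTINE, reasons) if reasons else (default_status, [])


def audit_posture(scan_complete: bool, profile: Dict[int, str], findings: List[Finding],
                  in_progress_status: str, default_status: str) -> str:
    """Posture status to report right now: the audit is asynchronous, so while
    the scan is still running the In-Progress Posture Status is returned."""
    if not scan_complete:
        return in_progress_status
    return evaluate_health(profile, findings, default_status)[0]


# Constructed scan profile: fictitious plugin IDs with their configured levels.
SAMPLE_PROFILE: Dict[int, str] = {10001: "HOLE", 10002: "WARN", 10003: "INFO"}

# Constructed findings from one scan of one host.
SAMPLE_FINDINGS: List[Finding] = [
    (10001, "WARN", "service banner disclosed"),        # below its HOLE level: ignored
    (10002, "WARN", "weak cipher suites accepted"),     # meets its WARN level: quarantine
    (99999, "HOLE", "plugin not in this profile"),      # not selected: ignored
]
```

Run against SAMPLE_FINDINGS, only plugin 10002 qualifies, so the result is QUARANTINE with one reason; with that finding removed the Default Posture Status is returned. The ordering assumption is the thing to check against your own profile: setting a plugin to INFO means every finding it produces quarantines the host, which is rarely what you want for informational plugins.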

NMAP Audit Server

To create an NMAP audit server, navigate to the Configuration > Posture > Audit Servers page and click Add Audit Server. From the Audit tab, select the NMAP radio button in the Type field. Policy Manager uses the NMAP audit server interface exclusively for network port scans. The health evaluation always returns the Healthy status; the port scan gathers attributes that allow role(s) to be determined through post-audit rules. The NMAP audit server has the following tabs:

- Audit
- NMAP Options
- Rules
- Summary

Audit Tab

You can use the Audit tab to identify the server and define configuration details. Figure 265 shows an example of the Audit tab:


Figure 265: Audit Tab - NMAP Audit Server

The following table describes the parameters configured in the Audit tab:

Table 156: Audit Tab Parameters

Name: Enter the name of the NMAP audit server.
Description: Enter a description of the NMAP audit server that provides some additional information.
Type: Specify the type of audit server. In this context, select NMAP.
In Progress Posture Status: The posture status reported while the audit is still running. Select a status from the drop-down list.
Default Posture Status: The posture status applied if evaluation does not return a condition/action match. Select a status from the drop-down list.

NMAP Options Tab

You can use the NMAP Options tab to specify scan configuration.


Figure 266: NMAP Options Tab

Table 157: NMAP Options Tab

TCP Scan: Select a TCP scan type from the TCP Scan drop-down list. Refer to the NMAP documentation for more information on these options (NMAP option --scanflags).
UDP Scan: To enable, check the UDP Scan check box. NMAP option -sU. UDP scans are slow against hosts that rate-limit ICMP port-unreachable replies, so pair this option with a Host Timeout.
Service Scan: To enable, check the Service Scan check box. NMAP option -sV. Version detection probes each open port to identify the service running on it.
Detect Host Operating System: To enable, check the Detect Host Operating System check box. NMAP option -A. Note that -A is NMAP's aggressive scan option: in addition to OS detection it turns on version detection, default script scanning and traceroute, so it is slower and noisier on the wire than OS detection alone.
Port Range / Host Timeout / In Progress Timeout:
- Port Range: Range of ports to scan. NMAP option -p.
- Host Timeout: Give up on a target host after this long. NMAP option --host-timeout.
- In Progress Timeout: How long Policy Manager waits before polling for NMAP results.

The Rules tab specifies rules for post-audit evaluation of the request to assign a role. Refer to Post-Audit Rules on page 293.

Post-Audit Rules

The Rules tab specifies rules for post-audit evaluation of the request to assign a role.


Figure 267: All Audit Server Configurations - Rules Tab

Table 158: All Audit Server Configurations - Rules Tab

Rules Evaluation Algorithm: Select first matched rule and return the role, or Select all matched rules and return a set of roles.
Add Rule: Adds a rule. Brings up the rules editor (see Table 159).
Move Up/Down: Reorders the rules. Order decides the outcome when the first-matched algorithm is selected.
Edit Rule: Brings up the selected rule in edit mode.
Remove Rule: Removes the selected rule.

Figure 268: All Audit Server Configurations - Rules Editor


Table 159: All Audit Server Configurations - Rules Editor

Conditions: The Conditions list includes the following dictionaries: Audit-Status, Device-Type, Output-Msgs, Mac-Vendor, Network-Apps, Open-Ports, and OS-Info. Refer to Namespaces on page 613.
Actions: The Actions list includes the names of the roles configured in Policy Manager.
Save: To commit a Condition/Action pairing, click Save.
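The two halves of the NMAP audit path, the options of Table 157 producing scan output and the Rules tab turning that output into roles, are easiest to follow in code. The following Python is an added example, not ClearPass code and not from this guide: it reads a report in Nmap's XML output format (-oX), builds the Open-Ports, Network-Apps, OS-Info, Device-Type, Mac-Vendor and Audit-Status dictionaries from it, and evaluates rules under both evaluation algorithms from Table 158. The condition operator names, the role names, the Audit-Status values and the sample report are constructed for the example; the Output-Msgs dictionary is not modelled.

```python
"""Post-audit role mapping over NMAP results (added example, not ClearPass code).
Parses Nmap's -oX report into the post-audit dictionaries and evaluates Rules-tab
style rules with either evaluation algorithm. Operators and sample are constructed."""
import re
import xml.etree.ElementTree as ET
from typing import Any, Callable, Dict, List, Tuple

# Constructed report in Nmap's XML layout; the host, MAC and vendor are fictitious.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -A -p 1-1024 -oX - 10.1.1.77" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.1.1.77" addrtype="ipv4"/>
<address addr="00:11:22:AA:BB:CC" addrtype="mac" vendor="Example Printer Co"/>
<ports>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Embedded HTTP server" method="probed" conf="10"/></port>
<port protocol="tcp" portid="9100"><state state="open" reason="syn-ack"/>
<service name="jetdirect" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Generic laser printer" accuracy="94" line="1">
<osclass type="printer" vendor="Example" osfamily="embedded" accuracy="94"/>
</osmatch></os>
</host></nmaprun>"""


def nmap_to_attributes(xml_text: str) -> Dict[str, Any]:
    """Flatten the first <host> of an Nmap XML report into audit dictionaries."""
    host = ET.fromstring(xml_text).find("host")
    # Audit-Status values are constructed for this example.
    attrs: Dict[str, Any] = {"Audit-Status": "NO_HOST", "Open-Ports": [], "Network-Apps": [],
                             "OS-Info": "", "Device-Type": "", "Mac-Vendor": ""}
    if host is None:
        return attrs
    status = host.find("status")
    attrs["Audit-Status"] = (status.get("state", "unknown") if status is not None else "unknown").upper()
    for addr in host.findall("address"):
        if addr.get("addrtype") == "mac":
            attrs["Mac-Vendor"] = addr.get("vendor", "")
    for port in host.findall("ports/port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue                         # closed/filtered ports carry no role signal
        attrs["Open-Ports"].append(int(port.get("portid")))
        service = port.find("service")
        if service is not None and service.get("name"):
            attrs["Network-Apps"].append(service.get("name"))
    match = host.find("os/osmatch")          # Nmap lists the best match first
    if match is not None:
        attrs["OS-Info"] = match.get("name", "")
        osclass = match.find("osclass")
        attrs["Device-Type"] = osclass.get("type", "") if osclass is not None else ""
    return attrs


# A rule is (dictionary, operator, value, role). Operator names are assumed, not ClearPass's.
Rule = Tuple[str, str, Any, str]
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "EQUALS": lambda have, want: have == want,
    "CONTAINS": lambda have, want: want in have,
    "MATCHES_REGEX": lambda have, want: re.search(want, str(have)) is not None,
}


def evaluate_rules(attrs: Dict[str, Any], rules: List[Rule], algorithm: str) -> List[str]:
    """Apply post-audit rules in order.

    algorithm "first": select first matched rule and return its role.
    algorithm "all":   select all matched rules and return the set of roles
                       (rule order preserved, duplicates removed).
    """
    roles: List[str] = []
    for dictionary, operator, value, role in rules:
        have = attrs.get(dictionary)
        if have is None or not OPERATORS[operator](have, value):
            continue
        if algorithm == "first":
            return [role]
        if role not in roles:
            roles.append(role)
    return roles


SAMPLE_RULES: List[Rule] = [                    # constructed; role names are examples
    ("Open-Ports", "CONTAINS", 9100, "Printer"),
    ("OS-Info", "MATCHES_REGEX", r"(?i)printer|jetdirect", "Printer"),
    ("Network-Apps", "CONTAINS", "http", "Web-Managed-Device"),
    ("Network-Apps", "CONTAINS", "ssh", "Managed-Host"),
]
```

Rule order shows up directly in the result: against the sample host the first-matched algorithm returns only Printer, while the all-matched algorithm returns Printer and Web-Managed-Device, so a service that needs to combine roles from several rules has to use the second one. Because the report comes from a scanner you operate, the standard library XML parser is adequate here; reports from any other source should be parsed with defusedxml.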
