insightscentos6.0
centos6.0 时间:2021-03-27 阅读:(
)
ClearPassIntegrationGuideClarotyClearPassandClaroty–IntegrationGuide2ChangeLogVersionDateModifiedByComments1.
0May2019ArpitBhattFirstPublishedVersion–Phase1CopyrightCopyright2019HewlettPackardEnterpriseDevelopmentLP.
OpenSourceCodeThisproductincludescodelicensedundertheGNUGeneralPublicLicense,theGNULesserGeneralPublicLicense,and/orcertainotheropensourcelicenses.
Acompletemachine-readablecopyofthesourcecodecorrespondingtosuchcodeisavailableuponrequest.
ThisofferisvalidtoanyoneinreceiptofthisinformationandshallexpirethreeyearsfollowingthedateofthefinaldistributionofthisproductversionbyHewlett-PackardCompany.
Toobtainsuchsourcecode,sendacheckormoneyorderintheamountofUS$10.
00to:Hewlett-PackardCompanyAttn:GeneralCounsel3000HanoverStreetPaloAlto,CA94304USAPleasespecifytheproductandversionforwhichyouarerequestingsourcecode.
YoumayalsorequestacopyofthissourcecodefreeofchargeatHPE-Aruba-gplquery@hpe.
com.
www.
arubanetworks.
com3333ScottBlvdSantaClara,CA95054Phone:1-800-WIFI-LAN(+800-943-4526)2019HewlettPackardEnterpriseDevelopmentLP.
AllRightsReserved.
Fax408.
227.
4550ClearPassandClaroty3ContentsIntroduction.
5SoftwareRequirements.
5InstallationandDeploymentGuide5PictorialviewoftheIntegration6Configuration.
7ClearPassConfiguration.
7CreateaClearPassUser.
7CreateanOperatorProfile.
7CreateanAPIClient.
9ClarotyConfiguration10IntegrationResults.
12Monitoring/ReviewingClearPassandClarotycommunications14ClearPassandClaroty–IntegrationGuide4FiguresFigure1:PictorialviewofClearPassPolicyManagerintegrationwithClaroty.
6Figure2:CreateanAPIlevelaccountinClearPass.
7Figure3:OperatorProfile-Accessrestrictions1.
8Figure4:OperatorProfile-Accessrestrictions2.
8Figure5:OperatorProfile-Accessrestrictions3.
9Figure6:CreateanAPIClient9Figure7:ClarotyConfigurationConsole.
10Figure8:EndpointDictionaryAttributescreatedbyClaroty.
12Figure9:ExampleofEndpointscreatedbyClaroty12Figure10:NormalizedEndpointdatacreatedbyClaroty.
13Figure11:CustomEndpointdatacreatedbyClaroty.
13Figure12:Reviewing'LastSync'timetoClearPass.
14Figure13:ExampleofAPIlogsbetweenClarotyandClearPass14ClearPassandClaroty–IntegrationGuide5IntroductionThisIntegrationGuidecoverstheconfigurationanduseoftheintegrationbetweenClarotyandClearPassPolicyManager(CPPM).
Claroty'sContinuousThreatDetectionproductprovidesextremevisibility,continuousthreatandvulnerabilitymonitoringanddeepinsightsintoIndustrialControlSystems(ICS)networks.
ThisinitialintegrationbetweenClarotyandClearPassPolicyManagerfocusesontheabilityofClarotytodetect,discoverandclassifyOT/ICSendpointsandsharethisclassificationdirectlywithClearPassviatheClearPassSecurityExchangeframeworkandtheopenAPIsweexpose.
ClarotywillautomaticallyupdatetheClearPassPolicyManagerendpointdatabasewithendpointclassificationdataandavarietyofcustomsecurityattributes.
ThisguideiswrittenbasedonPhase1ofourplannedintegrationwithClaroty,whichprovidescentralizedvisibilityofnetworkassetsandendpointsacrossITandOTinfrastructure.
Fromhereacentralizedendpointandedgesecuritypolicycanbedefinedandadministered.
Checkbackforupdatestothisintegrationframework.
SoftwareRequirementsAtthetimeofwriting,ClearPassPolicyManagerversion6.
8.
0isavailableandtherecommendedrelease.
CPPMrunsonhardwareapplianceswithpre-installedsoftwareorasaVirtualMachineunderthefollowinghypervisors.
HypervisorsthatrunonaclientcomputersuchasVMwarePlayerarenotsupported.
VMwareESXi6.
0,6.
5,6.
6orhigherMicrosoftHyper-VServer2012R2or2016R2Hyper-VonMicrosoftWindowsServer2012R2or2016R2KVMonCentOS7.
5orlater.
TheversionofClarotythatwasusedforwritingthisintegrationguideis3.
2.
2.
9734.
InstallationandDeploymentGuideThegenericClearPassinstallationanddeploymentguideislocatedhere:https://www.
arubanetworks.
com/techdocs/ClearPass/6.
7/Aruba_DeployGd_HTML/Default.
htm#About%20ClearPass/Intro_ClearPass.
htmClearPassandClaroty–IntegrationGuide6PictorialviewoftheIntegrationThediagrambelowshowsapictorialoverviewofthecomponentsandhowtheyinteractwitheachother.
Figure1:PictorialviewofClearPassPolicyManagerintegrationwithClarotyClearPassandClaroty–IntegrationGuide7ConfigurationClearPassConfigurationPriortocreatingandenablingtheintegrationinClarotyanumberofconfigurationelementsneedtobepre-createdinClearPassPolicyManager.
Followthebelowconfigurationstepscarefully,collectingdataashighlightedwhichwillbeneededinthefollowingsectionwhenconfiguringClarotytoestablishanintegrationwithCPPM.
CreateaClearPassUserAspartofthecommunicationschannelbetweenthetwoproducts,ClarotywilluseanumberofAPIs.
AccesstotheTIPSAPIisvalidatedviaUsername/Passwordcombinationcredentials.
Thisuserneedstohaveminimumlevelsofaccess,donotuseaSuperAdministratorprofile.
CreateauserfromAdministration->UsersandPrivileges->+ADD->{Createauser,ensurethatyouuseaprivilegelevelofAPIAdministrator}MakeanoteoftheUserIDandPasswordthatwasconfigured,ensurePrivilegelevelisAPIAdministratorFigure2:CreateanAPIlevelaccountinClearPassCreateanOperatorProfileTosecurelyaccesstheRESTAPIsfortheAPIClient,createarestrictedaccessOperatorProfile.
NavigatetoClearPassGuest>Administration>OperatorLogins>Profiles.
Clickon"Createanewoperatorprofile"onthetoprightcornerofthepageanddefineanoperatorprofileasshownbelow.
PickandchoosethenecessaryaccessforClarotytoupdateCPPMendpointdatabasewiththedevicecontext.
Insummaryalloptionsaresetas'NoAccess'exceptforthefollowing.
ForAPIServices,selectcustomandthengrantthefollowingaccessAllowAPIAccess=AllowAccessClearPassandClaroty–IntegrationGuide8ForPolicyManager,selectcustomandthengrantthefollowingaccessDictionary–Attributes=Read,Write,DeleteDictionary–Fingerprints=Read,Write,DeleteIdentity–Endpoints=Read,Write,DeleteFigure3:OperatorProfile-Accessrestrictions1Figure4:OperatorProfile-Accessrestrictions2ClearPassandClaroty–IntegrationGuide9Figure5:OperatorProfile-Accessrestrictions3CreateanAPIClientClarotyusestheRESTAPIsforthisintegration,RESTAPIsareauthenticatedunderanOAuth2framework.
CreateanAPIClientunderGuest>Administration>APIServices>APIClients>{CreateAPIClient}EnsuretheOperatorProfilepreviouslycreatedisusedheretorestrictthecapabilitiesoftheAPIClient.
Noticethehighlightedconfigurationoptionsneeded,andsetasappropriateOperatingMode=ClearPassRESTAPI–ClientwillbeusedforAPIcallstoClearPassOperatorProfile=UsetheOperatorProfilecreatedpreviouslyGrantType=Clientcredentials(grant_type=client_credentails)RecordtheClientSecretandtheACTUALAPIClientIDi.
e.
ClarOTyasbelowFigure6:CreateanAPIClientClearPassandClaroty–IntegrationGuide10AtthistimeallofthenecessaryconfighasbeencreatedinPolicyManager,ensureyouhavethebelowlistofinformationcollectedbeforeproceedingtothenextsection.
CPPMAPIAdministratorUserIDCPPMAPIAdministratorUserPasswordCPPMOAuth2APIClientNAMECPPMOAuth2APIClientSecretClarotyConfigurationForthisinitialintegrationbetweenthetwoproducts,thereislimitedconfigurationnecessaryonClaroty.
AftertheconfigurationiscompletetheClarotyplatformwillcontinuetoupdatetheClearPassPolicyManagerendpointdatabaseasitdiscoversnewendpointsataperiodicschedule.
Followthestepsbelowtoconfigureandenablethisintegration.
LoginasanadministratorintoCalrotyusingport5000(https://:5000).
FromtheClarotymainconsole,navigatetoConfiguration>Integrations>ArubaClearPass.
Afterclickingon'ArubaClearPass'thefollowingscreenisshown,allfieldsarerequiredfortheconfiguration.
UsethevaluescollectedduringClearPassPolicyManagerconfiguration.
Onceconfigured,clickonConnect.
Amessageisdisplayedatthebottomofthescreeninagreenboxsaying"AddedIntegrationConfiguration".
Thisiseasytomiss.
ThebuttonforConnectchangestoUpdatewhichindicatestheconfigurationissaved.
Figure7:ClarotyConfigurationConsoleClearPassandClaroty–IntegrationGuide11Belowtableexplainsthefieldsusedforconfigurationindetail.
FieldNameValue/NotesServerAddressThisshouldbetheClearPassPublisher'sIPaddressPortThisshouldbe443ClientIDOAuth2clientIDcreatedintheprevioussectionAPIAdminUsernameAPIAdministratorUserIDcreatedintheprevioussectionAPIAdminPasswordAPIAdministratorPasswordcreatedintheprevioussectionClientSecretOAuth2ClientSecretcopiedintheprevioussectionClearPassandClaroty–IntegrationGuide12IntegrationResultsAspartofenablingtheaboveintegration,ClarotywillcreateanumberofcustomEndpointDictionaryattributesusingtheClearPassRESTAPIs.
ThisisarecordoftheDictionaryAttributescreatedbyClaroty.
CheckunderAdministration>Dictionaries>DictionaryAttributes.
Figure8:EndpointDictionaryAttributescreatedbyClarotyTheEndpointdataissentbyClaroty,itcreatestheEndpoints,setstheendpointclassificationandalsoconfiguressomecustomendpointattributes.
Anexampleoftheendpointscreatedareshownbelow.
Figure9:ExampleofEndpointscreatedbyClarotyClearPassandClaroty–IntegrationGuide13Lookingcloserattheendpointdatawecanseeseveralimportantthings,themac-address,mac-vendor,andsomedeviceclassificationasdeterminedbyClaroty,othervaluabledatasuchasthedatetheendpointwasaddedandprofiled,saidanotherwaythetimeClarotyupdatedClearPasswiththedevicesdata.
Figure10:NormalizedEndpointdatacreatedbyClarotyInadditiontothestandarddata,Clarotyalsosuppliesothercustomattributes.
ClickontheAttributestabtoseethem.
AnyoftheseattributescouldbeusedinaPolicy.
Figure11:CustomEndpointdatacreatedbyClarotyClaroty_Criticality,Claroty_Firmware,Claroty_Risk_Level,Claroty_CVE_Scorearesomeoftheveryusefulattributesthatcanbeusedwithintheenforcementpolicy.
Forexample,aknownvulnerableFirmwareforadevicecategorycanbeblocked.
IftheCriticalityisHigh,anendpointcanbequarantined.
ClearPassandClaroty–IntegrationGuide14Monitoring/ReviewingClearPassandClarotycommunicationsOncethesynchasstartedendpointdatawillbepopulateddirectedlyintothePolicyManagerendpointdatabase,viewthelastupdatetimefromtheintegrationconfigurationscreen,seebelowforanexample.
Figure12:Reviewing'LastUpdate'timetoClearPassIfthesyncisnotworkingorshowsanerrorthenit'slikelyyou'vemissedcapturingtheinformationcorrectly,recheckthedatarecorded,additionallyyoucanviewtheAPIcallsbetweenClarotyandClearPassfromClearPassGuest>Administration>Support>ApplicationLog.
BelowisanexampleoflogsfromClarotytoClearPass.
FilterusingtheIPaddressofClaroty.
Figure13:ExampleofAPIlogsbetweenClarotyandClearPassNoticethereareafewerrorlogs.
TheseerrorsindicatethatthemacaddressdidnotexisthenceanewonewascreatedbyClaroty.
Ifitexists,itwillbeupdatedifnecessaryandtheerrorswillnotbeseen.
819云互联是海外领先的互联网业务平台服务提供商。专注为用户提供低价高性能云计算产品,致力于云计算应用的易用性开发,并引导云计算在国内普及。目前平台研发以及运营云服务基础设施服务平台(IaaS),面向全球客户提供基于云计算的IT解决方案与客户服务,拥有丰富的海外资源、香港,日本,美国等各国优质的IDC资源。官方网站:https://www.819yun.com香港特价物理服务器:地区CPU内存带宽...
妮妮云的来历妮妮云是 789 陈总 张总 三方共同投资建立的网站 本着“良心 便宜 稳定”的初衷 为小白用户避免被坑妮妮云的市场定位妮妮云主要代理市场稳定速度的云服务器产品,避免新手购买云服务器的时候众多商家不知道如何选择,妮妮云就帮你选择好了产品,无需承担购买风险,不用担心出现被跑路 被诈骗的情况。妮妮云的售后保证妮妮云退款 通过于合作商的友好协商,云服务器提供2天内全额退款,超过2天不退款 物...
我们一般的站长或者企业服务器配置WEB环境会用到免费版本的宝塔面板。但是如果我们需要较多的付费插件扩展,或者是有需要企业功能应用的,短期来说我们可能选择按件按月付费的比较好,但是如果我们长期使用的话,有些网友认为选择宝塔面板企业版或者专业版是比较划算的。这样在年中大促618的时候,我们也可以看到宝塔面板也有发布促销活动。企业版年付899元,专业版永久授权1888元起步。对于有需要的网友来说,还是值...
centos6.0为你推荐
云爆发养兵千日用兵千日这个说法对不对12306崩溃12306是不是瘫痪了?硬盘工作原理硬盘的工作原理是什么?mathplayer比较word,TeX,MathML中的数学公式处理方式的异同点,尽量详细哦,分数不是问题,谢谢哈,会加分的。关键字关键字和一般标识符的区别月神谭求几个个性网名:seo优化工具SEO优化神器有什么比较好的?同一服务器网站同一服务器上的域名/网址无法访问郭泊雄郭佰雄最后一次出现是什么时候?www.gegeshe.comSHE个人资料
深圳域名注册 日本私人vps 域名备案收费吗 如何查询域名备案号 美国主机推荐 美国仿牌空间 英语简历模板word dux 稳定免费空间 福建铁通 789 监控服务器 qq金券 netvigator 重庆联通服务器托管 免 服务器是什么 低价 西安电信测速网 冰盾ddos防火墙 更多