insightscentos6.0
centos6.0 时间:2021-03-27 阅读:(
)
ClearPassIntegrationGuideClarotyClearPassandClaroty–IntegrationGuide2ChangeLogVersionDateModifiedByComments1.
0May2019ArpitBhattFirstPublishedVersion–Phase1CopyrightCopyright2019HewlettPackardEnterpriseDevelopmentLP.
OpenSourceCodeThisproductincludescodelicensedundertheGNUGeneralPublicLicense,theGNULesserGeneralPublicLicense,and/orcertainotheropensourcelicenses.
Acompletemachine-readablecopyofthesourcecodecorrespondingtosuchcodeisavailableuponrequest.
ThisofferisvalidtoanyoneinreceiptofthisinformationandshallexpirethreeyearsfollowingthedateofthefinaldistributionofthisproductversionbyHewlett-PackardCompany.
Toobtainsuchsourcecode,sendacheckormoneyorderintheamountofUS$10.
00to:Hewlett-PackardCompanyAttn:GeneralCounsel3000HanoverStreetPaloAlto,CA94304USAPleasespecifytheproductandversionforwhichyouarerequestingsourcecode.
YoumayalsorequestacopyofthissourcecodefreeofchargeatHPE-Aruba-gplquery@hpe.
com.
www.
arubanetworks.
com3333ScottBlvdSantaClara,CA95054Phone:1-800-WIFI-LAN(+800-943-4526)2019HewlettPackardEnterpriseDevelopmentLP.
AllRightsReserved.
Fax408.
227.
4550ClearPassandClaroty3ContentsIntroduction.
5SoftwareRequirements.
5InstallationandDeploymentGuide5PictorialviewoftheIntegration6Configuration.
7ClearPassConfiguration.
7CreateaClearPassUser.
7CreateanOperatorProfile.
7CreateanAPIClient.
9ClarotyConfiguration10IntegrationResults.
12Monitoring/ReviewingClearPassandClarotycommunications14ClearPassandClaroty–IntegrationGuide4FiguresFigure1:PictorialviewofClearPassPolicyManagerintegrationwithClaroty.
6Figure2:CreateanAPIlevelaccountinClearPass.
7Figure3:OperatorProfile-Accessrestrictions1.
8Figure4:OperatorProfile-Accessrestrictions2.
8Figure5:OperatorProfile-Accessrestrictions3.
9Figure6:CreateanAPIClient9Figure7:ClarotyConfigurationConsole.
10Figure8:EndpointDictionaryAttributescreatedbyClaroty.
12Figure9:ExampleofEndpointscreatedbyClaroty12Figure10:NormalizedEndpointdatacreatedbyClaroty.
13Figure11:CustomEndpointdatacreatedbyClaroty.
13Figure12:Reviewing'LastSync'timetoClearPass.
14Figure13:ExampleofAPIlogsbetweenClarotyandClearPass14ClearPassandClaroty–IntegrationGuide5IntroductionThisIntegrationGuidecoverstheconfigurationanduseoftheintegrationbetweenClarotyandClearPassPolicyManager(CPPM).
Claroty'sContinuousThreatDetectionproductprovidesextremevisibility,continuousthreatandvulnerabilitymonitoringanddeepinsightsintoIndustrialControlSystems(ICS)networks.
ThisinitialintegrationbetweenClarotyandClearPassPolicyManagerfocusesontheabilityofClarotytodetect,discoverandclassifyOT/ICSendpointsandsharethisclassificationdirectlywithClearPassviatheClearPassSecurityExchangeframeworkandtheopenAPIsweexpose.
ClarotywillautomaticallyupdatetheClearPassPolicyManagerendpointdatabasewithendpointclassificationdataandavarietyofcustomsecurityattributes.
ThisguideiswrittenbasedonPhase1ofourplannedintegrationwithClaroty,whichprovidescentralizedvisibilityofnetworkassetsandendpointsacrossITandOTinfrastructure.
Fromhereacentralizedendpointandedgesecuritypolicycanbedefinedandadministered.
Checkbackforupdatestothisintegrationframework.
SoftwareRequirementsAtthetimeofwriting,ClearPassPolicyManagerversion6.
8.
0isavailableandtherecommendedrelease.
CPPMrunsonhardwareapplianceswithpre-installedsoftwareorasaVirtualMachineunderthefollowinghypervisors.
HypervisorsthatrunonaclientcomputersuchasVMwarePlayerarenotsupported.
VMwareESXi6.
0,6.
5,6.
6orhigherMicrosoftHyper-VServer2012R2or2016R2Hyper-VonMicrosoftWindowsServer2012R2or2016R2KVMonCentOS7.
5orlater.
TheversionofClarotythatwasusedforwritingthisintegrationguideis3.
2.
2.
9734.
InstallationandDeploymentGuideThegenericClearPassinstallationanddeploymentguideislocatedhere:https://www.
arubanetworks.
com/techdocs/ClearPass/6.
7/Aruba_DeployGd_HTML/Default.
htm#About%20ClearPass/Intro_ClearPass.
htmClearPassandClaroty–IntegrationGuide6PictorialviewoftheIntegrationThediagrambelowshowsapictorialoverviewofthecomponentsandhowtheyinteractwitheachother.
Figure1:PictorialviewofClearPassPolicyManagerintegrationwithClarotyClearPassandClaroty–IntegrationGuide7ConfigurationClearPassConfigurationPriortocreatingandenablingtheintegrationinClarotyanumberofconfigurationelementsneedtobepre-createdinClearPassPolicyManager.
Followthebelowconfigurationstepscarefully,collectingdataashighlightedwhichwillbeneededinthefollowingsectionwhenconfiguringClarotytoestablishanintegrationwithCPPM.
CreateaClearPassUserAspartofthecommunicationschannelbetweenthetwoproducts,ClarotywilluseanumberofAPIs.
AccesstotheTIPSAPIisvalidatedviaUsername/Passwordcombinationcredentials.
Thisuserneedstohaveminimumlevelsofaccess,donotuseaSuperAdministratorprofile.
CreateauserfromAdministration->UsersandPrivileges->+ADD->{Createauser,ensurethatyouuseaprivilegelevelofAPIAdministrator}MakeanoteoftheUserIDandPasswordthatwasconfigured,ensurePrivilegelevelisAPIAdministratorFigure2:CreateanAPIlevelaccountinClearPassCreateanOperatorProfileTosecurelyaccesstheRESTAPIsfortheAPIClient,createarestrictedaccessOperatorProfile.
NavigatetoClearPassGuest>Administration>OperatorLogins>Profiles.
Clickon"Createanewoperatorprofile"onthetoprightcornerofthepageanddefineanoperatorprofileasshownbelow.
PickandchoosethenecessaryaccessforClarotytoupdateCPPMendpointdatabasewiththedevicecontext.
Insummaryalloptionsaresetas'NoAccess'exceptforthefollowing.
ForAPIServices,selectcustomandthengrantthefollowingaccessAllowAPIAccess=AllowAccessClearPassandClaroty–IntegrationGuide8ForPolicyManager,selectcustomandthengrantthefollowingaccessDictionary–Attributes=Read,Write,DeleteDictionary–Fingerprints=Read,Write,DeleteIdentity–Endpoints=Read,Write,DeleteFigure3:OperatorProfile-Accessrestrictions1Figure4:OperatorProfile-Accessrestrictions2ClearPassandClaroty–IntegrationGuide9Figure5:OperatorProfile-Accessrestrictions3CreateanAPIClientClarotyusestheRESTAPIsforthisintegration,RESTAPIsareauthenticatedunderanOAuth2framework.
CreateanAPIClientunderGuest>Administration>APIServices>APIClients>{CreateAPIClient}EnsuretheOperatorProfilepreviouslycreatedisusedheretorestrictthecapabilitiesoftheAPIClient.
Noticethehighlightedconfigurationoptionsneeded,andsetasappropriateOperatingMode=ClearPassRESTAPI–ClientwillbeusedforAPIcallstoClearPassOperatorProfile=UsetheOperatorProfilecreatedpreviouslyGrantType=Clientcredentials(grant_type=client_credentails)RecordtheClientSecretandtheACTUALAPIClientIDi.
e.
ClarOTyasbelowFigure6:CreateanAPIClientClearPassandClaroty–IntegrationGuide10AtthistimeallofthenecessaryconfighasbeencreatedinPolicyManager,ensureyouhavethebelowlistofinformationcollectedbeforeproceedingtothenextsection.
CPPMAPIAdministratorUserIDCPPMAPIAdministratorUserPasswordCPPMOAuth2APIClientNAMECPPMOAuth2APIClientSecretClarotyConfigurationForthisinitialintegrationbetweenthetwoproducts,thereislimitedconfigurationnecessaryonClaroty.
AftertheconfigurationiscompletetheClarotyplatformwillcontinuetoupdatetheClearPassPolicyManagerendpointdatabaseasitdiscoversnewendpointsataperiodicschedule.
Followthestepsbelowtoconfigureandenablethisintegration.
LoginasanadministratorintoCalrotyusingport5000(https://:5000).
FromtheClarotymainconsole,navigatetoConfiguration>Integrations>ArubaClearPass.
Afterclickingon'ArubaClearPass'thefollowingscreenisshown,allfieldsarerequiredfortheconfiguration.
UsethevaluescollectedduringClearPassPolicyManagerconfiguration.
Onceconfigured,clickonConnect.
Amessageisdisplayedatthebottomofthescreeninagreenboxsaying"AddedIntegrationConfiguration".
Thisiseasytomiss.
ThebuttonforConnectchangestoUpdatewhichindicatestheconfigurationissaved.
Figure7:ClarotyConfigurationConsoleClearPassandClaroty–IntegrationGuide11Belowtableexplainsthefieldsusedforconfigurationindetail.
FieldNameValue/NotesServerAddressThisshouldbetheClearPassPublisher'sIPaddressPortThisshouldbe443ClientIDOAuth2clientIDcreatedintheprevioussectionAPIAdminUsernameAPIAdministratorUserIDcreatedintheprevioussectionAPIAdminPasswordAPIAdministratorPasswordcreatedintheprevioussectionClientSecretOAuth2ClientSecretcopiedintheprevioussectionClearPassandClaroty–IntegrationGuide12IntegrationResultsAspartofenablingtheaboveintegration,ClarotywillcreateanumberofcustomEndpointDictionaryattributesusingtheClearPassRESTAPIs.
ThisisarecordoftheDictionaryAttributescreatedbyClaroty.
CheckunderAdministration>Dictionaries>DictionaryAttributes.
Figure8:EndpointDictionaryAttributescreatedbyClarotyTheEndpointdataissentbyClaroty,itcreatestheEndpoints,setstheendpointclassificationandalsoconfiguressomecustomendpointattributes.
Anexampleoftheendpointscreatedareshownbelow.
Figure9:ExampleofEndpointscreatedbyClarotyClearPassandClaroty–IntegrationGuide13Lookingcloserattheendpointdatawecanseeseveralimportantthings,themac-address,mac-vendor,andsomedeviceclassificationasdeterminedbyClaroty,othervaluabledatasuchasthedatetheendpointwasaddedandprofiled,saidanotherwaythetimeClarotyupdatedClearPasswiththedevicesdata.
Figure10:NormalizedEndpointdatacreatedbyClarotyInadditiontothestandarddata,Clarotyalsosuppliesothercustomattributes.
ClickontheAttributestabtoseethem.
AnyoftheseattributescouldbeusedinaPolicy.
Figure11:CustomEndpointdatacreatedbyClarotyClaroty_Criticality,Claroty_Firmware,Claroty_Risk_Level,Claroty_CVE_Scorearesomeoftheveryusefulattributesthatcanbeusedwithintheenforcementpolicy.
Forexample,aknownvulnerableFirmwareforadevicecategorycanbeblocked.
IftheCriticalityisHigh,anendpointcanbequarantined.
ClearPassandClaroty–IntegrationGuide14Monitoring/ReviewingClearPassandClarotycommunicationsOncethesynchasstartedendpointdatawillbepopulateddirectedlyintothePolicyManagerendpointdatabase,viewthelastupdatetimefromtheintegrationconfigurationscreen,seebelowforanexample.
Figure12:Reviewing'LastUpdate'timetoClearPassIfthesyncisnotworkingorshowsanerrorthenit'slikelyyou'vemissedcapturingtheinformationcorrectly,recheckthedatarecorded,additionallyyoucanviewtheAPIcallsbetweenClarotyandClearPassfromClearPassGuest>Administration>Support>ApplicationLog.
BelowisanexampleoflogsfromClarotytoClearPass.
FilterusingtheIPaddressofClaroty.
Figure13:ExampleofAPIlogsbetweenClarotyandClearPassNoticethereareafewerrorlogs.
TheseerrorsindicatethatthemacaddressdidnotexisthenceanewonewascreatedbyClaroty.
Ifitexists,itwillbeupdatedifnecessaryandtheerrorswillnotbeseen.
racknerd当前对美国犹他州数据中心的大硬盘服务器(存储服务器)进行低价促销,价格跌破眼镜啊。提供AMD和Intel两个选择,默认32G内存,120G SSD系统盘,12个16T HDD做数据盘,接入1Gbps带宽,每个月默认给100T流量,5个IPv4... 官方网站:https://www.racknerd.com 加密数字货币、信用卡、PayPal、支付宝、银联(卡),可以付款! ...
简介华圣云 HuaSaint是阿里云国际版一级分销商(诚招募二级代理),专业为全球企业客户与个人开发者提供阿里云国际版开户注册、认证、充值等服务,通过HuaSaint开通阿里云国际版只需要一个邮箱,不需要PayPal信用卡,不需要买海外电话卡,绝对的零门槛,零风险官方网站:www.huasaint.com企业名:huaSaint Tech Limited阿里云国际版都有什么优势?阿里云国际版的产品...
乐凝网络怎么样?乐凝网络是一家新兴的云服务器商家,目前主要提供香港CN2 GIA、美国CUVIP、美国CERA、日本东京CN2等云服务器及云挂机宝等服务。乐凝网络提供比同行更多的售后服务,让您在使用过程中更加省心,使用零云服务器,可免费享受超过50项运维服务,1分钟内极速响应,平均20分钟内解决运维问题,助您无忧上云。目前,香港HKBN/美国cera云服务器,低至9.88元/月起,支持24小时无理...
centos6.0为你推荐
www.kkk.com谁有免费的电影网站,越多越好?psbc.com邮政储蓄卡如何激活同一服务器网站同一服务器上可以存放多个网站吗?mole.61.com摩尔庄园的米米号和密码我都忘了 只记得注册的邮箱 怎么办-_-www.22zizi.com乐乐电影天堂 http://www.leleooo.com 这个网站怎么样?kb123.net连网方式:wap和net到底有什么不一样的33tutu.com33gan.com改成什么了555sss.com拜求:http://www.jjj555.com/这个网站是用的什么程序bk乐乐bk乐乐和CK是什么关系?龚如敏请问这张图片出自哪里?
上海域名注册 xenvps 免费注册网站域名 cn域名个人注册 132邮箱 新世界机房 主机 韩国空间 webhostingpad BWH 美国主机论坛 国外私服 淘宝双十一2018 debian6 网页背景图片 dropbox网盘 申请个人网站 四核服务器 申请网站 空间登入 更多