#ATM15
Access Management with Aruba ClearPass: Live Walkthrough of Config, Troubleshooting, and User Experience
March 2015
@ArubaNetworks
CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved
Agenda
• Review existing customer deployment
• Customer Challenges and Solutions
• Live Config, Authentication, and Troubleshooting Walkthrough
Existing Customer Deployment
• Enterprise environment with:
  – 802.1X WLAN
    • EAP-PEAP/MSCHAPv2 with Active Directory
  – User authentication
  – Corporate laptops
• No checks & balances for validation
Three new initiatives
1. MDM Rollout
   – Client Services Team deploying MobileIron
   – Enrollment of all mobile devices
2. Palo Alto Firewall Deployment
   – Security Team chose Palo Alto as new Internet Gateway platform
3. Visitor Network with ClearPass Guest
   – ClearPass Guest for Visitor Access
Next-Generation Solutions
• Limit access to only:
  – MDM-enrolled
  – Corporate laptops
• Granular user/device policies
  – Only marketing folks permitted to social media sites
• Prohibit corporate devices from Guest network
  – Open HelpDesk incident for violators

How do I integrate with these solutions?
• Use ClearPass Exchange!
• Use Post-Authentication Enforcement Profiles!
ClearPass Exchange Recipes
Recipe site and tech note available to help you with your integrations:
– Site: http://community.arubanetworks.com/t5/ClearPass-Exchange-Recipes/tkbc-p/clearpass-recipes
– TechNote: http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15508
– Not to be confused with Aruba Solution Exchange: http://ase.arubanetworks.com (more on this at the end)
Lab Setup
Lab Workflow – 802.1X
SSID: CP-Atm-dot1x (PEAP-MSCHAPv2)
→ Corporate Device?
  – No: Redirect to information page
  – Yes: User?
    • Marketing: Full Internet (including social media)
    • Everyone Else: Limited Internet (no social media)
Enforcement
RADIUS REQUEST → RADIUS RESPONSE → HTTP ENFORCEMENT
RADIUS Accounting (new in ClearPass 6.5)
– Target: Checkpoint, Fortinet, Websense, others, via accounting proxy
802.1X Demo
• Audience
  – Use your personal SmartDevice
  – You will be redirected.
• Presenter
  – Connect with corporate SmartDevice
  – mark is in Marketing.
  – jsmith is not in Marketing.
Lab Workflow – Guest
SSID: CP-Atm-Guest (open)
→ Corporate Device?
  – Yes:
    • AOS: Redirect to corporate security guidelines
    • ServiceNow: Open HelpDesk Incident
  – No: Guest Self-Reg Workflow
Three components to HTTP enforcement
1. Endpoint Context Server – Define the External Server (e.g. IP address, credentials)
2. Context Server Action – Define the action to take place (e.g. open a helpdesk ticket, send push notification)
3. Enforcement Profile – Joins the Endpoint Context Server with the Context Server Action.
1. Endpoint Context Server
2. Context Server Action
3. Enforcement Profile
Using Dynamic Variables in ClearPass
• Almost all of the “context” that is collected by ClearPass can be called up and used via dynamic “namespace” variables.
• For example:
  – %{Radius:Aruba:Aruba-Location-Id}
  – %{Connection:Client-Mac-Address-Colon}
  – %{Endpoint:AD_Name}
• These can be used in:
  – Service Matching
  – Role mapping
  – Enforcement profiles and policies
  – Auth source filters/queries
  – Context Server Actions
• When used, the variable is replaced dynamically with the value pertaining to that device or user.
Context Examples
Using Dynamic Variable Examples
Context Server Action – POST to ServiceNow:
{
  "short_description": "Corporate Device on the Guest Network",
  "priority": "3",
  "description": "Offending Device:\n User: %{Endpoint:AD_Name}\n Mac Address: %{Connection:Client-Mac-Address-Colon}\n Location: %{Radius:Aruba:Aruba-Location-Id}",
  "u_category": "71feaf0f8c00d100a4e1ee6a09f9bc72",
  "u_subcategory": "02feaf0f8c00d100a4e1ee6a09f9bc29",
  "assigned_to": "mobileadmin"
}
ServiceNow Configuration & Demo
• Let’s configure ServiceNow
  – Use Case: Open HelpDesk Incident when corporate device connects to Guest network
• Use your SmartDevice
  – Register for an account
Web Login Page Customization
• Many customization/personalization options exist in WebLogin pages (different from your Skin)
• Built-in capability to:
  – Leverage “FontAwesome” fonts
  – Insert other page links
  – Inject PHP code into header/footer
  – Leverage user/device/session variables
• To see what’s available, create a “dump” page
Variable Dump Page
https://10.0.0.25/guest/dump.php?mac=64:20:0c:3d:8f:d7
Variable use in WebLogin Pages
• Using HTTP User-Agent:
<p align=center>You are attempting to Onboard your {$_wpl.browser.uaparser.os.family} device with {$_wpl.browser.uaparser.ua.family},
{if $_wpl.browser.uaparser.os.family == "Mac OS X"}please try again using the Safari browser.{/if}</p>
• Using Endpoint attributes:
<p>Attention {$_endpoint.AD_Name}, this device is a corporate asset and therefore should not be accessing the visitor network.</p>
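The Context Server Action body and the WebLogin notice above both splice dynamic variables such as %{Endpoint:AD_Name} into text that is later parsed as something else (JSON by ServiceNow, HTML by the browser). The following Python is an added example, not code from the deck or from Aruba: it models the %{Namespace:Attribute} expansion with a small regex (an assumption; ClearPass's own expansion and escaping behaviour are not shown on the slides), expands a body modelled on the slide's ServiceNow POST, and shows why each substituted value has to be escaped for the output format it lands in. The session context values are constructed; the AD_Name deliberately contains a double quote and angle brackets. The notice template uses the same %{...} form for simplicity, whereas the real WebLogin page uses Smarty-style {$_endpoint.AD_Name}, which this code does not parse.

```python
import html
import json
import re

# Matches ClearPass-style namespace variables such as %{Endpoint:AD_Name}
# or %{Radius:Aruba:Aruba-Location-Id}. Assumption: this regex models the
# syntax shown on the slides; it is not ClearPass's own parser.
VAR_RE = re.compile(r"%\{([A-Za-z0-9_-]+(?::[A-Za-z0-9_-]+)+)\}")

# Constructed session context. AD_Name deliberately contains a double quote
# and angle brackets to show why output escaping matters.
SAMPLE_CONTEXT = {
    "Endpoint:AD_Name": 'jsmith" <b>ACME</b>',
    "Connection:Client-Mac-Address-Colon": "64:20:0c:3d:8f:d7",
    "Radius:Aruba:Aruba-Location-Id": "Building-1",
}


def expand(template, context, escape=lambda value: value):
    """Replace each %{Namespace:Attribute} with its value from context.

    Unknown variables expand to an empty string. Every substituted value is
    passed through `escape`, which must match the format the template is
    embedded in (a JSON string, HTML, ...).
    """
    return VAR_RE.sub(lambda m: escape(context.get(m.group(1), "")), template)


def json_string_escape(value):
    """Escape a value for use inside an already-quoted JSON string."""
    return json.dumps(value)[1:-1]  # json.dumps adds the surrounding quotes


# Body modelled on the slide's ServiceNow POST (the \n sequences are JSON
# escapes inside the description string, as on the slide).
INCIDENT_BODY = (
    '{"short_description":"Corporate Device on the Guest Network",'
    '"priority":"3",'
    '"description":"Offending Device:\\n User: %{Endpoint:AD_Name}\\n '
    'Mac Address: %{Connection:Client-Mac-Address-Colon}\\n '
    'Location: %{Radius:Aruba:Aruba-Location-Id}",'
    '"assigned_to":"mobileadmin"}'
)


def naive_incident_body(context):
    """Substitute raw values straight into the JSON text."""
    return expand(INCIDENT_BODY, context)


def safe_incident_body(context):
    """Substitute values escaped for a JSON string context."""
    return expand(INCIDENT_BODY, context, json_string_escape)


def is_valid_json(text):
    try:
        json.loads(text)
    except ValueError:
        return False
    return True


def incident_description(context):
    """Parse the escaped body and return the description as ServiceNow would see it."""
    return json.loads(safe_incident_body(context))["description"]


# WebLogin-style notice written with the %{...} syntax for simplicity; the
# real page uses Smarty-style {$_endpoint.AD_Name}, which is not parsed here.
NOTICE_TEMPLATE = (
    "<p>Attention %{Endpoint:AD_Name}, this device is a corporate asset "
    "and therefore should not be accessing the visitor network.</p>"
)


def render_notice(context):
    """Expand into HTML, escaping values so endpoint data cannot inject markup."""
    return expand(NOTICE_TEMPLATE, context, html.escape)


if __name__ == "__main__":
    print("naive body parses as JSON:", is_valid_json(naive_incident_body(SAMPLE_CONTEXT)))
    print("safe body parses as JSON: ", is_valid_json(safe_incident_body(SAMPLE_CONTEXT)))
    print(incident_description(SAMPLE_CONTEXT))
    print(render_notice(SAMPLE_CONTEXT))
```

With the constructed AD_Name the naive body is no longer valid JSON (the quote in the value ends the description string early), so the ticket POST fails or, worse, carries fields the operator never wrote; the escaped body parses and the raw value survives intact in the description field. The same rule applies to the WebLogin page: attributes that originate from the client (the User-Agent, for instance) or from a directory should be HTML-escaped before they are rendered.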
Guest – WebLogin Customization
• Let’s explore WebLogin customizations
  – How did we pull the Username onto the page?
  – Let’s see the ‘dump’ page.
Lab Setup
• 4th Gen Intel NUC D54250WYK
  – Core i5, 16GB RAM, 512GB SSD
  – ESXi 5.5 (custom install with Intel ethernet driver net-e1000e)
• Aruba 7005 Controller
• IAP-205 (in CAP Mode)
[Lab topology diagram: Internet, DHCP, Controller (NAT), ESXi host running PA-VM, CP-VA-EVAL and Win2k8]
Aruba Solution Exchange
ase.arubanetworks.com
• Configuration Made Simple
• Undo Configs
• AOS, Instant, MAS, ClearPass, Juniper, Cisco…

THANK YOU