Access Management with Aruba ClearPass

#ATM15 |

Access Management with Aruba ClearPassLive Walkthrough of Config, Troubleshooting, and User Experience

March 2015

@ArubaNetworks

Agenda

•Review existing customer deployment

•Customer Challenges and Solutions

•Live Config, Authentication, and Troubleshooting Walkthrough

@ArubaNetworks

Transition Content

Existing Customer Deployment

•Enterprise environment with:– 802.1X WLAN

• EAP-PEAP/MSCHAPv2 with Active Directory

– User authentication

– Corporate laptops• No checks & balances for validation

@ArubaNetworks

Transition Content

Three new initiatives

@ArubaNetworks

1. MDM Rollout– Client Services Team deploying Mobile Iron– Enrollment of all mobile devices

2. Palo Alto Firewall Deployment– Security Team chose Palo Alto as new

Internet Gateway platform

3. Visitor Network with ClearPass Guest– ClearPass Guest for Visitor Access

Transition Content

Next-Generation Solutions

@ArubaNetworks

Limit access to only: •MDM-enrolled•Corporate laptops

Granular user/device policies•Only marketing folks permitted to social media sites

Prohibit corporate devices from Guest network•Open HelpDesk incident for violators

Use ClearPass Exchange!

Use Post_Authentication Enforcement Profiles!

Transition Content

How do I integrate with these solutions?

@ArubaNetworks

Transition Content

ClearPass Exchange Recipes

@ArubaNetworks

Recipe site and tech note available to help you with your integrations:

– Site:• http://community.arubanetworks.com/t5/ClearPass-Exchange-Recipes/tkbc-p/clearpass-recipes

– TechNote:• http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15508

– Not to be confused with Aruba Solution Exchange• http://ase.arubanetworks.com• (More on this at the end)

Lab Setup

@ArubaNetworks

Lab Workflow – 802.1X

@ArubaNetworks

SSID:CP-Atm-dot1x(PEAP-MSCHAPv2)

Corporate Device?

Redirect to information pageRedirect to information page

User?User?Full Internet(Including Social Media)

Full Internet(Including Social Media)

Marketing

Limited Internet(No Social Media)

Everyone Else

Enforcement

@ArubaNetworks

RADIUS REQUEST

RADIUS RESPONSE

HTTP ENFORCEMENT

RADIUS Accounting New in CP 6.5

Target: Checkpoint, Fortinet, Websense, others

via ACCT Proxy

802.1X Demo

•Audience•Use your personal SmartDevice•You will be redirected.

•Presenter•Connect with corporate SmartDevice•mark is in Marketing.•jsmith is not in Marketing.

@ArubaNetworks

Transition Content

Lab Workflow - Guest

@ArubaNetworks

SSID:CP-Atm-Guest(open)

Corporate Device?

• AOS: Redirect to corporate security guidelines

• ServiceNow: Open HelpDesk Incident

• AOS: Redirect to corporate security guidelines

• ServiceNow: Open HelpDesk Incident

Guest Self-Reg Workflow

Transition Content

Three components to HTTP enforcement

@ArubaNetworks

1. Endpoint Context Server– Define the External Server

• (i.e. IP Address, credentials)

1. Context Server Action– Define the action to take place

• (i.e. Open a helpdesk ticket, send push notification)

1. Enforcement Profile– Joins the External Context Server with the Context

Server Action.

Endpoint Context Server

@ArubaNetworks

1. Endpoint Context Server

Transition Content

Context Server Action

@ArubaNetworks

2. Context Server Action

Enforcement Profile

@ArubaNetworks

3. Enforcement Profile

Transition Content

Using Dynamic Variables in ClearPass

• Almost all of the “context” that is collected by ClearPass can be called up and used via dynamic “namespace” variables.

• For example:• %{Radius:Aruba:Aruba-Location-Id}• %{Connection:Client-Mac-Address-Colon}• %{Endpoint:AD_Name}

• These can be used in:• Service Matching• Role mapping• Enforcement profiles and policies• Auth source filters/queries• Context Server Actions

• When used, the value is replaced with information pertaining to that device or user dynamically

@ArubaNetworks

Context Examples

Transition Content

Using Dynamic Variable Examples

@ArubaNetworks

{"short_description":"Corporate Device on the Guest Network","priority":"3","description":"Offending Device:\n User: %{Endpoint:AD_Name}\n Mac Address: %{Connection:Client-Mac-Address-Colon}\n Location: %{Radius:Aruba:Aruba-Location-Id}","u_category":"71feaf0f8c00d100a4e1ee6a09f9bc72","u_subcategory":"02feaf0f8c00d100a4e1ee6a09f9bc29":"assigned_to":"mobileadmin"

Context Server Action – POST to ServiceNow.

ServiceNow Configuration & Demo

•Let’s configure ServiceNow• Use Case: Open HelpDesk Incident when corporate device

connects to Guest network

•Use your SmartDevice• Register for an account

@ArubaNetworks

Transition Content

Web Login Page Customization

• Many customization/personalization options exist in WebLogin pages

• (Different from your Skin)

• Built in capability to:• Leverage “FontAwesome” fonts• Insert other page links• Inject PHP code into header/footer• Leverage user/device/session variables

• For this, create a “dump” page to see what’s available

@ArubaNetworks

Transition Content

Variable Dump Page

@ArubaNetworks

https://10.0.0.25/guest/dump.php?mac=64:20:0c:3d:8f:d7

Transition Content

Variable use in WebLogin Pages

•Using HTTP User-Agent:

•Using Endpoint attributes:

@ArubaNetworks

<p align=center>You are attempting to Onboard your {$_wpl.browser.uaparser.os.family} device with {$_wpl.browser.uaparser.ua.family},

{if $_wpl.browser.uaparser.os.family == "Mac OS X"}please try again using the Safari browser.</p>

<p>Attention {$_endpoint.AD_Name}, This device is a corporate asset and therefore should not be accessing the visitor network. </p>

Guest – Weblogin customization

•Let’s explore weblogin customizations• How did we pull the Username onto the page?• Let’s see the ‘dump’ page.

@ArubaNetworks

Lab Setup

4th Gen Intel NUC D54250WYK– Core i5, 16GB RAM, 512GB SSD– ESXi 5.5 (custom install with Intel

ethernet driver net-e1000e)

Aruba 7005 Controller

IAP-205 (in CAP Mode)

@ArubaNetworks

Internet

99100100

9910010011

ESXiPA-VM

CP-VA-EVALWin2k8

ESXiPA-VM

CP-VA-EVALWin2k8

Transition Content

Aruba Solution Exchange

ase.arubanetworks.com

Configuration Made Simple

Undo Configs

AOS, Instant, MAS, ClearPass, Juniper, Cisco…

@ArubaNetworks

THANK YOU

27#ATM15 | @ArubaNetworks

Access Management with Aruba ClearPass

Technology

ARUBA AND CLEARPASS MAKE A PERFECT FIT

Advanced Aruba ClearPass Workshop

Aruba ClearPass Access Management System™docshare01.docshare.tips/files/23638/236389180.pdfaruba networks channel partner confidential – do not distribute page 5 clearpass access

ClearPass Policy manager Cisco Switch Setup with CPPMcommunity.arubanetworks.com/aruba/attachments/aruba... · This ClearPass Policy manager Cisco Switch Setup with CPPM is intended

THE CLEARPASS ACCESS MANAGEMENT SYSTEM · 2013-09-02 · The ClearPass Access Management System from Aruba Networks takes a fresh and innovative approach to solving the BYOD challenge

ArubA CleArPAss OnGuArd™ - GeminiComputer.com · Aruba ClearPass OnGuard Aruba Data Sheet ArubA CleArPAss OnGuArd™ Enterprise-class endpoint posture assessments and health checks

Aruba clearpass ebook_chpt1_final

ClearPass OnGuard - applesi.co.kr · Aruba ClearPass OnGuard Aruba Data Sheet Complete endpoint visibility To simplify troubleshooting, endpoint control and compliance reporting,

COMMON CRITERIA CONFIGURATION GUIDANCE ARUBA CLEARPASS …

Aruba ClearPass Policy Manager 6.0 User Guideh20628.. ConfiguretheAppliance Replacetheboldedplaceholderentriesinthefollowingillustrationwithyourlocalinformation: …

ClearPass Certificates 101 - Airheads Community · ClearPass(Version(6.x( ( Tech(Note:(ClearPass(Certificates(101–(V1(Aruba(Networks(6!Overview* Scope* Thefollowingguidehasbeenproducedto

ClearPass Policy manager Cisco Switch Setup with CPPMcommunity.arubanetworks.com/aruba/attachments/aruba/tkb@tkb/223/1... · Preface . Audience This ClearPass Policy manager Cisco

HP Aruba 2014 _ Access Management With Aruba ClearPass

SOLUTION OVERVIEW CLEARPASS EXCHANGE: SHARE RICH, … · 2016-09-02 · Aruba Networks® developed ClearPass Exchange, a baseline feature of the ClearPass Access Management System,

Access Management with Aruba ClearPass

ClearPass Welcome Home! - Airheads Communitycommunity.arubanetworks.com/aruba/attachments/aruba...ClearPass Exchange provides context-sharing and integration of ClearPass services

Aruba CPPM (Clearpass Policy Manager)

Aruba Networks Secure Mobility Access Aruba ClearPass kundetur til...The ClearPass Solution All Things Network, Device and App Management VISIBILITY WORKFLOW POLICY Role-based Enforcement

A ClearPass Policy Manager Application - NDM … · Aruba ClearPass Onboard Aruba Data Sheet ClearPass OnbOard A ClearPass Policy Manager Application ClearPass Onboard automatically

Aruba Wireless and ClearPass 6 Integration Guide v1.3community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-gu… · Aruba Wireless and ClearPass 6| Integration Guide | 19! Figure!17!Select!thenewlycreatedCaptivePortal!Authentication!Profile!