CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 1 #airheadsconf #airheadsconf
ClearPass Policy Manager – Advanced
Ashwath Murthy
03/15/2013
Agenda
• ClearPass – Policy Model
• Authorization – What and Why?
• Profile – How does it work?
• Clustering & Deployment
• Q & A
ClearPass Policy Model
ClearPass Policy Model
• What constitutes the policy model?
• How does it work?
• What are the interactions between various components?
• How does the policy model affect configuration & deployment?
ClearPass Policy Model
Policy conditions:
• Identity – Role, Department, Group
• Health – AV, AS, FW, Registry Keys, Services…
• Device – Device type, status, health; Address, O/S; Corp. Owned
• Conditions – Time, Location, Day of Week
What’s the flow?
• Authenticate – Valid Authentication
• Authorize – Find Out What’s Allowed
• Associate Context – Device, Time, Location, Posture
• Enforce on NAS – Roles, ACLs, VLANs
What Are The Interactions?
RADIUS Server – Authenticate
Policy Server – Authorize
Policy Server – Associate Context
Policy Server – Decision Tree
RADIUS Server – Enforce
Service Flow – 802.1X
• Layer 2 – RADIUS Request
• Layer 2 – Authentication
• Layer 2 – Authorization
• Layer 2 – Role Derivation
• Layer 2 – RADIUS Enforcement
• Layer 3 – Profile
• Layer 2 – NAP
• Layer 3 – OnGuard
Service Flow – Implications
• Layer 2 Authentications are completed first
  – Full Authorization
  – Role Derivation
  – NAP (if enabled)
  – Layer 2 Enforcement
• Layer 3: Profile next
  – DHCP Request, DHCP Offer
  – RFC 3576 – Change of Authorization
    • Another Layer 2 authentication!
  – No RFC 3576 message if “fingerprint” does not change
• Layer 3: Collect Posture last (OnGuard)
  – Posture over HTTPS
  – RFC 3576 based on policy
    • Another Layer 2 authentication!
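The sequence on this slide, as an added Python simulation that is not part of the deck: a constructed role-mapping policy drives the Layer 2 authentication, a DHCP profile update sends an RFC 3576 CoA (and so forces another Layer 2 authentication) only when the fingerprint changes the device category, and a posture update sends one only when the policy outcome changes. The fingerprint table, group names, roles and enforcement strings are assumptions.

```python
from dataclasses import dataclass

# Constructed DHCP fingerprint table (not Aruba's real fingerprint database).
DHCP_FINGERPRINTS = {"opts:1,3,6,15,119,252": "SmartDevice", "opts:1,15,3,6,44,46,47": "Computer"}
# Constructed enforcement profiles that the RADIUS server returns to the NAS.
ENFORCEMENT = {"Quarantine": "VLAN 999 + remediation ACL", "Exec-Mobile": "VLAN 20 + exec ACL",
               "Employee": "VLAN 10", "Guest": "VLAN 40 + guest ACL"}

@dataclass
class Session:
    username: str
    groups: tuple                    # identity data from the authorization source
    device_category: str = "Unknown" # profile data; unknown at the first authentication
    posture: str = "Unknown"         # OnGuard result; unknown at the first authentication
    role: str = ""
    auth_count: int = 0              # Layer 2 authentications performed
    coa_count: int = 0               # RFC 3576 messages sent to the NAS

def derive_role(s: Session) -> str:
    # Role mapping: posture first, then profile data, then identity.
    if s.posture == "UNHEALTHY":
        return "Quarantine"
    if s.device_category == "SmartDevice" and "Executives" in s.groups:
        return "Exec-Mobile"
    return "Employee" if "Employees" in s.groups else "Guest"

def layer2_auth(s: Session) -> str:
    # Full authorization, role derivation and Layer 2 (RADIUS) enforcement.
    s.auth_count += 1
    s.role = derive_role(s)
    return ENFORCEMENT[s.role]

def profile_update(s: Session, dhcp_fingerprint: str) -> bool:
    # Layer 3 profiling: an RFC 3576 CoA only if the fingerprint changes the category.
    category = DHCP_FINGERPRINTS.get(dhcp_fingerprint, "Unknown")
    if category == s.device_category:
        return False                 # fingerprint unchanged: no CoA message
    s.device_category = category
    s.coa_count += 1
    layer2_auth(s)                   # the CoA causes another Layer 2 authentication
    return True

def posture_update(s: Session, posture: str) -> bool:
    # Layer 3 posture (OnGuard): CoA is policy based, so only when the role changes.
    s.posture = posture
    if derive_role(s) == s.role:
        return False
    s.coa_count += 1
    layer2_auth(s)                   # again, another Layer 2 authentication
    return True
```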
Authorization – What and Why?
Authorization – What and Why?
• Authentication vs. Authorization
• Authorization & ClearPass
• Use Cases
Authorization & ClearPass
• “Authorization” Sources in ClearPass
  – Where do I find them?
  – How do I use them?
  – How often does ClearPass talk to an authorization source?
  – What happens in case something goes wrong?
Authorization Sources – Where?
• An “Authentication Source” is an “Authorization Source”
  – RADIUS Server vs. Policy Server
Authorization Sources – How?
Authentication Sources are automatic Authorization Sources
Additional Authorization Sources enabled per Service
No Authorization unless used in Roles!
Authorization Sources – How?
Authorize with Active Directory
Authorize with Profile Data
Rule Algorithm : Evaluate All
Authorization – How?
• Ok, great. But will ClearPass flood my AD with authorization requests?
  – Authorization data is cached per user
  – New request made to fetch data once the cache expires
  – Cache timers can be tuned
Cache Timeout Default: 10 hours
Authorization – How?
• Got it. But I just made a bunch of changes on my AD. Do I need to wait 10 hours?
  – Tune the cache timers
  – “Clear Cache” button on the Authentication Source
    • Wipes out cache for all users
  – “Save” button on the Authentication Source
    • Wipes out cache for all users
  – Restart Policy Server
    • BAD IDEA!!!
Authorization – Uh-Oh!
• If an Authentication/Authorization Source is not reachable
  – Configure Backup Servers
  – Configure Fail-Over Timeout
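The caching and fail-over behaviour described on the last three slides, as an added Python model that is not part of the deck: authorization attributes are cached per user for the 10-hour default, a fresh query goes to the directory only when the entry has expired or been cleared, and a server that does not answer within the fail-over timeout is skipped in favour of the next backup. The fake directory, server names and 2-second timeout are assumptions.

```python
import time

CACHE_TIMEOUT = 10 * 3600     # ClearPass default authorization cache timeout: 10 hours
FAILOVER_TIMEOUT = 2.0        # assumed per-server fail-over timeout in seconds

class AuthorizationSource:
    """Model of an authentication source used for authorization (constructed)."""

    def __init__(self, servers, query, clock=time.monotonic):
        self.servers = list(servers)   # primary first, then backup servers in order
        self.query = query             # query(server, user, timeout) -> attrs or TimeoutError
        self.clock = clock
        self.cache = {}                # user -> (attributes, time fetched)
        self.queries_sent = 0          # directory round trips actually made

    def authorize(self, user):
        entry = self.cache.get(user)
        if entry and self.clock() - entry[1] < CACHE_TIMEOUT:
            return entry[0]            # served from the per-user cache: no AD traffic
        for server in self.servers:
            self.queries_sent += 1
            try:
                attrs = self.query(server, user, FAILOVER_TIMEOUT)
            except TimeoutError:
                continue               # fail over to the next backup server
            self.cache[user] = (attrs, self.clock())
            return attrs
        raise ConnectionError("no authorization source reachable")

    def clear_cache(self):
        # Same effect as the "Clear Cache" (or "Save") button: every user is wiped,
        # so the next request for each user goes back to the directory.
        self.cache.clear()

# Constructed stand-ins for the directory and for a server that never answers.
DIRECTORY = {"alice": {"memberOf": ["Employees"], "department": "Finance"}}
DOWN_SERVERS = {"ad1.example.test"}

def fake_query(server, user, timeout):
    if server in DOWN_SERVERS:
        raise TimeoutError(f"{server} did not answer within {timeout}s")
    return DIRECTORY[user]

class FakeClock:
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
```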
Use Cases – Mergers & Acquisitions
Active Directory Domain – avendasys.com
Active Directory Domain – arubanetworks.com
Use Cases – Certificates & TLS
• Authentication & Authorization Sources for TLS
• Certificate Details used for Authorization
• Enable Authorization – Source specified in the Service
• Compare Certificate – Source specified in the Service
Use Cases – Asset Databases
• LDAP/SQL Interface to Asset Databases
  – Key: MAC Address
  – Authorization Attributes
    • Ownership – Corporate vs. Personal
    • Compliance Status – In/Out of compliance
  – Identify corporate-owned non-Windows devices
Profile – How does it work?
Profile – How does it work?
• Profile & Network Data
• Automatic Profile “upgrades”
• Using Profile data in policy
• Configuring Profile – DHCP? HTTP? SNMP?
• Use Cases
Profile & Network Data
• What does ClearPass use to profile?
  – MAC OUIs
  – DHCP Request, DHCP Offer
  – HTTP User-Agent
  – MDM Fingerprints
  – Device Interrogation
  – SNMP/CDP/LLDP Data
Fingerprint Updates
• Subscribe to Fingerprint Updates
  – Automatic reclassification
  – Updated frequently
• Tell Aruba!
  – Create policy exceptions
  – Grab fingerprints from UI
  – Send fingerprints to Aruba
  – Crowd-sourced, community oriented
Using Profile data in policy
• Automatic 3-level categorization
  – Device Category, OS Family, Device Name
• Using raw profile data
  – DHCP Data, HTTP User-Agent, SNMP Data
• Role Mapping
  – What should I use?
• Enforcement
  – How do I enforce?
  – What are the benefits?
Configuring Profile – Network Considerations
• DHCP Relay
  – Where should I set up DHCP relays?
• Captive Portal Configuration
  – Is there a knob for this?
• Reading SNMP Data
  – CDP
  – LLDP
  – HR MIB
  – SysDescr MIB
Use Cases
• Policy – CEOs & iPads
• Policy – “Headless” Devices
• Visibility – Demystifying BYODs
Use Cases – CEOs & iPads
Assign Roles
Enforce Access
Use Cases – Headless Devices
Identify & Assign Roles To Headless Devices
Use Cases – Visibility
Clustering & Deployment
Clustering & Deployment
• Clustering Technology
  – What’s replicated? What’s not?
• Deploying ClearPass Clusters
  – Considerations
• Operations & Maintenance
  – What happens when a ClearPass node is down?
  – Events & Alerts
  – Rescue & Recovery
Clustering Technology
• What’s replicated?
  – All policy configuration elements
  – All Audit data
  – All identity store data
    • Guest Accounts, Endpoints, Profile data
  – Runtime Information
    • Authorization status, Posture status, Roles
    • Connectivity Information, NAS Details
  – Database replication on port 5432 over SSL
  – Runtime replication on port 443 over SSL
Clustering Technology
• What’s not replicated?
  – Log files
  – Authentication Records
  – Accounting Records
  – System Events
  – System Monitor Data
Clustering – Considerations
• How do they connect?
  – Requires IP connectivity (bi-directional)
    • Port 5432 (Database over SSL)
    • Port 80 (HTTP)
    • Port 443 (HTTPS)
    • Port 123 (NTP)
• How much data should we expect to see crossing the wire?
  – Only elements in the configuration database
  – First sync is a full database copy
  – Subsequent sync – Delta changes propagated
Clustering – Considerations
[Diagram: Hub & Spoke – one PUBLISHER at the hub, SUBSCRIBER 1 through SUBSCRIBER 6 as spokes]
Clustering – Considerations
[Deployment diagram: CPPM Publisher with DNS, DHCP and Identity Stores in the Main Data Center; CPPM Subscriber VM with CP Guest and CP Onboard in the DMZ; CPPM Subscribers at a Mid-size Branch and a Regional Office]
• Central / Distributed Admin Domains
• Redundancy/Load Balancing
• Cluster wide licenses
Operations & Maintenance
• What happens when a node goes down?
  – Operations
    • If Deployed Right – Nothing
    • RADIUS Backup settings on the NAS
  – If the Publisher goes down
    • No Database Writes Allowed!!
    • Promote a Subscriber to a Publisher
    • Resume configuration updates
Events & Alerts
• How long before ClearPass figures out something’s wrong?
  – 24 hours before it automatically “drops” a node from the cluster
  – Cluster Synchronization Warnings
    • 1 event every hour x 24 hours = 24 events
  – CPU/Memory Usage Warnings – Every 2 Minutes
  – Server Certificate Warnings – Every 24 Hours
  – Service Alerts – Immediate
• Email/SMS Alerts using Insight, Syslog & SNMP
Operations & Maintenance
• Rescue & Recovery
  – Establish cluster connectivity
    • Database sync will ensue. Watch for “Last Sync Time”
  – Restore certificates
    • Server Certificates are not installed as a part of the sync
  – Restore log entries (if necessary)
    • Caveat: high disk activity for an extended period of time
  – Verify fail-back on the NAS
    • NAS fail-back timers should kick in
Q & A
Thank You