
#ATM15 |

Access Management with Aruba ClearPass Live Walkthrough of Config, Troubleshooting, and User Experience

March 2015

@ArubaNetworks

CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved


Agenda

• Review existing customer deployment

• Customer Challenges and Solutions

• Live Config, Authentication, and Troubleshooting Walkthrough


Existing Customer Deployment

• Enterprise environment with:
  – 802.1X WLAN
    • EAP-PEAP/MSCHAPv2 with Active Directory
  – User authentication
  – Corporate laptops
    • No checks & balances for validation


Three new initiatives


1. MDM Rollout
   – Client Services Team deploying Mobile Iron
   – Enrollment of all mobile devices

2. Palo Alto Firewall Deployment
   – Security Team chose Palo Alto as new Internet Gateway platform

3. Visitor Network with ClearPass Guest
   – ClearPass Guest for Visitor Access


Next-Generation Solutions


Limit access to only:
  • MDM-enrolled
  • Corporate laptops

Granular user/device policies
  • Only marketing folks permitted to social media sites

Prohibit corporate devices from Guest network
  • Open HelpDesk incident for violators


How do I integrate with these solutions?

Use ClearPass Exchange! Use Post_Authentication Enforcement Profiles!


ClearPass Exchange Recipes


Recipe site and tech note available to help you with your integrations:
  – Site: http://community.arubanetworks.com/t5/ClearPass-Exchange-Recipes/tkbc-p/clearpass-recipes
  – TechNote: http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15508
  – Not to be confused with Aruba Solution Exchange: http://ase.arubanetworks.com (more on this at the end)


Lab Setup


Lab Workflow – 802.1X


SSID: CP-Atm-dot1x (PEAP-MSCHAPv2)

Corporate Device?
  – No → Redirect to information page
  – Yes → User?
      • Marketing → Full Internet (including Social Media)
      • Everyone Else → Limited Internet (no Social Media)


Enforcement


RADIUS REQUEST → Service Matching → Authentication → Authorization → Role Mapping → RADIUS RESPONSE

HTTP ENFORCEMENT (alongside the RADIUS response)

RADIUS Accounting (new in CP 6.5) → Target: Checkpoint, Fortinet, Websense, others via ACCT Proxy


802.1X Demo

• Audience
  – Use your personal SmartDevice
  – You will be redirected.

• Presenter
  – Connect with corporate SmartDevice
  – mark is in Marketing.
  – jsmith is not in Marketing.


SSID: CP-Atm-dot1x
Username: jsmith or mark
Password: atm2015


Lab Workflow - Guest


SSID: CP-Atm-Guest (open)

Corporate Device?
  – Yes →
      • AOS: Redirect to corporate security guidelines
      • ServiceNow: Open HelpDesk Incident
  – No → Guest Self-Reg Workflow


Three components to HTTP enforcement


1. Endpoint Context Server
   – Define the External Server (e.g. IP Address, credentials)

2. Context Server Action
   – Define the action to take place (e.g. open a helpdesk ticket, send a push notification)

3. Enforcement Profile
   – Joins the External Context Server with the Context Server Action.


Endpoint Context Server



Context Server Action



Enforcement Profile



Using Dynamic Variables in ClearPass

•  Almost all of the “context” that is collected by ClearPass can be called up and used via dynamic “namespace” variables.

•  For example:
   •  %{Radius:Aruba:Aruba-Location-Id}
   •  %{Connection:Client-Mac-Address-Colon}
   •  %{Endpoint:AD_Name}

•  These can be used in:
   •  Service Matching
   •  Role mapping
   •  Enforcement profiles and policies
   •  Auth source filters/queries
   •  Context Server Actions

•  When used, the value is replaced with information pertaining to that device or user dynamically


Context Examples


Using Dynamic Variable Examples


Context Server Action – POST to ServiceNow:

{
  "short_description": "Corporate Device on the Guest Network",
  "priority": "3",
  "description": "Offending Device:\n User: %{Endpoint:AD_Name}\n Mac Address: %{Connection:Client-Mac-Address-Colon}\n Location: %{Radius:Aruba:Aruba-Location-Id}",
  "u_category": "71feaf0f8c00d100a4e1ee6a09f9bc72",
  "u_subcategory": "02feaf0f8c00d100a4e1ee6a09f9bc29",
  "assigned_to": "mobileadmin"
}
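An added example, not code from the deck or from ClearPass, that resolves the %{Namespace:Attribute} variables in the ServiceNow action body above against a constructed session context, refusing to send a body with unresolved variables and JSON-escaping each value so an attribute containing a quote cannot corrupt the request. The variable regex, the context layout and the sample AD name and location are assumptions; the MAC address is the one from the dump-page slide.

```python
import json
import re

# A ClearPass dynamic variable, %{Namespace:Attribute}, optionally with a vendor
# segment as in %{Radius:Aruba:Aruba-Location-Id}; group 1 is the reference.
VAR_RE = re.compile(r"%\{([A-Za-z0-9_.-]+(?::[A-Za-z0-9_.-]+)+)\}")

# The Context Server Action body from the slide; "\\n" keeps the newline
# escapes that belong inside the JSON string literal.
SERVICENOW_BODY = (
    '{"short_description":"Corporate Device on the Guest Network","priority":"3",'
    '"description":"Offending Device:\\n User: %{Endpoint:AD_Name}\\n Mac Address: '
    '%{Connection:Client-Mac-Address-Colon}\\n Location: %{Radius:Aruba:Aruba-Location-Id}",'
    '"u_category":"71feaf0f8c00d100a4e1ee6a09f9bc72","u_subcategory":"02feaf0f8c00d100a4e1ee6a09f9bc29",'
    '"assigned_to":"mobileadmin"}'
)

def unresolved_references(template, context):
    """Return the %{...} references that context cannot supply. context maps a
    namespace ("Endpoint", "Connection", "Radius") to a dict keyed by the rest
    of the reference ("AD_Name", "Aruba:Aruba-Location-Id"); assumed layout."""
    missing = []
    for ref in VAR_RE.findall(template):
        namespace, _, attribute = ref.partition(":")
        if attribute not in context.get(namespace, {}):
            missing.append(ref)
    return missing

def expand_variables(template, context):
    """Substitute every variable; refuse (KeyError) to emit a half-filled body.
    Values are JSON-escaped first, so an attribute holding a quote or backslash
    (e.g. a device name a user typed) cannot break out of its string literal."""
    missing = unresolved_references(template, context)
    if missing:
        raise KeyError("unresolved variables: " + ", ".join(missing))

    def resolve(match):
        namespace, _, attribute = match.group(1).partition(":")
        # json.dumps gives a quoted literal; drop the outer quotes, keep escapes.
        return json.dumps(str(context[namespace][attribute]))[1:-1]
    return VAR_RE.sub(resolve, template)

def build_incident(context, template=SERVICENOW_BODY):
    return json.loads(expand_variables(template, context))  # parsed as ServiceNow would

# Constructed session context standing in for what ClearPass supplies at run time.
SAMPLE_CONTEXT = {
    "Endpoint": {"AD_Name": 'jsmith "Corp" Laptop'},
    "Connection": {"Client-Mac-Address-Colon": "64:20:0c:3d:8f:d7"},
    "Radius": {"Aruba:Aruba-Location-Id": "HQ-Floor3"},
}
```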


ServiceNow Configuration & Demo

• Let’s configure ServiceNow
  – Use Case: Open HelpDesk Incident when a corporate device connects to the Guest network

• Use your SmartDevice
  – Register for an account


SSID CP-Atm-Guest


Web Login Page Customization

•  Many customization/personalization options exist in WebLogin pages (different from your Skin)

•  Built-in capability to:
   •  Leverage “FontAwesome” fonts
   •  Insert other page links
   •  Inject PHP code into header/footer
   •  Leverage user/device/session variables

•  For this, create a “dump” page to see what’s available


Variable Dump Page


https://10.0.0.25/guest/dump.php?mac=64:20:0c:3d:8f:d7


Variable use in WebLogin Pages

• Using HTTP User-Agent (the {if} block is closed with {/if}, which the slide omitted):

<p align=center>You are attempting to Onboard your {$_wpl.browser.uaparser.os.family} device with {$_wpl.browser.uaparser.ua.family}{if $_wpl.browser.uaparser.os.family == "Mac OS X"}, please try again using the Safari browser.{/if}</p>

• Using Endpoint attributes:

<p>Attention {$_endpoint.AD_Name}, this device is a corporate asset and therefore should not be accessing the visitor network.</p>


Guest – Weblogin customization

• Let’s explore WebLogin customizations
  – How did we pull the Username onto the page?
  – Let’s see the ‘dump’ page.


Lab Setup

• 4th Gen Intel NUC D54250WYK
  – Core i5, 16GB RAM, 512GB SSD
  – ESXi 5.5 (custom install with Intel ethernet driver net-e1000e)

• Aruba 7005 Controller

• IAP-205 (in CAP Mode)


[Lab topology diagram: Internet, DHCP, Controller (NAT), ESXi host running the PA-VM, CP-VA-EVAL and Win2k8 VMs]


Aruba Solution Exchange

ase.arubanetworks.com – Configuration Made Simple
  • Undo Configs
  • AOS, Instant, MAS, ClearPass, Juniper, Cisco…


THANK YOU
