CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved. Access Management with Aruba ClearPass. Seth Fiermonti, June 2014

HP Aruba 2014 _ Access Management With Aruba ClearPass


7/25/2019 HP Aruba 2014 _ Access Management With Aruba ClearPass

http://slidepdf.com/reader/full/hp-aruba-2014-access-management-with-aruba-clearpass 1/55

CONFIDENTIAL

© Copyright 2014. Aruba Networks, Inc. All rights reserved

Access Management with Aruba ClearPass

Seth Fiermonti

June 2014


 Agenda

• Introductions & Expectations

• What is ClearPass

• ClearPass – Policy Model

• Authorization – What and Why

• Profile – How does it work

• Clustering & Deployment

• Q & A


ClearPass Overview


Evolving IT Landscape

IT CENTRIC

• Windows
• Fixed Environment
• Wired Network
• IT Managed
• Slow Refresh

USER CENTRIC, SELF SERVICE

• Multiple Platforms
• Work from anywhere
• Wired, Wi-Fi, Cellular
• Selection of devices & apps
• User Timeframes


The ClearPass Solution

Comprehensive Solutions Architecture

WORKFLOW | POLICY | VISIBILITY

• Role-based Enforcement
• Health/Posture Checks
• Device and App
• Device Profiling
• Troubleshooting
• Per Session Tracking
• Onboarding, Registration
• Guest Management
• MDM Integration


The ClearPass Access Security Platform


[Diagram labels: Policy Services; Identity Stores; 3rd Party MDM; App Servers; Differentiated Access; Unified Policies; Device Visibility; Guest; Employee; Enterprise-class AAA (RADIUS, TACACS+); VPN; OnGuard: Posture & Health Checks; Onboard: Device Provisioning; Guest: Visitor Management; Multivendor Networks; ClearPass Policy Manager; AAA Services; ONE ID; Policy Engine]


Context-Based Access Control

• Differentiated Access
 – Role, device type, access method
• Policy-based AAA Services
 – Support for 802.1X, MAC, Web (HTTPS) authentication
 – Communicate to network devices via RADIUS, RADIUS CoA, TACACS+, SNMP
 – Ability to read from multiple identity stores (AD, LDAP, SQL, Kerberos, Token Server, etc.)
 – Enforcement Options – Allow/Deny, VLAN, ACL, dACL, URL redirects, SNMP
• Contextual Policy Elements
 – Time, location, group, OS version, project


Platform Features – Out of the box

Multivendor DNA
• Wired, WLAN, VPN

Core Authentication
• AAA, LDAP, AD, Kerberos, Token, SQL, MAC, 802.1x, TACACS+, HTTPS, SSO (SAML, Okta)

Integrated Profiling
• Device profiling across wired & wireless
• Use directly in authorization policy


ClearPass Core Services

MDM Integration
• Leverage information gained from MDM vendors for profile & to influence policy

TACACS+ Server
• Replace legacy ACS solutions

Context Aware Authorization
• Device type, User, Time, Location, Posture
• Layer multiple conditions for policy derivation


Platform Features – Out of the box

Scale with Clustering
• Supports 1 million endpoints per cluster
• Centralized or distributed architecture

Flexible Licensing
• Perpetual licenses
• Subscription licenses
• 25 free endpoint Enterprise license included

Physical or Virtual Appliances
• Sized for variety of customer needs
• Virtual Appliance relies upon VMware


What’s in ClearPass 6.3

INTEGRATION | INTEROPERABILITY

Auto Sign-On for Apps
• Simple Network authentication for App login
• Opens doors for mobile device SSO opportunities

Guest Advertising Included
• Customizable for gender, season, location
• Larger story in retail, healthcare, entertainment

Enhanced Certificate Distribution
• 3rd Party MDM solutions can now use Onboard CA
• You are the alternative for internal PKI integration


What’s in ClearPass 6.3

INTEGRATION | INTEROPERABILITY

Remote Support
• Setup secure TAC session with a simple click
• Customer support because you asked for it

SPAN Port Profiling
• Any device addressed via DHCP gets profiled
• You get the big picture faster, from one port

Exchange
• Built-in tools for integration of third-party systems
• Data exchange with MDM, helpdesk, SIEM apps made easy


ClearPass Auto Sign-On

Only Aruba lets you sign-in once & you’re good to go

• One login for all web/mobile apps

 – Uses valid network login

• NO App logins

• IBM, Okta, Ping

• ClearPass as Provider (IdP)

 – Uses SAML, not RADIUS


ClearPass Exchange

Two-way Third-Party Integration

Syslog Messages / RESTful APIs

[Diagram, with steps numbered 1 to 3 in the original figure:]
• Jail-broken device detected
• Helpdesk ticket auto generated
• Message to device auto generated
• ClearPass denies access to device


ClearPass Policy Model


ClearPass Policy Model

• What constitutes the policy model?

• How does it work?

• What are the interactions between various components?

• How does the policy model affect configuration & deployment?


ClearPass Policy Model

Policy

Identity
• Role
• Department
• Group

Health
• AV, AS, FW
• Registry Keys
• Services…

Device
• Device type, status, health
• Address, O/S
• Corp. Owned

Conditions
• Time
• Location
• Day of Week


What’s the flow?

Authenticate
• Valid Authentication

Authorize
• Find Out What’s Allowed

Associate Context
• Device, Time, Location, Posture

Enforce on NAS
• Roles, ACLs, VLANs


What Are The Interactions?

RADIUS Server – Authenticate

Policy Server – Authorize

Policy Server – Associate Context

Policy Server – Decision Tree

RADIUS Server – Enforce


ClearPass Policy Enforcement

ClearPass

Use external context to define granular policies

• User / role
• Device fingerprint
• OS version
• Health checks
• Jailbreak status
• Location
• Trusted or untrusted network
• Time
• Date
• Wired, Wi-Fi, VPN enforcement


Service Flow – 802.1X

• Layer 2: RADIUS Request
• Layer 2: Authentication
• Layer 2: Authorization
• Layer 2: Role Derivation
• Layer 2: RADIUS Enforcement
• Layer 3: Profile
• Layer 2: NAP
• Layer 3: OnGuard


Service Flow – Implications

• Layer 2 Authentications are completed first

 – Full Authorization

 – Role Derivation

 – NAP (if enabled)

 – Layer 2 Enforcement

• Layer 3 : Profile next – DHCP Request, DHCP Offer
 – RFC 3576 – Change of Authorization
   • Another Layer 2 authentication!
 – No RFC 3576 message if “fingerprint” does not change
• Layer 3 : Collect Posture last (OnGuard) – Posture over HTTPS
 – RFC 3576 based on policy
 – Another Layer 2 authentication!
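A small Python model of the sequence on this slide, added here as an illustration and not ClearPass code: each RFC 3576 Change of Authorization forces another Layer 2 authentication, so the enforced role is re-derived as profile and posture context arrive. The role names, the `derive_role` policy and the sample endpoints are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Endpoint:
    mac: str
    fingerprint: Optional[str] = None  # profile already stored for this MAC, if any
    posture: Optional[str] = None      # unknown until OnGuard reports over HTTPS


def derive_role(ep: Endpoint) -> str:
    """Hypothetical role mapping: access widens only as context becomes available."""
    if ep.fingerprint is None:
        return "profile-pending"
    if ep.posture is None:
        return "posture-pending"
    return "full-access" if ep.posture == "healthy" else "quarantine"


def run_flow(ep: Endpoint, dhcp_fingerprint: str, onguard_posture: str,
             coa_on_posture: bool = True) -> List[Tuple[str, str]]:
    """Return (trigger, enforced role) for every Layer 2 authentication."""
    auths: List[Tuple[str, str]] = []

    def layer2_auth(trigger: str) -> None:
        # Authentication, authorization, role derivation and enforcement in one pass.
        auths.append((trigger, derive_role(ep)))

    layer2_auth("initial 802.1X")

    # Layer 3, profile: the DHCP exchange is only seen once the endpoint is on the network.
    if dhcp_fingerprint != ep.fingerprint:
        ep.fingerprint = dhcp_fingerprint
        layer2_auth("CoA: fingerprint changed")
    # Unchanged fingerprint: no RFC 3576 message, so no extra authentication.

    # Layer 3, posture: collected last; whether it triggers a CoA depends on policy.
    ep.posture = onguard_posture
    if coa_on_posture:
        layer2_auth("CoA: posture received")
    return auths


def flow_demo():
    # Constructed endpoints; the MACs come from the documentation range.
    new_device = run_flow(Endpoint("00:00:5e:00:53:01"), "Computer/Windows", "healthy")
    known_device = run_flow(
        Endpoint("00:00:5e:00:53:02", fingerprint="Computer/Windows"),
        "Computer/Windows", "unhealthy")
    return new_device, known_device


if __name__ == "__main__":
    for name, auths in zip(("new device", "known device"), flow_demo()):
        print(name, len(auths), "authentications:", auths)
```

A never-seen device authenticates three times before it reaches its final role, so the role enforced after the first pass is what the endpoint holds until profile and posture data arrive.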


Authorization – What and Why


 Authorization – What and Why?

• Authentication vs. Authorization

• Authorization & ClearPass

• Use Cases


 Authorization & ClearPass

• “Authorization” Sources in ClearPass
 – Where do I find them?
 – How do I use them?
 – How often does ClearPass talk to an authorization source?
 – What happens in case something goes wrong?


 Authorization Sources – Where?

• An “Authentication Source” is an “Authorization Source”
 – RADIUS Server vs. Policy Server


 Authorization Sources – How?

• Authentication Sources are automatic Authorization Sources
• Additional Authorization Sources enabled per Service
• No Authorization unless used in Roles!


 Authorization Sources – How?

• Authorize with Active Directory
• Authorize with Profile Data
• Rule Algorithm : Evaluate All


 Authorization – How?

• Ok, great. But will ClearPass flood my AD with authorization requests?
 – Authorization data is cached per user
 – New request made to fetch data once the cache expires
 – Cache timers can be tuned

Cache Timeout (Default: 10 hours)


 Authorization – How?

• Got it
• But I just made a bunch of changes on my AD. Do I need to wait 10 hours?
 – Tune the cache timers
 – “Clear Cache” button on the Authentication Source
   • Wipes out cache for all users
 – “Save” button on the Authentication Source
   • Wipes out cache for all users
 – Restart Policy Server
   • BAD IDEA!!!
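The caching behaviour described on the two slides above, modelled in Python as an added illustration (not ClearPass code): a per-user cache keeps the directory from being queried on every authentication, but a group removed in AD stays effective until the entry expires or the cache is cleared. The `AuthzCache` class, the user and the group names are hypothetical; only the 10-hour default comes from the slides.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Tuple

DEFAULT_TIMEOUT_S = 10 * 3600  # default cache timeout stated on the slide: 10 hours


@dataclass
class AuthzCache:
    """Hypothetical per-user cache of authorization attributes."""
    fetch: Callable[[str], FrozenSet[str]]  # queries the directory for a user's groups
    clock: Callable[[], float]              # injected so the demo can simulate time
    timeout_s: float = DEFAULT_TIMEOUT_S
    directory_queries: int = 0
    _entries: Dict[str, Tuple[float, FrozenSet[str]]] = field(default_factory=dict)

    def groups(self, user: str) -> FrozenSet[str]:
        now = self.clock()
        hit = self._entries.get(user)
        if hit is not None and now - hit[0] < self.timeout_s:
            return hit[1]                   # cached, possibly stale
        self.directory_queries += 1         # cache miss or expired entry
        fresh = self.fetch(user)
        self._entries[user] = (now, fresh)
        return fresh

    def clear(self) -> None:
        """Equivalent of wiping the cache for all users."""
        self._entries.clear()


def cache_demo() -> dict:
    directory = {"alice": frozenset({"Staff", "Finance"})}  # constructed sample data
    now = [0.0]
    cache = AuthzCache(fetch=lambda u: directory.get(u, frozenset()),
                       clock=lambda: now[0])
    out = {}

    # 1000 authentications spread over the first hour cost one directory query.
    for i in range(1000):
        now[0] = i * 3.6
        cache.groups("alice")
    out["queries_for_1000_auths"] = cache.directory_queries

    # An administrator removes alice from Finance; the cache still says otherwise.
    directory["alice"] = frozenset({"Staff"})
    now[0] = 5 * 3600
    out["five_hours_later"] = cache.groups("alice")

    # Clearing the cache makes the change effective on the next request.
    cache.clear()
    out["after_clear"] = cache.groups("alice")

    # Without a clear, a later removal is only seen once the timeout has elapsed.
    directory["alice"] = frozenset()
    now[0] = 5 * 3600 + DEFAULT_TIMEOUT_S - 1
    out["just_before_expiry"] = cache.groups("alice")
    now[0] = 5 * 3600 + DEFAULT_TIMEOUT_S
    out["at_expiry"] = cache.groups("alice")
    out["total_queries"] = cache.directory_queries
    return out


if __name__ == "__main__":
    for key, value in cache_demo().items():
        print(key, "->", value)
```

The timeout is therefore also the worst-case delay before a revoked group membership stops granting access, which is the trade-off to weigh when tuning it.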


 Authorization – Uh-Oh!

• If an Authentication/Authorization Source is not reachable
 – Configure Backup Servers
 – Configure Fail-Over Timeout

[Screenshot callouts: Fail-Over Timeout; Backup Servers]


Use Cases – Mergers & Acquisitions

• Active Directory Domain – avendasys.com
• Active Directory Domain – arubanetworks.com


Use Cases – Certificates & TLS

• Authentication & Authorization Sources for TLS
• Certificate Details used for Authorization
• Enable Authorization – Source specified in the Service
• Compare Certificate – Source specified in the Service


Use Cases – Asset Databases

• LDAP/SQL Interface to Asset Databases

 – Key : MAC Address

 – Authorization Attributes

• Ownership – Corporate vs. Personal

• Compliance Status – In/Out of compliance

 – Identify corporate-owned non-Windows devices


Profile – How Does It Work?


Profile – How does it work?

• Profile & Network Data

• Automatic Profile “upgrades”

• Using Profile data in policy

• Configuring Profile

 – DHCP? HTTP? SNMP?

• Use Cases


Profile & Network Data

What does ClearPass use to profile?

 – MAC OUIs

 – DHCP Request, DHCP Offer

 – HTTP User-Agent

 – MDM Fingerprints – Device Interrogation

 – SNMP/CDP/LLDP Data


Fingerprint Updates

• Subscribe to Fingerprint Updates

 – Automatic reclassification

 – Updated frequently

• Tell Aruba!

 – Create policy exceptions

 – Grab fingerprints from UI

 – Send fingerprints to Aruba

 – Crowd-sourced, community oriented


Using Profile data in policy

• Automatic 3-level categorization

 – Device Category, OS Family, Device Name

• Using raw profile data

 – DHCP Data, HTTP User-Agent, SNMP Data

• Role Mapping

 – What should I use?

• Enforcement

 – How do I enforce?

 – What are the benefits?


Configuring Profile – Network Considerations

• DHCP Relay

 – Where should I set up DHCP relays?

• Captive Portal Configuration

 – Is there a knob for this?

• Reading SNMP Data

 – CDP

 – LLDP

 – HR MIB

 – SysDescr MIB


Use Cases

• Policy – CEOs & iPads

• Policy – “Headless” Devices

• Visibility – Demystifying BYODs


Use Cases – CEOs & iPads

 Assign Roles

Enforce Access


Use Cases – Headless Devices

Identify & Assign Roles To Headless Devices


Use Cases – Visibility


Clustering & Deployment


Clustering & Deployment

• Clustering Technology

 – What’s replicated? What’s not?

• Deploying ClearPass Clusters

 – Considerations

• Operations & Maintenance

 – What happens when a ClearPass node is down?

 – Events & Alerts

 – Rescue & Recovery


Clustering Technology

• What’s replicated?
 – All policy configuration elements
 – All Audit data
 – All identity store data
   • Guest Accounts, Endpoints, Profile data
 – Runtime Information
   • Authorization status, Posture status, Roles
   • Connectivity Information, NAS Details
 – Database replication on port #5432 over SSL
 – Runtime replication on port #443 over SSL


Clustering Technology

• What’s not replicated?

 – Log files

 – Authentication Records

 – Accounting Records

 – System Events

 – System Monitor Data


Clustering – Considerations

• How do they connect?
 – Requires IP connectivity (bi-directional)
   • Port #5432 (Database over SSL)
   • Port #80 (HTTP)
   • Port #443 (HTTPS)
   • Port #123 (NTP)
• How much data should we expect to see crossing the wire?
 – Only elements in the configuration database
 – First sync is a full database copy
 – Subsequent sync – Delta changes propagated


Clustering – Considerations

Hub & Spoke

[Diagram: PUBLISHER at the hub, connected to SUBSCRIBER1 through SUBSCRIBER6]
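One way to check a firewall policy against the connectivity requirements listed for clustering, as an added Python example that is not part of the original deck. It assumes a simple permit list with implicit deny, reads "bi-directional" as either node being able to initiate on each listed port, and uses UDP for NTP; the addresses and rules are constructed samples from documentation ranges.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Tuple

# Ports from the clustering slide; UDP for NTP is the protocol's standard transport.
CLUSTER_PORTS = [("tcp", 5432), ("tcp", 80), ("tcp", 443), ("udp", 123)]


class Permit(NamedTuple):
    src: str    # source CIDR
    dst: str    # destination CIDR
    proto: str
    port: int


def allowed(rules: List[Permit], src: str, dst: str, proto: str, port: int) -> bool:
    """True if any permit rule covers the flow; everything else is implicitly denied."""
    s, d = ip_address(src), ip_address(dst)
    return any(
        r.proto == proto and r.port == port
        and s in ip_network(r.src) and d in ip_network(r.dst)
        for r in rules
    )


def missing_cluster_flows(rules: List[Permit], publisher: str,
                          subscribers: List[str]) -> List[Tuple[str, str, str, int]]:
    """List the publisher<->subscriber flows (hub and spoke) that no rule permits."""
    missing = []
    for sub in subscribers:
        for src, dst in ((sub, publisher), (publisher, sub)):  # both directions
            for proto, port in CLUSTER_PORTS:
                if not allowed(rules, src, dst, proto, port):
                    missing.append((src, dst, proto, port))
    return missing


# Constructed sample topology and rule set.
PUBLISHER = "192.0.2.10"
SUBSCRIBERS = ["198.51.100.21", "203.0.113.31"]  # branch node, DMZ node

RULES: List[Permit] = []
for _proto, _port in CLUSTER_PORTS:
    # Branch subnet: every cluster port is open in both directions.
    RULES.append(Permit("198.51.100.0/24", "192.0.2.10/32", _proto, _port))
    RULES.append(Permit("192.0.2.10/32", "198.51.100.0/24", _proto, _port))
# DMZ node: only part of the required set was opened.
RULES += [
    Permit("203.0.113.31/32", "192.0.2.10/32", "tcp", 443),
    Permit("203.0.113.31/32", "192.0.2.10/32", "tcp", 5432),
    Permit("192.0.2.10/32", "203.0.113.31/32", "tcp", 443),
]

if __name__ == "__main__":
    for flow in missing_cluster_flows(RULES, PUBLISHER, SUBSCRIBERS):
        print("not permitted: %s -> %s %s/%d" % flow)
```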


Clustering – Considerations

• Central / Distributed Admin Domains

• Redundancy/Load Balancing

• Cluster wide licenses

[Diagram labels: CPPM – Publisher; DNS; DHCP; Identity Stores; Main Data Center; Mid-size Branch; Regional Office; DMZ; CPPM Subscriber (three nodes); VM; CP Guest; CP Onboard]


Operations & Maintenance

• What happens when a node goes down?

 – Operations

• If Deployed Right – Nothing

• RADIUS Backup settings on the NAS

 – If the Publisher goes down

• No Database Writes Allowed!!

• Promote a Subscriber to a Publisher

• Resume configuration updates


Events & Alerts

• How long before ClearPass figures out something’s wrong?
 – 24 hours before it automatically “drops” a node from the cluster
 – Cluster Synchronization Warnings
   • 1 event every hour x 24 hours = 24 events
 – CPU/Memory Usage Warnings: Every 2 Minutes
 – Server Certificate Warnings: Every 24 Hours
 – Service Alerts: Immediate
• Email/SMS Alerts using Insight, Syslog & SNMP


Operations & Maintenance

• Rescue & Recovery
 – Establish cluster connectivity
   • Database sync will ensue. Watch for “Last Sync Time”
 – Restore certificates
   • Server Certificates are not installed as a part of the sync
 – Restore log entries (If necessary)
   • Caveat : High disk activity for an extended period of time
 – Verify fail-back on the NAS
   • NAS fail-back timers should kick in
