#ATM15 | Access Management with Aruba ClearPass: Live Walkthrough of Config, Troubleshooting, and User Experience (March 2015, @ArubaNetworks)


Page 1: Access Management with Aruba ClearPass

#ATM15 |

Access Management with Aruba ClearPass: Live Walkthrough of Config, Troubleshooting, and User Experience

March 2015

@ArubaNetworks

Page 2: Access Management with Aruba ClearPass

CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved. #ATM15 |

Agenda

• Review existing customer deployment

• Customer Challenges and Solutions

• Live Config, Authentication, and Troubleshooting Walkthrough


Page 3: Access Management with Aruba ClearPass



Existing Customer Deployment

• Enterprise environment with:
  – 802.1X WLAN
    • EAP-PEAP/MSCHAPv2 with Active Directory
    – User authentication
    – Corporate laptops
  • No checks & balances for validation


Page 4: Access Management with Aruba ClearPass


Three new initiatives


1. MDM Rollout
   – Client Services Team deploying MobileIron
   – Enrollment of all mobile devices

2. Palo Alto Firewall Deployment
   – Security Team chose Palo Alto as new Internet Gateway platform

3. Visitor Network with ClearPass Guest
   – ClearPass Guest for Visitor Access

Page 5: Access Management with Aruba ClearPass


Next-Generation Solutions


Limit access to only:
  • MDM-enrolled devices
  • Corporate laptops

Granular user/device policies:
  • Only marketing folks permitted to social media sites

Prohibit corporate devices from the Guest network:
  • Open HelpDesk incident for violators

Page 6: Access Management with Aruba ClearPass


How do I integrate with these solutions?

Use ClearPass Exchange!

Use Post_Authentication Enforcement Profiles!


Page 7: Access Management with Aruba ClearPass


ClearPass Exchange Recipes


Recipe site and tech note available to help you with your integrations:

– Site:
  • http://community.arubanetworks.com/t5/ClearPass-Exchange-Recipes/tkbc-p/clearpass-recipes

– TechNote:
  • http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15508

– Not to be confused with Aruba Solution Exchange
  • http://ase.arubanetworks.com
  • (More on this at the end)

Page 8: Access Management with Aruba ClearPass


Lab Setup


Page 9: Access Management with Aruba ClearPass


Lab Workflow – 802.1X


[Flowchart]

SSID: CP-Atm-dot1x (PEAP-MSCHAPv2)
  → Corporate Device?
      No  → Redirect to information page
      Yes → User?
              Marketing     → Full Internet (Including Social Media)
              Everyone Else → Limited Internet (No Social Media)

Page 10: Access Management with Aruba ClearPass


Enforcement


[Diagram]

RADIUS REQUEST → ClearPass → RADIUS RESPONSE

HTTP ENFORCEMENT (to external context servers)

RADIUS Accounting via ACCT Proxy (new in CP 6.5)
  Target: Checkpoint, Fortinet, Websense, others

Page 11: Access Management with Aruba ClearPass


802.1X Demo

• Audience
  • Use your personal SmartDevice
  • You will be redirected.

• Presenter
  • Connect with corporate SmartDevice
  • mark is in Marketing.
  • jsmith is not in Marketing.


Page 12: Access Management with Aruba ClearPass


Lab Workflow - Guest


[Flowchart]

SSID: CP-Atm-Guest (open)
  → Corporate Device?
      Yes → • AOS: Redirect to corporate security guidelines
            • ServiceNow: Open HelpDesk Incident
      No  → Guest Self-Reg Workflow
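The two lab flowcharts (802.1X and Guest) written out as policy code, so the ordering of the decisions is explicit. This is an added illustration, not ClearPass configuration or vendor code; the SSID names and the users mark/jsmith come from the slides, while the role names, the Session model and the rule that "corporate device" means the endpoint record carries an AD_Name attribute are assumptions made here.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    """The facts known about one connection attempt (constructed model)."""
    ssid: str
    username: str
    ad_groups: frozenset = frozenset()          # AD group memberships from the auth source
    endpoint_attrs: dict = field(default_factory=dict)  # e.g. {"AD_Name": "..."}


def is_corporate(session):
    """Assumption: a device is corporate when its endpoint record has an AD_Name,
    the same attribute the slides substitute into the ServiceNow ticket."""
    return bool(session.endpoint_attrs.get("AD_Name"))


def dot1x_policy(session):
    """Lab Workflow – 802.1X: non-corporate devices are redirected; corporate
    devices get a role by AD group (Marketing first, then everyone else)."""
    if not is_corporate(session):
        return {"role": "Redirect-Info-Page", "actions": ["redirect: information page"]}
    if "Marketing" in session.ad_groups:
        return {"role": "Full-Internet", "actions": ["allow: social media"]}
    return {"role": "Limited-Internet", "actions": ["deny: social media"]}


def guest_policy(session):
    """Lab Workflow – Guest: a corporate device on the open SSID is redirected
    and a HelpDesk incident is opened; everyone else goes to self-registration."""
    if is_corporate(session):
        return {"role": "Corporate-On-Guest",
                "actions": ["AOS: redirect to corporate security guidelines",
                            "ServiceNow: open HelpDesk incident"]}
    return {"role": "Guest-Self-Reg", "actions": ["guest self-registration workflow"]}


# Service matching on SSID; anything unmatched falls through to deny.
SSID_SERVICES = {"CP-Atm-dot1x": dot1x_policy, "CP-Atm-Guest": guest_policy}


def evaluate(session):
    """Pick the service by SSID and return the enforcement decision."""
    policy = SSID_SERVICES.get(session.ssid)
    if policy is None:
        return {"role": "Deny", "actions": ["no matching service"]}
    return policy(session)


if __name__ == "__main__":
    # Constructed sessions mirroring the demo: mark (Marketing), jsmith (not Marketing),
    # an audience member's personal device, and a corporate device on the Guest SSID.
    for s in (Session("CP-Atm-dot1x", "mark", frozenset({"Marketing"}), {"AD_Name": "mark"}),
              Session("CP-Atm-dot1x", "jsmith", frozenset({"Sales"}), {"AD_Name": "jsmith"}),
              Session("CP-Atm-dot1x", "visitor"),
              Session("CP-Atm-Guest", "jsmith", frozenset(), {"AD_Name": "jsmith"}),
              Session("CP-Atm-Guest", "visitor")):
        print(s.ssid, s.username, "->", evaluate(s)["role"])
```

Note what the corporate check rests on: a device whose endpoint record has no AD_Name yet (never seen by ClearPass, or a stale profile) is treated as non-corporate, so on the Guest SSID no ticket is opened for it. When testing the guest-side enforcement, check the endpoint attributes recorded for the test device before concluding the HelpDesk integration failed.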

Page 13: Access Management with Aruba ClearPass


Three components to HTTP enforcement


1. Endpoint Context Server – Define the External Server
   • (e.g. IP Address, credentials)

2. Context Server Action – Define the action to take place
   • (e.g. Open a helpdesk ticket, send push notification)

3. Enforcement Profile – Joins the External Context Server with the Context Server Action.

Page 14: Access Management with Aruba ClearPass


Endpoint Context Server


1. Endpoint Context Server

Page 15: Access Management with Aruba ClearPass


Context Server Action


2. Context Server Action

Page 16: Access Management with Aruba ClearPass


Enforcement Profile


3. Enforcement Profile

Page 17: Access Management with Aruba ClearPass


Using Dynamic Variables in ClearPass

• Almost all of the “context” that is collected by ClearPass can be called up and used via dynamic “namespace” variables.

• For example:
  • %{Radius:Aruba:Aruba-Location-Id}
  • %{Connection:Client-Mac-Address-Colon}
  • %{Endpoint:AD_Name}

• These can be used in:
  • Service Matching
  • Role mapping
  • Enforcement profiles and policies
  • Auth source filters/queries
  • Context Server Actions

• When used, the variable is replaced dynamically with the information pertaining to that device or user.


Page 18: Access Management with Aruba ClearPass


Context Examples

Page 19: Access Management with Aruba ClearPass


Using Dynamic Variable Examples


Context Server Action – POST to ServiceNow (request body):

    {
      "short_description": "Corporate Device on the Guest Network",
      "priority": "3",
      "description": "Offending Device:\n User: %{Endpoint:AD_Name}\n Mac Address: %{Connection:Client-Mac-Address-Colon}\n Location: %{Radius:Aruba:Aruba-Location-Id}",
      "u_category": "71feaf0f8c00d100a4e1ee6a09f9bc72",
      "u_subcategory": "02feaf0f8c00d100a4e1ee6a09f9bc29",
      "assigned_to": "mobileadmin"
    }
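The three HTTP-enforcement components (Endpoint Context Server, Context Server Action, Enforcement Profile) and the dynamic-variable substitution into the ServiceNow body above, modelled end to end. This is an added example and not ClearPass code: the dataclasses, the `resolve_variables` renderer and the `build_request` function are inventions of this page, the ServiceNow hostname, credentials and the `/api/now/table/incident` path are placeholders, and the session values are constructed. The body template and its field names are the ones on the slide. The point a practitioner should take from it is the JSON-encoding step: a substituted value that contains a quote or backslash (an AD name, a location string) must be encoded, or the rendered body stops being valid JSON and the ticket is never opened.

```python
import json
import re
from dataclasses import dataclass, field

# Matches a ClearPass-style dynamic variable such as %{Endpoint:AD_Name}
VAR_RE = re.compile(r"%\{([A-Za-z0-9_:-]+)\}")


@dataclass
class EndpointContextServer:
    """Component 1: the external server (address and credentials)."""
    name: str
    base_url: str
    username: str
    password: str


@dataclass
class ContextServerAction:
    """Component 2: the HTTP action, with a body template holding dynamic variables."""
    name: str
    method: str
    path: str
    body_template: str
    headers: dict = field(default_factory=lambda: {"Content-Type": "application/json"})


@dataclass
class EnforcementProfile:
    """Component 3: joins one context server with one action."""
    name: str
    server: EndpointContextServer
    action: ContextServerAction


def resolve_variables(template, context, json_mode=True):
    """Replace each %{Namespace:Attribute} with its value from `context`.

    With json_mode=True every value is JSON-encoded before insertion, so a value
    containing a quote or backslash cannot break the JSON body. An unresolved
    variable raises instead of silently sending a literal %{...} to the server.
    """
    def repl(match):
        key = match.group(1)
        if key not in context:
            raise KeyError(f"unresolved dynamic variable %{{{key}}}")
        value = str(context[key])
        # json.dumps adds surrounding quotes; the template already supplies them
        return json.dumps(value)[1:-1] if json_mode else value
    return VAR_RE.sub(repl, template)


def build_request(profile, context):
    """Render the request the profile would send (nothing is transmitted here)."""
    body = resolve_variables(profile.action.body_template, context)
    json.loads(body)  # fail early if the rendered body is not valid JSON
    return {
        "method": profile.action.method,
        "url": profile.server.base_url.rstrip("/") + profile.action.path,
        "auth": (profile.server.username, profile.server.password),
        "headers": dict(profile.action.headers),
        "body": body,
    }


# Body template from the slide (raw string keeps the \n escapes as JSON escapes).
SERVICENOW_BODY = (
    r'{"short_description":"Corporate Device on the Guest Network","priority":"3",'
    r'"description":"Offending Device:\n User: %{Endpoint:AD_Name}\n'
    r' Mac Address: %{Connection:Client-Mac-Address-Colon}\n'
    r' Location: %{Radius:Aruba:Aruba-Location-Id}",'
    r'"u_category":"71feaf0f8c00d100a4e1ee6a09f9bc72",'
    r'"u_subcategory":"02feaf0f8c00d100a4e1ee6a09f9bc29","assigned_to":"mobileadmin"}'
)

# Placeholder server, credentials and API path (assumptions, not from the slides).
SERVICENOW = EndpointContextServer("servicenow-lab", "https://example.service-now.com",
                                   "clearpass-api", "PLACEHOLDER-PASSWORD")
OPEN_INCIDENT = ContextServerAction("Open HelpDesk Incident", "POST",
                                    "/api/now/table/incident", SERVICENOW_BODY)
CORP_ON_GUEST = EnforcementProfile("Corporate Device on Guest", SERVICENOW, OPEN_INCIDENT)

# Constructed session context; the AD_Name deliberately contains a quote and a backslash.
SAMPLE_CONTEXT = {
    "Endpoint:AD_Name": 'CORP\\jsmith "surface"',
    "Connection:Client-Mac-Address-Colon": "64:20:0c:3d:8f:d7",
    "Radius:Aruba:Aruba-Location-Id": "HQ-Floor3",
}


def open_incident_request(context=SAMPLE_CONTEXT):
    return build_request(CORP_ON_GUEST, context)


def incident_fields(context=SAMPLE_CONTEXT):
    """The rendered body parsed back, to confirm the values survive the round trip."""
    return json.loads(open_incident_request(context)["body"])


def naive_body(context=SAMPLE_CONTEXT):
    """What a template engine that only does text substitution would send."""
    return resolve_variables(SERVICENOW_BODY, context, json_mode=False)


def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    req = open_incident_request()
    print(req["method"], req["url"])
    print(json.dumps(incident_fields(), indent=2))
    print("naive substitution valid JSON:", is_valid_json(naive_body()))
```

Run it as a script to see the rendered incident; `naive_body()` shows the same template with plain text substitution, which fails to parse because of the quote in the AD name. When a Context Server Action in production stops producing tickets for some users but not others, comparing the rendered body for a failing session against a working one is the first check.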

Page 20: Access Management with Aruba ClearPass


ServiceNow Configuration & Demo

• Let’s configure ServiceNow
  • Use Case: Open HelpDesk Incident when a corporate device connects to the Guest network

• Use your SmartDevice
  • Register for an account


Page 21: Access Management with Aruba ClearPass


Web Login Page Customization

• Many customization/personalization options exist in WebLogin pages
  • (Different from your Skin)

• Built-in capability to:
  • Leverage “FontAwesome” fonts
  • Insert other page links
  • Inject PHP code into header/footer
  • Leverage user/device/session variables

• For this, create a “dump” page to see what’s available


Page 22: Access Management with Aruba ClearPass


Variable Dump Page


https://10.0.0.25/guest/dump.php?mac=64:20:0c:3d:8f:d7

Page 23: Access Management with Aruba ClearPass


Variable use in WebLogin Pages

• Using HTTP User-Agent:

    <p align=center>You are attempting to Onboard your {$_wpl.browser.uaparser.os.family} device with {$_wpl.browser.uaparser.ua.family}{if $_wpl.browser.uaparser.os.family == "Mac OS X"}, please try again using the Safari browser{/if}.</p>

• Using Endpoint attributes:

    <p>Attention {$_endpoint.AD_Name}, this device is a corporate asset and therefore should not be accessing the visitor network.</p>

Page 24: Access Management with Aruba ClearPass


Guest – Weblogin customization

• Let’s explore weblogin customizations
  • How did we pull the Username onto the page?
  • Let’s see the ‘dump’ page.


Page 25: Access Management with Aruba ClearPass


Lab Setup

• 4th Gen Intel NUC D54250WYK
  – Core i5, 16GB RAM, 512GB SSD
  – ESXi 5.5 (custom install with Intel ethernet driver net-e1000e)

• Aruba 7005 Controller

• IAP-205 (in CAP Mode)

[Lab network diagram: Internet, DHCP, NAT, Controller; ESXi host running PA-VM, CP-VA-EVAL and Win2k8]

Page 26: Access Management with Aruba ClearPass


Aruba Solution Exchange

ase.arubanetworks.com

Configuration Made Simple

Undo Configs

AOS, Instant, MAS, ClearPass, Juniper, Cisco…


Page 27: Access Management with Aruba ClearPass

THANK YOU
