Access Management with Aruba ClearPass
June 2014
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
#AirheadsConf
Agenda
• Introductions & Expectations
• What is ClearPass
• ClearPass – Policy Model
• Authorization – What and Why
• Profile – How does it work
• Clustering & Deployment
• Q & A
ClearPass Overview
Evolving IT Landscape
IT CENTRIC
• Windows
• Fixed Environment
• Wired Network
• IT Managed
• Slow Refresh
USER CENTRIC, SELF SERVICE
• Multiple Platforms
• Work from anywhere
• Wired, Wi-Fi, Cellular
• Selection of devices & apps
• User Timeframes
The ClearPass Solution
Comprehensive Solutions Architecture – Visibility, Policy, Workflow
• Role-based Enforcement
• Health/Posture Checks
• Device and App
• Device Profiling
• Troubleshooting
• Per Session Tracking
• Onboarding, Registration
• Guest Management
• MDM Integration
The ClearPass Access Security Platform
[Diagram: ClearPass Policy Manager (AAA Services, ONE ID Policy Engine) at the centre, drawing on Identity Stores, 3rd Party MDM and App Servers]
Policy Services:
• Enterprise-class AAA – RADIUS, TACACS+
• OnGuard – Posture & Health Checks
• Onboard – Device Provisioning
• Guest – Visitor Management
Outcomes for Guest and Employee, over VPN and Multivendor Networks: Differentiated Access, Unified Policies, Device Visibility
Context-Based Access Control
• Differentiated Access
  – Role, device type, access method
• Policy-based AAA Services
  – Support for 802.1X, MAC, Web (HTTPS) authentication
  – Communicate to network devices via RADIUS, RADIUS CoA, TACACS+, SNMP
  – Ability to read from multiple identity stores (AD, LDAP, SQL, Kerberos, Token Server, etc.)
  – Enforcement Options – Allow/Deny, VLAN, ACL, dACL, URL redirects, SNMP
• Contextual Policy Elements
  – Time, location, group, OS version, project
Platform Features – Out of the box
Multivendor DNA – Wired, WLAN, VPN
Core Authentication – AAA, LDAP, AD, Kerberos, Token, SQL, MAC, 802.1X, TACACS+, HTTPS, SSO (SAML, Okta)
Integrated Profiling – Device profiling across wired & wireless; use directly in authorization policy
ClearPass Core Services
MDM Integration – Leverage information gained from MDM vendors for profiling & to influence policy
TACACS+ Server – Replace legacy ACS solutions
Context Aware Authorization – Device type, User, Time, Location, Posture; layer multiple conditions for policy derivation
Platform Features – Out of the box
Scale with Clustering – Supports 1 million endpoints per cluster; centralized or distributed architecture
Flexible Licensing
• Perpetual licenses
• Subscription licenses
• 25 free endpoint Enterprise license included
Physical or Virtual Appliances – Sized for a variety of customer needs; virtual appliance relies upon VMware
What’s in ClearPass 6.3
INTEGRATION / INTEROPERABILITY
Auto Sign-On for Apps
• Simple network authentication for app login
• Opens doors for mobile device SSO opportunities
Guest Advertising Included
• Customizable for gender, season, location
• Larger story in retail, healthcare, entertainment
Enhanced Certificate Distribution
• 3rd Party MDM solutions can now use Onboard CA
• You are the alternative for internal PKI integration
What’s in ClearPass 6.3
INTEGRATION / INTEROPERABILITY
Remote Support
• Set up a secure TAC session with a simple click
• Customer support because you asked for it
SPAN Port Profiling
• Any device addressed via DHCP gets profiled
• You get the big picture faster, from one port
Exchange
• Built-in tools for integration of third-party systems
• Data exchange with MDM, helpdesk, SIEM apps made easy
ClearPass Auto Sign-On
Only Aruba lets you sign-in once & you’re good to go
• One login for all web/mobile apps
– Uses valid network login
• NO App logins
• IBM, Okta, Ping
• ClearPass as Provider (IdP)
– Uses SAML, not RADIUS
ClearPass Exchange
Two-way Third-Party Integration
Third-party systems: Payment Management, Patient Check-in, Helpdesk Tickets, MDM Solutions, SIEM Systems
ClearPass exchanges data with them via Syslog messages / RESTful APIs
Example flow:
1. Jail-broken device detected; ClearPass denies access to the device
2. Helpdesk ticket auto generated
3. Message to device auto generated
ClearPass Policy Model
ClearPass Policy Model
• What constitutes the policy model?
• How does it work?
• What are the interactions between various components?
• How does the policy model affect configuration & deployment?
ClearPass Policy Model
Policy is built from four kinds of input:
• Identity – Role, Department, Group
• Health – AV, AS, FW, Registry Keys, Services…
• Device – Device type, status, health; Address, O/S; Corp. Owned
• Conditions – Time, Location, Day of Week
What’s the flow?
Authenticate – Valid Authentication
Authorize – Find Out What’s Allowed
Associate Context – Device, Time, Location, Posture
Enforce on NAS – Roles, ACLs, VLANs
What Are The Interactions?
RADIUS Server – Authenticate
Policy Server – Authorize
Policy Server – Associate Context
Policy Server – Decision Tree
RADIUS Server – Enforce
ClearPass Policy Enforcement
ClearPass uses external context to define granular policies
WHO – User / role
WHAT – Device fingerprint, OS version, Health checks, Jailbreak status
WHERE – Location, Trusted or untrusted network
WHEN – Time, Date
HOW – Wired, Wi-Fi, VPN enforcement
Enforcement actions: Permit/Deny, Whitelist/Blacklist, Remediate, Quarantine, Redirect, Role-based Security, Bandwidth Mgmt, Optimized Multimedia
Service Flow – 802.1X
• Layer 2 – RADIUS Request
• Layer 2 – Authentication
• Layer 2 – Authorization
• Layer 2 – Role Derivation
• Layer 2 – RADIUS Enforcement
• Layer 3 – Profile
• Layer 2 – NAP
• Layer 3 – OnGuard
Service Flow – Implications
• Layer 2 authentications are completed first
  – Full Authorization
  – Role Derivation
  – NAP (if enabled)
  – Layer 2 Enforcement
• Layer 3: Profile next
  – DHCP Request, DHCP Offer
  – RFC 3576 – Change of Authorization
    • Another Layer 2 authentication!
  – No RFC 3576 message if “fingerprint” does not change
• Layer 3: Collect Posture last (OnGuard)
  – Posture over HTTPS
  – RFC 3576 based on policy
    • Another Layer 2 authentication!
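An added example (not from the deck, and not ClearPass code) that walks the flow just described together with the "Evaluate All" rule algorithm used in Role Mapping: the Layer 2 pass derives roles and a RADIUS enforcement, and the Layer 3 Profile pass issues a CoA, and so a fresh Layer 2 authentication, only when the fingerprint changes. The role rules, enforcement table and attribute names are constructed.

```python
# Constructed model of the 802.1X service flow (not ClearPass code); rule
# tables and attribute names are invented for illustration.
from dataclasses import dataclass, field

# Role mapping, "Evaluate All" style: every matching rule adds its role.
ROLE_RULES = [
    ("Executive", lambda r: "CN=Executives" in r["ad_groups"]),
    ("Employee", lambda r: "CN=Domain Users" in r["ad_groups"]),
    ("Mobile", lambda r: r["device_category"] == "SmartDevice"),
    ("Unknown-Device", lambda r: r["device_category"] == "Unknown"),
]

# Enforcement policy: the first rule whose required roles are all present wins.
ENFORCEMENT = [
    ({"Executive", "Mobile"}, {"VLAN": 10, "ACL": "exec-full"}),
    ({"Unknown-Device"}, {"VLAN": 99, "ACL": "quarantine"}),
    ({"Employee"}, {"VLAN": 20, "ACL": "corp-default"}),
]

def derive_roles(request):
    return {role for role, cond in ROLE_RULES if cond(request)}

def enforce(roles):
    for required, attrs in ENFORCEMENT:
        if required <= roles:
            return attrs
    return {"Access": "Deny"}

@dataclass
class Session:
    request: dict                     # attributes known at Layer 2 (AD groups)
    fingerprint: str = "Unknown"      # Device Category last reported by Profile
    roles: set = field(default_factory=set)
    enforcement: dict = field(default_factory=dict)
    coa_count: int = 0                # RFC 3576 messages sent to the NAS

    def layer2_auth(self):
        # Authenticate, authorize, derive roles and enforce via RADIUS.
        self.request["device_category"] = self.fingerprint
        self.roles = derive_roles(self.request)
        self.enforcement = enforce(self.roles)

    def layer3_profile(self, category):
        # Profile after DHCP: CoA (and another Layer 2 auth) only on a change.
        if category == self.fingerprint:
            return False
        self.fingerprint = category
        self.coa_count += 1
        self.layer2_auth()
        return True
```

An executive's unprofiled tablet first lands in the quarantine VLAN, is re-authenticated into VLAN 10 once Profile reports a SmartDevice, and receives no further CoA while the fingerprint stays the same.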
Authorization – What and Why
Authorization – What and Why?
• Authentication vs. Authorization
• Authorization & ClearPass
• Use Cases
Authorization & ClearPass
“Authorization” Sources in ClearPass
– Where do I find them?
– How do I use them?
– How often does ClearPass talk to an authorization source?
– What happens in case something goes wrong?
Authorization Sources – Where?
An “Authentication Source” is an “Authorization Source”
– RADIUS Server vs. Policy Server
Authorization Sources – How?
Authentication Sources are automatic Authorization Sources
Additional Authorization Sources enabled per Service
No Authorization unless used in Roles!
Authorization Sources – How?
Authorize with Active Directory
Authorize with Profile Data
Rule Algorithm: Evaluate All
Authorization – How?
Ok, great. But will ClearPass flood my AD with authorization requests?
– Authorization data is cached per user
– A new request is made to fetch data once the cache expires
– Cache timers can be tuned
Cache Timeout – Default: 10 hours
Authorization – How?
Got it. But I just made a bunch of changes on my AD. Do I need to wait 10 hours?
– Tune the cache timers
– “Clear Cache” button on the Authentication Source
  • Wipes out cache for all users
– “Save” button on the Authentication Source
  • Wipes out cache for all users
– Restart Policy Server
  • BAD IDEA!!!
Authorization – Uh-Oh!
If an Authentication/Authorization Source is not reachable
– Configure Backup Servers
– Configure Fail-Over Timeout
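An added example (not from the deck, and not ClearPass code) of the caching and fail-over behaviour described in the authorization slides above: a per-user cache with the 10-hour default timeout, the cache wiped on Save/Clear Cache, and a walk down the backup-server list bounded by a fail-over timeout. The directory servers, their contents and the 3-second fail-over default are constructed.

```python
# Constructed model of authorization caching and fail-over (not ClearPass
# code); the directory servers and their data are invented for the example.
import time

DEFAULT_CACHE_TIMEOUT = 10 * 3600   # the 10-hour default from the slides
DEFAULT_FAILOVER_TIMEOUT = 3.0      # assumed value, seconds

class DirectoryServer:
    """Stand-in for one AD/LDAP server behind an authentication source."""
    def __init__(self, name, users, latency=0.1, reachable=True):
        self.name, self.users = name, users
        self.latency, self.reachable = latency, reachable
        self.queries = 0   # counts how often the server is really asked

    def fetch(self, username, timeout):
        # A dead server, or one slower than the fail-over timeout, is skipped.
        if not self.reachable or self.latency > timeout:
            raise ConnectionError(self.name)
        self.queries += 1
        return dict(self.users.get(username, {}))

class AuthorizationSource:
    def __init__(self, servers, cache_timeout=DEFAULT_CACHE_TIMEOUT,
                 failover_timeout=DEFAULT_FAILOVER_TIMEOUT, clock=time.time):
        self.servers = servers            # primary first, then backup servers
        self.cache_timeout = cache_timeout
        self.failover_timeout = failover_timeout
        self.clock = clock
        self._cache = {}                  # username -> (expires_at, attributes)

    def save(self):
        """'Save' or 'Clear Cache' on the source wipes the cache for all users."""
        self._cache.clear()

    def authorize(self, username):
        now = self.clock()
        hit = self._cache.get(username)
        if hit and hit[0] > now:
            return hit[1]                 # cache hit: no directory traffic at all
        for server in self.servers:       # fail-over: walk the backup list in order
            try:
                attrs = server.fetch(username, self.failover_timeout)
            except ConnectionError:
                continue
            self._cache[username] = (now + self.cache_timeout, attrs)
            return attrs
        raise RuntimeError(f"no authorization server reachable for {username}")
```

The query counters show what the slides promise: one directory lookup per user per cache lifetime, regardless of how many authentications that user performs.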
Use Cases – Mergers & Acquisitions
Active Directory Domain – avendasys.com
Active Directory Domain – arubanetworks.com
Use Cases – Certificates & TLS
Authentication & Authorization Sources for TLS
Certificate Details used for Authorization
Enable Authorization – Source specified in the Service
Compare Certificate – Source specified in the Service
Use Cases – Asset Databases
LDAP/SQL Interface to Asset Databases
– Key: MAC Address
– Authorization Attributes
  • Ownership – Corporate vs. Personal
  • Compliance Status – In/Out of compliance
– Identify corporate-owned non-Windows devices
Profile – How Does It Work?
Profile – How does it work?
• Profile & Network Data
• Automatic Profile “upgrades”
• Using Profile data in policy
• Configuring Profile
  – DHCP? HTTP? SNMP?
• Use Cases
Profile & Network Data
What does ClearPass use to profile?
– MAC OUIs
– DHCP Request, DHCP Offer
– HTTP User-Agent
– MDM Fingerprints
– Device Interrogation
– SNMP/CDP/LLDP Data
Fingerprint Updates
• Subscribe to Fingerprint Updates
  – Automatic reclassification
  – Updated frequently
• Tell Aruba!
  – Create policy exceptions
  – Grab fingerprints from UI
  – Send fingerprints to Aruba
  – Crowd-sourced, community oriented
Using Profile data in policy
• Automatic 3-level categorization
  – Device Category, OS Family, Device Name
• Using raw profile data
  – DHCP Data, HTTP User-Agent, SNMP Data
• Role Mapping
  – What should I use?
• Enforcement
  – How do I enforce?
  – What are the benefits?
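An added illustration (not from the deck, and not ClearPass code) of the profiling inputs listed above and the 3-level categorization they feed: raw MAC OUI, DHCP option 55 parameter list and HTTP User-Agent are matched against a fingerprint table, and more specific evidence arriving later reclassifies the endpoint. The fingerprint table, the OUI AA:BB:CC and the vendor name are assumptions, not the real fingerprint database.

```python
# Constructed illustration of profiling (not ClearPass code): raw network data
# is matched against a fingerprint table to give the 3-level categorization.
# The table is invented; the real fingerprint database comes from Aruba's updates.
import re

UNKNOWN = ("Unknown", "Unknown", "Unknown")

# (evidence source, pattern, (Device Category, OS Family, Device Name)).
# Ordered from most to least specific evidence; the first match wins.
FINGERPRINTS = [
    ("user_agent", re.compile(r"\(iPad; .*OS \d+"), ("SmartDevice", "Apple", "Apple iPad")),
    ("user_agent", re.compile(r"Windows NT \d+\.\d+"), ("Computer", "Windows", "Windows")),
    ("dhcp_options", "1,121,3,6,15,119,252", ("SmartDevice", "Apple", "Apple iOS Device")),
    ("oui", "AA:BB:CC", ("Printer", "ExampleVendor", "ExampleVendor Printer")),
]

def normalise_oui(mac):
    """'aa-bb-cc-11-22-33' / 'aabb.cc11.2233' -> 'AA:BB:CC' (first three octets)."""
    octets = re.findall(r"[0-9a-f]{2}", mac.lower().replace("-", "").replace(":", ""))
    return ":".join(octets[:3]).upper()

def profile(endpoint):
    """endpoint: dict with 'mac' plus whatever DHCP / HTTP evidence has been
    collected so far. Returns ((category, os_family, device_name), source)."""
    evidence = {
        "user_agent": endpoint.get("user_agent", ""),
        "dhcp_options": endpoint.get("dhcp_options", ""),   # DHCP option 55 list
        "oui": normalise_oui(endpoint["mac"]),
    }
    for source, pattern, classification in FINGERPRINTS:
        value = evidence[source]
        if not value:
            continue
        matched = pattern.search(value) if isinstance(pattern, re.Pattern) else pattern == value
        if matched:
            return classification, source
    return UNKNOWN, None
```

Because the returned tuple also names the evidence source, a role-mapping rule can require a category backed by DHCP or HTTP data rather than OUI alone.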
Configuring Profile – Network Considerations
• DHCP Relay
  – Where should I set up DHCP relays?
• Captive Portal Configuration
  – Is there a knob for this?
• Reading SNMP Data
  – CDP
  – LLDP
  – HR MIB
  – SysDescr MIB
Use Cases
• Policy – CEOs & iPads
• Policy – “Headless” Devices
• Visibility – Demystifying BYODs
Use Cases – CEOs & iPads
Assign Roles
Enforce Access
Use Cases – Headless Devices
Identify & Assign Roles To Headless Devices
Use Cases – Visibility
Clustering & Deployment
Clustering & Deployment
• Clustering Technology
  – What’s replicated? What’s not?
• Deploying ClearPass Clusters
  – Considerations
• Operations & Maintenance
  – What happens when a ClearPass node is down?
  – Events & Alerts
  – Rescue & Recovery
Clustering Technology
• What’s replicated?
  – All policy configuration elements
  – All Audit data
  – All identity store data
    • Guest Accounts, Endpoints, Profile data
  – Runtime Information
    • Authorization status, Posture status, Roles
    • Connectivity Information, NAS Details
  – Database replication on port 5432 over SSL
  – Runtime replication on port 443 over SSL
Clustering Technology
• What’s not replicated?
  – Log files
  – Authentication Records
  – Accounting Records
  – System Events
  – System Monitor Data
Clustering – Considerations
• How do they connect?
  – Requires IP connectivity (bi-directional)
    • Port 5432 (Database over SSL)
    • Port 80 (HTTP)
    • Port 443 (HTTPS)
    • Port 123 (NTP)
• How much data should we expect to see crossing the wire?
  – Only elements in the configuration database
  – First sync is a full database copy
  – Subsequent syncs – delta changes propagated
Clustering – Considerations
Hub & Spoke: one PUBLISHER replicating to SUBSCRIBER 1 through SUBSCRIBER 6
Clustering – Considerations
Central / Distributed Admin Domains
Redundancy/Load Balancing
Cluster-wide licenses
[Diagram: CPPM Publisher in the Main Data Center alongside DNS/DHCP and Identity Stores; CPPM Subscribers in a Mid-size Branch and a Regional Office; a CPPM Subscriber VM in the DMZ serving CP Guest and CP Onboard]
Operations & Maintenance
• What happens when a node goes down?
  – Operations
    • If deployed right – nothing
    • RADIUS backup settings on the NAS
  – If the Publisher goes down
    • No database writes allowed!!
    • Promote a Subscriber to a Publisher
    • Resume configuration updates
Events & Alerts
• How long before ClearPass figures out something’s wrong?
  – 24 hours before it automatically “drops” a node from the cluster
  – Cluster Synchronization Warnings
    • 1 event every hour x 24 hours = 24 events
  – CPU/Memory Usage Warnings – every 2 minutes
  – Server Certificate Warnings – every 24 hours
  – Service Alerts – immediate
• Email/SMS Alerts using Insight, Syslog & SNMP
Operations & Maintenance
• Rescue & Recovery
  – Establish cluster connectivity
    • Database sync will ensue. Watch for “Last Sync Time”
  – Restore certificates
    • Server certificates are not installed as part of the sync
  – Restore log entries (if necessary)
    • Caveat: high disk activity for an extended period of time
  – Verify fail-back on the NAS
    • NAS fail-back timers should kick in
Q & A
Thank You