Access Management with Aruba ClearPass June 2014

Access Management with Aruba ClearPass #AirheadsConf Italy


CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

Agenda

• Introductions & Expectations
• What is ClearPass
• ClearPass – Policy Model
• Authorization – What and Why
• Profile – How does it work
• Clustering & Deployment
• Q & A


ClearPass Overview


Evolving IT Landscape

IT CENTRIC:
• Windows
• Fixed Environment
• Wired Network
• IT Managed
• Slow Refresh

USER CENTRIC, SELF SERVICE:
• Multiple Platforms
• Work from anywhere
• Wired, Wi-Fi, Cellular
• Selection of devices & apps
• User Timeframes


The ClearPass Solution – Comprehensive Solutions Architecture

Workflow, Policy and Visibility:
• Role-based Enforcement
• Health/Posture Checks
• Device and App
• Device Profiling
• Troubleshooting
• Per Session Tracking
• Onboarding, Registration
• Guest Management
• MDM Integration


The ClearPass Access Security Platform

• Policy Services
• Identity Stores
• 3rd Party MDM
• App Servers
• Differentiated Access
• Unified Policies
• Device Visibility
• Guest / Employee
• Enterprise-class AAA: RADIUS, TACACS+
• VPN
• OnGuard – Posture & Health Checks
• Onboard – Device Provisioning
• Guest – Visitor Management
• Multivendor Networks
• ClearPass Policy Manager: AAA Services, ONE ID, Policy Engine


Context-Based Access Control

• Differentiated Access
  – Role, device type, access method
• Policy-based AAA Services
  – Support for 802.1X, MAC, Web (HTTPS) authentication
  – Communicate to network devices via RADIUS, RADIUS CoA, TACACS+, SNMP
  – Ability to read from multiple identity stores (AD, LDAP, SQL, Kerberos, Token Server, etc.)
  – Enforcement Options – Allow/Deny, VLAN, ACL, dACL, URL redirects, SNMP
• Contextual Policy Elements
  – Time, location, group, OS version, project


Platform Features – Out of the box

• Multivendor DNA – Wired, WLAN, VPN
• Core Authentication – AAA, LDAP, AD, Kerberos, Token, SQL, MAC, 802.1X, TACACS+, HTTPS, SSO (SAML, Okta)
• Integrated Profiling – Device profiling across wired & wireless; use it directly in authorization policy


ClearPass Core Services

• MDM Integration – Leverage information gained from MDM vendors for profile & to influence policy
• TACACS+ Server – Replace legacy ACS solutions
• Context Aware Authorization – Device type, User, Time, Location, Posture; layer multiple conditions for policy derivation


Platform Features – Out of the box

• Scale with Clustering – Supports 1 million endpoints per cluster; centralized or distributed architecture
• Flexible Licensing
  – Perpetual licenses
  – Subscription licenses
  – 25 free endpoint Enterprise license included
• Physical or Virtual Appliances – Sized for a variety of customer needs; the virtual appliance relies upon VMware


What’s in ClearPass 6.3 – Integration / Interoperability

• Auto Sign-On for Apps
  – Simple network authentication for app login
  – Opens doors for mobile device SSO opportunities
• Guest Advertising Included
  – Customizable for gender, season, location
  – Larger story in retail, healthcare, entertainment
• Enhanced Certificate Distribution
  – 3rd Party MDM solutions can now use Onboard CA
  – You are the alternative for internal PKI integration


What’s in ClearPass 6.3 – Integration / Interoperability

• Remote Support
  – Set up a secure TAC session with a simple click
  – Customer support because you asked for it
• SPAN Port Profiling
  – Any device addressed via DHCP gets profiled
  – You get the big picture faster, from one port
• Exchange
  – Built-in tools for integration of third-party systems
  – Data exchange with MDM, helpdesk, SIEM apps made easy


ClearPass Auto Sign-On

Only Aruba lets you sign in once & you’re good to go
• One login for all web/mobile apps
  – Uses valid network login
• NO app logins
• IBM, Okta, Ping
• ClearPass as Identity Provider (IdP)
  – Uses SAML, not RADIUS


ClearPass Exchange – Two-way Third-Party Integration

• Third-party systems: Payment Management, Patient Check-in, Helpdesk Tickets, MDM Solutions, SIEM Systems
• ClearPass exchanges data with them via Syslog Messages / RESTful APIs
• Example flow:
  – Jail-broken device detected
  – ClearPass denies access to device
  – Helpdesk ticket auto generated
  – Message to device auto generated


ClearPass Policy Model


ClearPass Policy Model

• What constitutes the policy model?

• How does it work?

• What are the interactions between various components?

• How does the policy model affect configuration & deployment?


ClearPass Policy Model

Policy is built from:
• Identity – Role, Department, Group
• Health – AV, AS, FW, Registry Keys, Services…
• Device – Device type, status, health; Address, O/S; Corp. Owned
• Conditions – Time, Location, Day of Week


What’s the flow?

1. Authenticate – Valid Authentication
2. Authorize – Find Out What’s Allowed
3. Associate Context – Device, Time, Location, Posture
4. Enforce on NAS – Roles, ACLs, VLANs


What Are The Interactions?

RADIUS Server – Authenticate

Policy Server – Authorize

Policy Server – Associate Context

Policy Server – Decision Tree

RADIUS Server – Enforce


ClearPass Policy Enforcement

ClearPass uses external context to define granular policies:
• WHO – User / role
• WHAT – Device fingerprint, OS version, Health checks, Jailbreak status
• WHERE – Location, Trusted or untrusted network
• WHEN – Time, Date
• HOW – Wired, Wi-Fi, VPN enforcement

Enforcement actions: Permit/Deny, Whitelist/Blacklist, Remediate, Quarantine, Redirect, Role-based Security, Bandwidth Mgmt, Optimized Multimedia


Service Flow – 802.1X

Layer 2 RADIUS Request → Layer 2 Authentication → Layer 2 Authorization → Layer 2 Role Derivation → Layer 2 RADIUS Enforcement → Layer 3 Profile → Layer 2 NAP → Layer 3 OnGuard


Service Flow – Implications

• Layer 2 authentications are completed first
  – Full Authorization
  – Role Derivation
  – NAP (if enabled)
  – Layer 2 Enforcement
• Layer 3: Profile next
  – DHCP Request, DHCP Offer
  – RFC 3576 – Change of Authorization
    • Another Layer 2 authentication!
  – No RFC 3576 message if the “fingerprint” does not change
• Layer 3: Collect Posture last (OnGuard)
  – Posture over HTTPS
  – RFC 3576 based on policy
    • Another Layer 2 authentication!
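The ordering above matters for capacity planning: every RFC 3576 CoA costs the NAS another full Layer 2 authentication. The following model is an added example (not ClearPass code) that walks one endpoint through the flow and counts those authentications; the policy rules, device fingerprints and MAC addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Session:
    mac: str
    user: str
    role: str = "unknown"
    fingerprint: Optional[str] = None   # device category learned by Profile (Layer 3)
    posture: Optional[str] = None       # "healthy" / "unhealthy" reported by OnGuard
    l2_auths: int = 0                   # Layer 2 authentications performed so far
    coa_sent: int = 0                   # RFC 3576 CoA messages sent to the NAS
    log: List[str] = field(default_factory=list)

def derive_role(s: Session) -> str:
    """Role derivation over the session context (constructed policy, evaluate all rules)."""
    if s.posture == "unhealthy":
        return "quarantine"
    if s.user == "ceo" and s.fingerprint == "Apple iPad":
        return "exec-ipad"
    if s.fingerprint in ("Printer", "IP Phone"):
        return "headless"
    return "employee"

def layer2_auth(s: Session) -> str:
    """Layer 2: RADIUS request -> authentication -> authorization -> role -> enforcement."""
    s.l2_auths += 1
    s.role = derive_role(s)
    s.log.append(f"L2 auth #{s.l2_auths}: NAS enforces role={s.role}")
    return s.role

def send_coa(s: Session, reason: str) -> None:
    """RFC 3576 Change of Authorization: the NAS re-authenticates, so Layer 2 runs again."""
    s.coa_sent += 1
    s.log.append(f"{reason}: CoA #{s.coa_sent} sent")
    layer2_auth(s)

def profile_update(s: Session, fingerprint: str) -> bool:
    """Layer 3 Profile (DHCP request/offer). Returns True if a CoA was sent.
    No RFC 3576 message when the fingerprint does not change."""
    if fingerprint == s.fingerprint:
        s.log.append("profile: fingerprint unchanged, no CoA")
        return False
    s.fingerprint = fingerprint
    send_coa(s, f"profile: fingerprint -> {fingerprint}")
    return True

def posture_update(s: Session, posture: str) -> bool:
    """Layer 3 OnGuard posture over HTTPS. CoA only if policy now yields a different role."""
    s.posture = posture
    if derive_role(s) == s.role:
        s.log.append(f"posture: {posture}, role {s.role} unchanged, no CoA")
        return False
    send_coa(s, f"posture: {posture}")
    return True

def run_flow(user: str, mac: str, fingerprint: str, posture: str) -> Session:
    """Whole flow for one endpoint: Layer 2 first, Profile next, Posture last."""
    s = Session(mac=mac, user=user)
    layer2_auth(s)
    profile_update(s, fingerprint)
    profile_update(s, fingerprint)   # DHCP renew with the same fingerprint: no CoA
    posture_update(s, posture)
    return s
```

`run_flow("ceo", ..., "Apple iPad", "healthy").log` shows two Layer 2 authentications for a single connection, and an unhealthy posture result adds a third.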


Authorization – What and Why


Authorization – What and Why?

• Authentication vs. Authorization

• Authorization & ClearPass

• Use Cases


Authorization & ClearPass

“Authorization” Sources in ClearPass
– Where do I find them?
– How do I use them?
– How often does ClearPass talk to an authorization source?
– What happens in case something goes wrong?


Authorization Sources – Where?

An “Authentication Source” is an “Authorization Source”
– RADIUS Server vs. Policy Server


Authorization Sources – How?

Authentication Sources are automatic Authorization Sources

Additional Authorization Sources enabled per Service

No Authorization unless used in Roles!


Authorization Sources – How?

• Authorize with Active Directory
• Authorize with Profile Data
• Rule Algorithm: Evaluate All


Authorization – How?

Ok, great. But will ClearPass flood my AD with authorization requests?
– Authorization data is cached per user
– A new request is made to fetch data once the cache expires
– Cache timers can be tuned (Cache Timeout default: 10 hours)


Authorization – How?

Got it. But I just made a bunch of changes on my AD. Do I need to wait 10 hours?
– Tune the cache timers
– “Clear Cache” button on the Authentication Source
  • Wipes out the cache for all users
– “Save” button on the Authentication Source
  • Wipes out the cache for all users
– Restart Policy Server
  • BAD IDEA!!!


Authorization – Uh-Oh!

If an Authentication/Authorization Source is not reachable:
– Configure Backup Servers
– Configure Fail-Over Timeout
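The three slides above (per-user cache with a 10-hour default timeout, Clear Cache / Save wiping every entry, and fail-over to backup servers) are modelled in this added example; it is not ClearPass code, and the directory contents, server names and latencies are constructed.

```python
import time
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, str]

class DirectoryServer:
    """Constructed stand-in for an AD/LDAP server that answers after `latency` seconds."""
    def __init__(self, name: str, directory: Dict[str, Attrs], latency: float = 0.1):
        self.name, self.directory, self.latency = name, directory, latency

    def lookup(self, user: str) -> Attrs:
        return dict(self.directory.get(user, {}))

class AllSourcesUnreachable(Exception):
    pass

class AuthorizationSource:
    DEFAULT_CACHE_TIMEOUT = 10 * 3600   # seconds: the 10-hour default from the slides

    def __init__(self, servers: List[DirectoryServer],
                 cache_timeout: float = DEFAULT_CACHE_TIMEOUT,
                 failover_timeout: float = 3.0):
        self.servers = servers                      # primary first, then backup servers
        self.cache_timeout = cache_timeout          # the tunable cache timer
        self.failover_timeout = failover_timeout    # give up on a server after this long
        self._cache: Dict[str, Tuple[float, Attrs]] = {}   # user -> (fetched_at, attrs)

    def clear_cache(self) -> None:
        """'Clear Cache' (and 'Save') on the Authentication Source: wipes it for all users."""
        self._cache.clear()

    def authorize(self, user: str, now: Optional[float] = None) -> Tuple[Attrs, str]:
        """Return (attributes, where they came from). `now` is injectable for testing."""
        now = time.time() if now is None else now
        hit = self._cache.get(user)
        if hit is not None and now - hit[0] < self.cache_timeout:
            return hit[1], "cache"
        for srv in self.servers:
            if srv.latency > self.failover_timeout:
                continue            # fail-over timeout expired: try the next backup
            attrs = srv.lookup(user)
            self._cache[user] = (now, attrs)
            return attrs, srv.name
        raise AllSourcesUnreachable(f"no authorization source answered for {user}")

# Constructed directory data and servers for a stand-alone run.
USERS = {"alice": {"memberOf": "CN=Finance", "department": "Finance"}}
PRIMARY = DirectoryServer("ad-primary", USERS, latency=0.2)
BACKUP = DirectoryServer("ad-backup", USERS, latency=0.2)
SLOW_PRIMARY = DirectoryServer("ad-primary", USERS, latency=30.0)  # beyond fail-over timeout

def demo() -> List[str]:
    """Walk through cache hit, expiry, clear-cache and fail-over; return the sources used."""
    src = AuthorizationSource([PRIMARY, BACKUP])
    t0 = 1_000_000.0
    used = [src.authorize("alice", t0)[1],               # first request: ask primary
            src.authorize("alice", t0 + 3600)[1],        # 1h later: served from cache
            src.authorize("alice", t0 + 11 * 3600)[1]]   # 11h later: expired, refetch
    src.clear_cache()
    used.append(src.authorize("alice", t0 + 11 * 3600 + 1)[1])   # wiped: refetch
    failover = AuthorizationSource([SLOW_PRIMARY, BACKUP])
    used.append(failover.authorize("alice", t0)[1])      # primary too slow: backup answers
    return used
```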


Use Cases – Mergers & Acquisitions

Active Directory Domain – avendasys.com

Active Directory Domain – arubanetworks.com


Use Cases – Certificates & TLS

Authentication & Authorization Sources for TLS
• Certificate details used for Authorization
• Enable Authorization – Source specified in the Service
• Compare Certificate – Source specified in the Service


Use Cases – Asset Databases

LDAP/SQL Interface to Asset Databases
– Key: MAC Address
– Authorization Attributes
  • Ownership – Corporate vs. Personal
  • Compliance Status – In/Out of compliance
– Identify corporate-owned non-Windows devices


Profile – How Does It Work?


Profile – How does it work?

• Profile & Network Data

• Automatic Profile “upgrades”

• Using Profile data in policy

• Configuring Profile – DHCP? HTTP? SNMP?

• Use Cases


Profile & Network Data

What does ClearPass use to profile?
– MAC OUIs
– DHCP Request, DHCP Offer
– HTTP User-Agent
– MDM Fingerprints
– Device Interrogation
– SNMP/CDP/LLDP Data


Fingerprint Updates

• Subscribe to Fingerprint Updates
  – Automatic reclassification
  – Updated frequently
• Tell Aruba!
  – Create policy exceptions
  – Grab fingerprints from the UI
  – Send fingerprints to Aruba
  – Crowd-sourced, community oriented


Using Profile data in policy

• Automatic 3-level categorization
  – Device Category, OS Family, Device Name
• Using raw profile data
  – DHCP Data, HTTP User-Agent, SNMP Data
• Role Mapping
  – What should I use?
• Enforcement
  – How do I enforce?
  – What are the benefits?


Configuring Profile – Network Considerations

• DHCP Relay
  – Where should I set up DHCP relays?
• Captive Portal Configuration
  – Is there a knob for this?
• Reading SNMP Data
  – CDP
  – LLDP
  – HR MIB
  – SysDescr MIB


Use Cases

• Policy – CEOs & iPads

• Policy – “Headless” Devices

• Visibility – Demystifying BYODs


Use Cases – CEOs & iPads

Assign Roles

Enforce Access


Use Cases – Headless Devices

Identify & Assign Roles To Headless Devices


Use Cases – Visibility


Clustering & Deployment


Clustering & Deployment

• Clustering Technology
  – What’s replicated? What’s not?
• Deploying ClearPass Clusters
  – Considerations
• Operations & Maintenance
  – What happens when a ClearPass node is down?
  – Events & Alerts
  – Rescue & Recovery


Clustering Technology

• What’s replicated?
  – All policy configuration elements
  – All Audit data
  – All identity store data
    • Guest Accounts, Endpoints, Profile data
  – Runtime Information
    • Authorization status, Posture status, Roles
    • Connectivity Information, NAS Details
  – Database replication on port 5432 over SSL
  – Runtime replication on port 443 over SSL


Clustering Technology

• What’s not replicated?
  – Log files
  – Authentication Records
  – Accounting Records
  – System Events
  – System Monitor Data


Clustering – Considerations

• How do they connect?
  – Requires IP connectivity (bi-directional)
    • Port 5432 (Database over SSL)
    • Port 80 (HTTP)
    • Port 443 (HTTPS)
    • Port 123 (NTP)
• How much data should we expect to see crossing the wire?
  – Only elements in the configuration database
  – First sync is a full database copy
  – Subsequent syncs propagate only delta changes


Clustering – Considerations

Hub & Spoke topology: one PUBLISHER replicating to SUBSCRIBER 1 through SUBSCRIBER 6


Clustering – Considerations

• Central / Distributed Admin Domains
• Redundancy / Load Balancing
• Cluster-wide licenses

Example deployment (diagram): the CPPM Publisher sits with DNS/DHCP and the Identity Stores; CPPM Subscribers (including a Subscriber VM) and CP Guest / CP Onboard are spread across the Main Data Center, a Mid-size Branch, a Regional Office and the DMZ.


Operations & Maintenance

• What happens when a node goes down?
  – Operations
    • If deployed right – nothing
    • RADIUS backup settings on the NAS
  – If the Publisher goes down
    • No database writes allowed!!
    • Promote a Subscriber to Publisher
    • Resume configuration updates


Events & Alerts

• How long before ClearPass figures out something’s wrong?
  – 24 hours before it automatically “drops” a node from the cluster
  – Cluster Synchronization Warnings
    • 1 event every hour x 24 hours = 24 events
  – CPU/Memory Usage Warnings – every 2 minutes
  – Server Certificate Warnings – every 24 hours
  – Service Alerts – immediate
• Email/SMS alerts using Insight, Syslog & SNMP


Operations & Maintenance

• Rescue & Recovery
  – Establish cluster connectivity
    • Database sync will ensue. Watch for “Last Sync Time”
  – Restore certificates
    • Server certificates are not installed as part of the sync
  – Restore log entries (if necessary)
    • Caveat: high disk activity for an extended period of time
  – Verify fail-back on the NAS
    • NAS fail-back timers should kick in


Q & A


Thank You
