Advanced Access Management with Aruba ClearPass #AirheadsConf Italy

June, 2014

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

Agenda

• Single Sign-On and Auto Sign-On
• ClearPass Exchange
• HTTP Enforcement
• MDM Integration
• Post Authentication Engine
• What’s new in ClearPass?


Single Sign-On and Auto Sign-On

Identity Access Evolution (diagram, three stages)

1. Multiple Accounts, Multiple Identity Sources: Multiple Logins
2. Single Account, Single Identity Source: still Multiple Logins
3. Single Account, Single Identity Source: Single Login

Single Sign-On

Security
• Single source of identity information
• Need to authenticate & authorize users across applications

Usability
• Provide the best user experience
• Highly mobile users
• Smaller screens, virtual keyboards

Mobility
• On-Premise and Off-Premise applications
• Move to the cloud

Single Sign-On

• Security Assertion Markup Language (SAML)
  – Key technology behind SSO
  – ClearPass is compliant with SAML v2.0
• Key Roles within SAML
  – Principal – Typically a user who requests a service
  – Identity Provider (IdP) – Provides identity assertions by authenticating the user
  – Service Provider (SP) – Requests identity assertions from an IdP
• OpenID (as an SSO technology – out of scope)

SAML – Workflow (diagram: Browser)

ClearPass and SSO

• ClearPass as a Service Provider (SP)
  – ClearPass’ captive portals can act as a Service Provider
  – ClearPass will request identity assertions from an IdP
  – ClearPass may need to register with the IdP
• ClearPass as an Identity Provider (IdP)
  – ClearPass can act as an Identity Provider to supply identity assertions
  – Requesting applications (Service Providers) may need to register with ClearPass
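The SP side of this exchange, as an added Python example that is not part of the presentation or of ClearPass: it encodes an AuthnRequest for the HTTP-Redirect binding and then applies the checks an SP must make on the returned Response before trusting the assertion (status, InResponseTo, Destination, validity window, audience, bearer confirmation). The entity IDs, URLs, request ID and sample Response are all constructed; the sample is unsigned, so XML-signature verification, which a real SP performs before any of these checks, is not shown.

```python
"""Added example (not ClearPass code): the Service Provider side of SAML 2.0.
Encodes an AuthnRequest for the HTTP-Redirect binding and validates the
Response an IdP sends back.  Every identifier and the sample Response are
constructed; the sample is unsigned (signature checking is out of scope)."""
import base64
import zlib
from datetime import datetime
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://clearpass.example.net/sp"          # assumed
ACS_URL = "https://clearpass.example.net/guest/saml-acs"   # assumed
IDP_SSO_URL = "https://idp.example.net/sso"                 # assumed

def saml_time(s):
    """SAML timestamps are UTC, e.g. 2014-06-10T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def build_authn_request(request_id, issue_instant):
    """Return (xml, redirect_url).  The Redirect binding carries the request as
    raw DEFLATE (no zlib header) + base64 in the SAMLRequest query parameter."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw DEFLATE
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return xml, f"{IDP_SSO_URL}?{query}"

def decode_redirect_request(url):
    """Inverse of the Redirect-binding encoding (what the IdP does on receipt)."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()

def validate_response(response_xml, expected_request_id, now):
    """Checks an SP makes before acting on an assertion; returns (name_id,
    attributes) or raises ValueError.  A real SP verifies the IdP's XML
    signature before any of these checks mean anything."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("unsolicited or replayed response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("response addressed to another ACS URL")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("missing Assertion or Conditions")
    if not saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion issued for a different audience")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id or scd.get("Recipient") != ACS_URL:
        raise ValueError("bearer confirmation not bound to our request")
    name_id = assertion.find("saml:Subject/saml:NameID", NS).text
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs

# Constructed, unsigned IdP response for the constructed user "user17".
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1"
  Version="2.0" IssueInstant="2014-06-10T10:00:05Z" InResponseTo="_req1" Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.net</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-06-10T10:00:05Z">
    <saml:Issuer>https://idp.example.net</saml:Issuer>
    <saml:Subject><saml:NameID>user17</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1" Recipient="{ACS_URL}"
          NotOnOrAfter="2014-06-10T10:05:05Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2014-06-10T09:59:05Z" NotOnOrAfter="2014-06-10T10:05:05Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="role">
      <saml:AttributeValue>Employee</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def demo():
    """Round-trip the request encoding, then validate the sample response."""
    xml, url = build_authn_request("_req1", "2014-06-10T10:00:00Z")
    assert decode_redirect_request(url) == xml
    return validate_response(SAMPLE_RESPONSE, "_req1", saml_time("2014-06-10T10:00:30Z"))
```

Each check rejects a distinct class of bad assertion: InResponseTo and the bearer SubjectConfirmationData tie the response to a login this SP actually started, the audience check stops an assertion minted for one SP being accepted by another, and the NotBefore/NotOnOrAfter window bounds how long any response stays usable. ClearPass acting as an SP for its captive portals has to make the same decisions.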

ClearPass as SP

• When and Why?
  – A SAML IdP exists on the network
  – Need for centralized authentication/authorization for web applications
  – Portal driven options for network access
  – Portal driven options for device registration
  – ClearPass examples with portals: use-cases such as reporting, guest sponsors, device registration

ClearPass as IdP

• When and Why?
  – Need for centralized authentication/authorization for web applications
  – Multiple internal applications are driven off a web interface
  – ClearPass acts as an authentication/authorization engine for network transactions and application SSO
  – ClearPass can “chain” itself onto popular IDMs such as Ping Federate and Okta

ClearPass – IdP (diagram)

Components: CPPM (backed by AD/LDAP), Client Device, Cloud Apps; exchanges over HTTPS. Works on multivendor LAN and WLAN.

Flow: Open Application → Redirect to SSO Portal → Sign in, use application → SSO enabled for all apps

Auto Sign-On

• What is Auto Sign-On?
  – Reuse L2 network authentication information for SSO
  – Remove manual, repetitive application sign-on
  – Provide seamless identity transition from network to application
• What do I need to enable this?
  – ClearPass 6.3 as the L2 RADIUS server
  – ClearPass 6.3 as a SAML IdP
  – AOS 6.4 on Aruba Mobility Controllers

Auto Sign-On (diagram)

1. Authenticate to Wi-Fi
2. Open a work app
3. Start working: no manual sign-in

ClearPass: successful network authentication validates the user for automatic access to SAML-enabled web/work apps.

Auto Sign-On – Benefits

• No need to repeatedly key in application passwords on all devices!
• Extend “TLS” derived credentials to applications!
• Automate application sign-on
• Reuse network credentials for SSO
• Centralize identity and access management across L2 and L7
• UI Walkthrough


ClearPass Exchange

ClearPass Exchange (diagram)

ClearPass Exchange (REST-based APIs) sits between Users & Devices and the partner systems: Payment Management, Internet Security, Mobile Device Management, SIEM.

AUTOMATE SECURITY: Tickets, Notifications & Guest Login
ENABLE USERS: Enterprise, Guest, BYOD, Apps

ClearPass Exchange

• Inbound APIs
• Syslog/SQL Access
• Outbound Messaging
• Post-Authentication Controls

ClearPass APIs – Inbound

• Inbound APIs for identity management
  – Create/Register new users & devices
  – Retrieve/Manage users & devices
  – Update/Delete users & devices
• Inbound APIs for configuration management
  – Create/Retrieve/Update/Delete new policy elements
  – Includes Services, Authentication/Authorization Sources, Role Mappings, Enforcement, etc.
• SQL Access to Insight & “Log” Databases
  – Read-Only access for supplemental data processing

ClearPass APIs – Inbound

• Read – https://<server>/tipsapi/config/read/<Entity>
• Write – https://<server>/tipsapi/config/write/<Entity>
• Delete Confirm – https://<server>/tipsapi/config/deleteConfirm/<Entity>
• Delete – https://<server>/tipsapi/config/delete/<Entity>

ClearPass Exchange – MDM

Exchange endpoint context & trigger policies

Device Policies
• Device restrictions
• Remote Lock & Wipe
• Install Application
• Black list Apps

Network Policies
• Firewall Policies
• Redirect to enroll
• Quarantine devices
• Bandwidth Prioritization

MDM Interaction – Inbound

Inventory (example endpoint record, as shown on the slide)
• Manufacturer: Apple
• Model: iPad2
• OS Version: iOS 6.1
• UDID: 1730235f564094186
• Serial Number: 79049XXXA4S
• IMEI: 012416009780168
• Phone Number: 408-534-2819
• Carrier: Verizon
• MDM Id: 130d0f992t34
• Owner: jhoward
• Display Name: John Howard
• Ownership: Employee Liable

Posture
• MDM Enabled: Yes
• Compromised: Not Jailbroken
• Encryption Enabled: Yes
• Blacklisted Apps: No
• Required Apps: Yes
• Last Check in: 01/30/2012 9:03am

MDM Interaction – Outbound

Trigger MDM Action Using Device Information (diagram labels)
• Device connects over WiFi
• Device checks in with MDM
• Device type & posture polled for policy decisions & reporting
• Endpoint data replicated to ClearPass cluster
• ClearPass requests MDM Action

Outbound HTTP Messaging

• Can now combine both RADIUS and HTTP
  – Enforce on the network with RADIUS
  – Enforce via HTTP using RESTful APIs
    • Reverse action back to MDM server
    • Create a helpdesk ticket, post to a web application

Outbound HTTP Messaging

• Typically used for create actions
  – Most often used with HTTP POST method
• Select the Content-Type
  – Options include HTTP, JSON, XML, PLAIN and CUSTOM
• Support for parameterized values
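How the MDM slides and the outbound HTTP slides fit together (inbound posture attributes driving a network policy decision, and that decision rendered into a parameterized outbound HTTP body), as an added Python example that is not ClearPass code. The `%{Namespace:Attribute}` placeholder style mirrors ClearPass enforcement profiles, but the attribute names, the decision rules, the helpdesk JSON payload and the endpoint records (apart from the one copied from the MDM Interaction – Inbound slide) are assumptions. The rendering half makes one point the slides leave implicit: parameterized values are data the device or its user influences (a display name, for instance), so they must be escaped for the Content-Type in use, otherwise the generated JSON is malformed or its structure changes.

```python
"""Added example (not ClearPass code): map MDM posture attributes to a network
policy decision and render a parameterized outbound HTTP body for it.
The %{Namespace:Attribute} placeholder style mirrors ClearPass enforcement
profiles; attribute names, decision rules and the ticket payload are assumptions."""
import json
import re
from datetime import datetime, timedelta

NOW = datetime(2012, 1, 30, 12, 0)   # constructed evaluation time
MAX_CHECKIN_AGE = timedelta(days=7)  # posture older than this is treated as unknown

# Constructed endpoint records using the attribute names from the
# "MDM Interaction – Inbound" slide; "compliant" reuses the slide's values.
ENDPOINTS = {
    "compliant": {
        "Manufacturer": "Apple", "Model": "iPad2", "OS Version": "iOS 6.1",
        "Display Name": "John Howard", "MDM Enabled": "Yes",
        "Compromised": "Not Jailbroken", "Encryption Enabled": "Yes",
        "Blacklisted Apps": "No", "Required Apps": "Yes",
        "Last Check in": "01/30/2012 9:03am",
    },
    "jailbroken": {
        "Manufacturer": "Apple", "Model": "iPhone4", "OS Version": "iOS 6.0",
        "Display Name": 'Pat O"Brien',          # quote on purpose: see render_naive
        "MDM Enabled": "Yes", "Compromised": "Jailbroken",
        "Encryption Enabled": "Yes", "Blacklisted Apps": "No",
        "Required Apps": "Yes", "Last Check in": "01/29/2012 8:00pm",
    },
    "stale": {
        "Manufacturer": "Apple", "Model": "iPad2", "OS Version": "iOS 6.1",
        "Display Name": "Sam Lee", "MDM Enabled": "Yes",
        "Compromised": "Not Jailbroken", "Encryption Enabled": "Yes",
        "Blacklisted Apps": "No", "Required Apps": "Yes",
        "Last Check in": "01/02/2012 7:15am",
    },
    "unmanaged": {"Manufacturer": "Apple", "Model": "iPad2", "OS Version": "iOS 6.1",
                  "Display Name": "Guest Tablet", "MDM Enabled": "No"},
}

def posture_decision(ep, now=NOW):
    """Return (network policy, reason).  The policies are the ones named on the
    "ClearPass Exchange – MDM" slide: redirect to enroll, quarantine, or allow."""
    if ep.get("MDM Enabled") != "Yes":
        return "redirect-to-enroll", "device is not enrolled in MDM"
    last = datetime.strptime(ep["Last Check in"], "%m/%d/%Y %I:%M%p")
    if now - last > MAX_CHECKIN_AGE:
        return "quarantine", "posture data is stale"
    checks = [
        (ep.get("Compromised") == "Not Jailbroken", "device reports as compromised"),
        (ep.get("Encryption Enabled") == "Yes", "storage encryption disabled"),
        (ep.get("Blacklisted Apps") == "No", "blacklisted application installed"),
        (ep.get("Required Apps") == "Yes", "required applications missing"),
    ]
    for ok, reason in checks:
        if not ok:
            return "quarantine", reason
    return "allow", "device is MDM-managed and compliant"

PLACEHOLDER = re.compile(r"%\{([A-Za-z]+):([A-Za-z -]+)\}")

# Assumed JSON body for a helpdesk ticket (the deck names ServiceNow only as an example).
TICKET_TEMPLATE = (
    '{"short_description": "ClearPass posture action: %{Decision:Action}", '
    '"device": "%{Endpoint:Manufacturer} %{Endpoint:Model} (%{Endpoint:OS Version})", '
    '"user": "%{Endpoint:Display Name}", "reason": "%{Decision:Reason}"}'
)

def render_naive(template, context):
    """Plain substitution: a value containing a double quote breaks the JSON
    (or, with a crafted value, reshapes it).  Kept only for contrast."""
    return PLACEHOLDER.sub(
        lambda m: str(context.get(m.group(1), {}).get(m.group(2), "")), template)

def render_json_safe(template, context):
    """Substitute placeholders with JSON-escaped text so an attribute value can
    never change the structure of the body it is inserted into."""
    def repl(m):
        value = context.get(m.group(1), {}).get(m.group(2), "")
        return json.dumps(str(value))[1:-1]   # escaped content without the quotes
    return PLACEHOLDER.sub(repl, template)

def context_for(ep, now=NOW):
    action, reason = posture_decision(ep, now)
    return {"Endpoint": ep, "Decision": {"Action": action, "Reason": reason}}

def build_outbound_body(ep, now=NOW):
    """Decision plus safely rendered body, parsed back to prove it is valid JSON."""
    return json.loads(render_json_safe(TICKET_TEMPLATE, context_for(ep, now)))

def naive_body_parses(ep, now=NOW):
    """True if the naive rendering still yields valid JSON for this endpoint."""
    try:
        json.loads(render_naive(TICKET_TEMPLATE, context_for(ep, now)))
        return True
    except ValueError:
        return False
```

The same escaping rule applies to the other Content-Type options on the slide: an XML body needs XML escaping and a CUSTOM body needs whatever the receiving system parses, so the escaping is chosen per template, not per attribute.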

Post Authentication Engine

• Policy Control AFTER Authentication?
  – Bandwidth Control
  – Session Control
  – Action chaining
  – 3rd Party Integration
• Use Cases
  – Restrict “Guests” to 500MB per day
  – Allow only ONE BYOD per employee
  – Update identity and forensic data

Post Authentication Engine

• ClearPass can take “actions” after network authentications
• Why?
  – Asynchronous event processing
  – Interrupt-free authentication flows
  – Allows ClearPass to undertake high-latency transactions
• Types of actions
  – Restrict Sessions – Set Bandwidth/Time quotas
  – Update ClearPass Entities
  – Integrate with 3rd party systems using HTTP
    • HelpDesk and Communication systems
    • MDM, Payment Gateways, …

Session Restrictions

• Bandwidth Limits
• Session Limits
• Session Duration
• PANW Updates
• Agent Disconnect

Bandwidth Limits

• Enforce limits on the amount of bandwidth that the user can use
• Date / Time based checks
• Disconnect and blacklist the user on exceeding the bandwidth

Session Limits

• Limit the number of simultaneous sessions for the user
• Fix a scenario to work with Guest MAC Caching flow
• Disconnect the user on exceeding the max sessions

Session Duration

• Enforce limits on the amount of time the user is allowed to access the network.
• Date / Time based checks
• Disconnect and blacklist the user on exceeding the total session duration.
• Allow flexibility to reset the session duration by specifying start/stop date/time.
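The three restrictions above (bandwidth limit, session limit, session duration) as one evaluation pass over accounting-style records, an added Python example rather than ClearPass's own engine. The record layout, the users and the per-role policy table are constructed; the limits come from the use cases on the Post Authentication Engine slide (500 MB per day for guests, one BYOD session per employee) plus an assumed 240-minute daily cap for contractors, and the actions follow the slides: disconnect and blacklist on a bandwidth or duration breach, disconnect the surplus sessions on a session-limit breach.

```python
"""Added example (not ClearPass code): evaluate the post-authentication session
restrictions from the slides (daily bandwidth quota, simultaneous-session limit,
daily session-duration limit) over accounting-style records.  The record layout,
the users and the policy table are constructed for the example."""
from datetime import datetime

MB = 1024 * 1024
NOW = datetime(2014, 6, 10, 10, 20)   # constructed evaluation time

# Per-role limits; None = not enforced.  Mirrors the slide's use cases:
# guests capped at 500 MB per day, employees allowed one BYOD session.
POLICY = {
    "Guest": {"daily_bytes": 500 * MB, "max_sessions": None, "daily_minutes": None},
    "Employee": {"daily_bytes": None, "max_sessions": 1, "daily_minutes": None},
    "Contractor": {"daily_bytes": None, "max_sessions": None, "daily_minutes": 240},
}

def rec(user, role, sid, start, stop, mb_in, mb_out):
    """One accounting record; stop=None means the session is still active."""
    return {"username": user, "role": role, "session_id": sid,
            "start": datetime.fromisoformat(start),
            "stop": datetime.fromisoformat(stop) if stop else None,
            "octets_in": mb_in * MB, "octets_out": mb_out * MB}

# Constructed records (not real accounting data).
RECORDS = [
    rec("guest17", "Guest", "s0", "2014-06-09T22:00", "2014-06-09T23:00", 400, 100),  # yesterday
    rec("guest17", "Guest", "s1", "2014-06-10T08:00", "2014-06-10T09:30", 300, 150),
    rec("guest17", "Guest", "s2", "2014-06-10T10:00", None, 40, 30),
    rec("alice", "Employee", "s3", "2014-06-10T09:00", None, 20, 5),
    rec("alice", "Employee", "s4", "2014-06-10T10:10", None, 1, 1),
    rec("bob", "Contractor", "s5", "2014-06-10T08:00", "2014-06-10T10:00", 80, 20),
    rec("bob", "Contractor", "s6", "2014-06-10T10:05", None, 2, 1),
]

def usage(records, username, now):
    """Totals for the calendar day of `now`.  Sessions are attributed to the day
    they started; a production engine would split sessions at the reset time
    (the slides allow an explicit start/stop window for exactly this)."""
    today = [r for r in records
             if r["username"] == username and r["start"].date() == now.date()]
    active = sorted((r for r in today if r["stop"] is None), key=lambda r: r["start"])
    total_bytes = sum(r["octets_in"] + r["octets_out"] for r in today)
    total_minutes = sum(((r["stop"] or now) - r["start"]).total_seconds() / 60 for r in today)
    return total_bytes, total_minutes, active

def evaluate(records, username, now=NOW):
    """Return the post-auth actions due for a user: each entry names the reason,
    the action the slides prescribe, and the session IDs it applies to."""
    mine = [r for r in records if r["username"] == username]
    if not mine:
        return []
    policy = POLICY[mine[0]["role"]]
    total_bytes, total_minutes, active = usage(records, username, now)
    active_ids = [r["session_id"] for r in active]
    actions = []
    if policy["daily_bytes"] is not None and total_bytes > policy["daily_bytes"]:
        actions.append({"reason": "bandwidth-exceeded",
                        "action": "disconnect+blacklist", "sessions": active_ids})
    if policy["daily_minutes"] is not None and total_minutes > policy["daily_minutes"]:
        actions.append({"reason": "duration-exceeded",
                        "action": "disconnect+blacklist", "sessions": active_ids})
    if policy["max_sessions"] is not None and len(active) > policy["max_sessions"]:
        # keep the oldest permitted sessions, disconnect the newest extras
        extra = active_ids[policy["max_sessions"]:]
        actions.append({"reason": "session-limit-exceeded",
                        "action": "disconnect", "sessions": extra})
    return actions

def sweep(records, now=NOW):
    """Evaluate every user in the records, as a periodic job would; returns only
    the users with actions due."""
    result = {}
    for user in sorted({r["username"] for r in records}):
        actions = evaluate(records, user, now)
        if actions:
            result[user] = actions
    return result
```

Because this runs after the Access-Accept has already been sent, it is the asynchronous path the earlier slide describes: the quota check never delays authentication, and the enforcement happens through a disconnect (and, where the slide says so, a blacklist entry that makes the next authentication fail).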

Update Palo Alto Networks Firewall

• Send userId and registration updates to Palo Alto device
• Integration with NetWatch framework for faster updates
• Ability to send full usernames in userId updates [with domain prefix/suffix]
• HIP support
• Extended support for MAC Caching flow

Entity Updates

• Endpoint Updates
• Guest Updates [User + Devices]


Example – ServiceNow


Example – SendGrid


What’s new in ClearPass?

ClearPass 6.3: Key Additions

• Single Sign On
  – Streamline login to cloud/web applications
  – Aruba Auto Sign On
• BYOD and Guest Features
  – Improved integration with MDM vendors
  – AirGroup time and group sharing
• NAC Enhancements
  – Integration with Patch Management solutions
  – Improved dissolvable agent workflows
• Platform Features
  – Real time outbound HTTP enforcement
  – FIPS 140-2, New performance monitoring framework

ClearPass 6.3: BYOD & MDM

• CPPM as the Certificate Authority for leading MDM providers (via SCEP or EST)
• Trigger MDM actions from CPPM via HTTP enforcement
• Provision full iOS 7.0 feature set through Onboard

ClearPass 6.3: Profiling and Enforcement

• New Profile Options
  – Profile DHCP via SPAN port
  – Profile from Cisco network equipment (requires IOS 15SE1)
  – Update Device Fingerprint
• New Enforcement Options
  – Use Active Directory expiration date
  – Custom outbound HTTP actions (JSON, XML, HTTP, PUT, GET)

ClearPass 6.3: Server Certificates

• Dual Certificates for Web Logins and 802.1X
  – One for RADIUS/802.1X, one for HTTPS/SSL

ClearPass 6.3: BYOD Certificates

ClearPass 6.3: AirGroup

• Group Sharing
  – Admin defines groups
  – Users allowed to access/share based on groups
  – New or removed groups/devices enforced automatically
• Time Sharing
  – Schedule every Tuesday at 4pm for 1 hour with Class A
  – Only allow access when schedule permits the group attribute (*requires AOS 6.4)

ClearPass 6.3: OnGuard

• User Experience
  – Localization framework for persistent agent
  – Dissolvable agent on CP Guest, all new workflow
  – Inline update of persistent agent
• New Health Classes
  – Installed Applications (Windows, OSX)
  – Patch Management Solutions (Windows/OSX)
• Enforcement
  – Per-Application health checks
  – Configurable health check period (persistent)
  – Monitor mode support for health classes

ClearPass 6.3: Open in AirWave

ClearPass 6.3: Performance Monitoring

ClearPass 6.3: Authentication Simulation


Summary (diagram with three columns: WORKFLOW, POLICY, VISIBILITY)

• Role-based Enforcement
• Health/Posture Checks
• Device Context
• Device Profiling
• Troubleshooting
• Per Session Tracking
• Onboarding, Registration
• Guest Management
• MDM Integration


Q&A


Thank You
