Advanced ClearPass – Beyond AAA

Defining Advanced AAA Policies for Access Networks

Ashwath Murthy

March, 2014

CONFIDENTIAL

© Copyright 2014. Aruba Networks, Inc.

All rights reserved. #AirheadsConf

Agenda

Single Sign-On and Auto Sign-On

ClearPass Exchange

HTTP Enforcement

MDM Integration

Post Authentication Engine

What’s new in ClearPass?


Single Sign-On and Auto Sign-On


Identity Access Evolution

(Diagram: three stages of the move to single sign-on)

1. Multiple Accounts, Multiple Identity Sources → Multiple Logins
2. Single Account, Single Identity Source → Multiple Logins
3. Single Account, Single Identity Source → Single Login


Single Sign-On

Security
• Single source of identity information
• Need to authenticate & authorize users across applications

Usability
• Provide the best user experience
• Highly mobile users
• Smaller screens, virtual keyboards

Mobility
• On-Premise and Off-Premise applications
• Move to the cloud


Single Sign-On

• Security Assertion Markup Language (SAML)

– Key technology behind SSO

– ClearPass is compliant with SAML v2.0

• Key Roles within SAML

– Principal – Typically a user who requests a service
– Identity Provider (IdP) – Provides identity assertions by authenticating the user
– Service Provider (SP) – Requests identity assertions from an IdP

• OpenId (as SSO technology – out of scope)
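The SP role described above, as an added example that is not part of the original deck or ClearPass's code: the checks a Service Provider applies to an IdP's Response once a SAML library has verified its signature. The issuer, entity IDs, request ID, subject and timestamps are constructed.

```python
# Added example (not ClearPass code): checks a SAML 2.0 Service Provider applies to a
# Response after a SAML library has verified its XML signature.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SEEN_ASSERTION_IDS = set()  # replay cache; production needs a shared store with a TTL

def parse_ts(s):  # SAML timestamps are UTC, e.g. 2014-03-10T10:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, expected_issuer, sp_entity_id, outstanding_ids, now,
                      skew=timedelta(minutes=3)):
    """Return (ok, reason, subject). Rejects non-Success status, responses to requests the
    SP never sent, wrong issuer or audience, expired/not-yet-valid assertions and replays."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        return False, "status not Success", None
    if root.get("InResponseTo") not in outstanding_ids:
        return False, "unknown InResponseTo", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion", None
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != expected_issuer:
        return False, "issuer mismatch", None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions", None
    if now + skew < parse_ts(cond.get("NotBefore")) or now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "outside validity window", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "audience mismatch", None
    if assertion.get("ID") in SEEN_ASSERTION_IDS:
        return False, "replayed assertion", None
    SEEN_ASSERTION_IDS.add(assertion.get("ID"))
    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    return True, "ok", subject

# Constructed sample Response (unsigned; signature handling is out of scope here).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>jhoward</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-03-10T10:00:00Z" NotOnOrAfter="2014-03-10T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://clearpass.example.com/sp</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_NOW = parse_ts("2014-03-10T10:02:00Z")
```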


SAML – Workflow

(Workflow diagram – Browser)


ClearPass and SSO

• ClearPass as a Service Provider (SP)

– ClearPass’ captive portals can act as a Service Provider

– ClearPass will request identity assertions from an IdP

– ClearPass may need to register with the IdP

• ClearPass as an Identity Provider (IdP)

– ClearPass can act as an Identity Provider to supply identity assertions
– Requesting applications (Service Providers) may need to register with ClearPass


ClearPass as SP

• When and Why?

– A SAML IdP exists on the network

– Need for centralized authentication/authorization for web applications
– Portal driven options for network access
– Portal driven options for device registration
– ClearPass examples with portals, use-cases such as reporting, guest sponsors, device registration


ClearPass as IdP

• When and Why?

– Need for centralized authentication/authorization for web applications
– Multiple internal applications are driven off a web interface
– ClearPass acts as an authentication/authorization engine for network transactions and application SSO
– ClearPass can “chain” itself onto popular IDMs such as Ping Federate and Okta


ClearPass – IdP

(Diagram) Works on multivendor LAN and WLAN
• Redirect to SSO Portal
• Open Application
• Sign in, use application
• SSO enabled for all apps


Auto Sign-On

• What is Auto Sign-On?

– Reuse L2 network authentication information for SSO
– Remove manual, repetitive application sign-on
– Provide a seamless identity transition from the network to the application

• What do I need to enable this?
– ClearPass 6.3 as the L2 RADIUS server
– ClearPass 6.3 as a SAML IdP
– AOS 6.4 on Aruba Mobility Controllers


Auto Sign-On

Successful network authentication validates the user for automatic access to SAML-enabled web/work apps.

(Diagram: steps 1–3)


Auto Sign-On – Benefits

• No need to repeatedly key in application passwords on all devices!
• Extend “TLS” derived credentials to applications!
• Automate application sign-on
• Reuse network credentials for SSO
• Centralize identity and access management across L2 and L7

• UI Walkthrough


ClearPass Exchange


ClearPass Exchange

(Diagram)
AUTOMATE SECURITY: Tickets, Notifications & Guest Login
ENABLE USERS: Enterprise, Guest, BYOD, Apps

Users & Devices ↔ ClearPass Exchange (REST-based APIs) ↔ external systems:
• Payment
• Management
• Internet Security
• Mobile Device Management
• SIEM


ClearPass Exchange

• Inbound APIs

• Syslog/SQL Access

• Outbound Messaging

• Post-Authentication Controls


ClearPass APIs – Inbound

• Inbound APIs for identity management

– Create/Register new users & devices

– Retrieve/Manage users & devices

– Update/Delete users & devices

• Inbound APIs for configuration management

– Create/Retrieve/Update/Delete new policy elements
– Includes Services, Authentication/Authorization Sources, Role Mappings, Enforcement, etc.

• SQL Access to Insight & “Log” Databases

– Read-Only access for supplemental data processing


ClearPass APIs – Inbound

• Read

– https://<server>/tipsapi/config/read/<Entity>

• Write

– https://<server>/tipsapi/config/write/<Entity>

• Delete Confirm

– https://<server>/tipsapi/config/deleteConfirm/<Entity>

• Delete

– https://<server>/tipsapi/config/delete/<Entity>


ClearPass Exchange – MDM

(Diagram) ClearPass Exchange passes endpoint context between the MDM and the network and triggers policies on both sides.

Device Policies (MDM)
• Device restrictions
• Remote Lock & Wipe
• Install Application
• Black list Apps

Network Policies (ClearPass)
• Firewall Policies
• Redirect to enroll
• Quarantine devices
• Bandwidth Prioritization


MDM Interaction – Inbound

Inventory
Manufacturer: Apple
Model: iPad2
OS Version: iOS 6.1
UDID: 1730235f564094186
Serial Number: 79049XXXA4S
IMEI: 012416009780168
Phone Number: 408-534-2819
Carrier: Verizon
MDM Id: 130d0f992t34
Owner: jhoward
Display Name: John Howard
Ownership: Employee Liable

Posture
MDM Enabled: Yes
Compromised: Not Jailbroken
Encryption Enabled: Yes
Blacklisted Apps: No
Required Apps: Yes
Last Check in: 01/30/2012 9:03am
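An added example (not ClearPass code) that turns a posture record with the fields shown above into one of the network policies listed on the previous slide (redirect to enroll, quarantine, or an access profile); the profile names, the 24-hour freshness limit and the sample record are assumptions.

```python
# Added example (not ClearPass code): turn an MDM inventory/posture record with the fields
# shown above into a network policy decision. Attribute names follow the slide; the
# enforcement profile names and the 24-hour freshness limit are assumptions.
from datetime import datetime, timedelta

# Constructed endpoint record with the slide's posture fields.
ENDPOINT = {
    "MDM Enabled": "Yes", "Compromised": "Not Jailbroken", "Encryption Enabled": "Yes",
    "Blacklisted Apps": "No", "Required Apps": "Yes",
    "Last Check in": "01/30/2012 9:03am", "Ownership": "Employee Liable",
}

def parse_checkin(s):
    """Parse the MDM timestamp format used on the slide (MM/DD/YYYY H:MMam)."""
    return datetime.strptime(s, "%m/%d/%Y %I:%M%p")

def posture_decision(ep, now, max_age=timedelta(hours=24)):
    """Return (enforcement profile, reasons). An unenrolled device goes to enrollment,
    any failing or stale posture item quarantines it, otherwise ownership selects
    the access profile. Every failing item is reported, not just the first."""
    if ep.get("MDM Enabled") != "Yes":
        return "Redirect to enroll", ["not enrolled in MDM"]
    reasons = []
    if ep.get("Compromised") != "Not Jailbroken":
        reasons.append("device compromised")
    if ep.get("Encryption Enabled") != "Yes":
        reasons.append("encryption disabled")
    if ep.get("Blacklisted Apps") != "No":
        reasons.append("blacklisted app installed")
    if ep.get("Required Apps") != "Yes":
        reasons.append("required app missing")
    age = now - parse_checkin(ep.get("Last Check in", "01/01/1970 12:00am"))
    if age > max_age:
        # Old posture data is not evidence of health: treat it like a failed check.
        reasons.append("posture stale by %s" % (age - max_age))
    if reasons:
        return "Quarantine devices", reasons
    profile = "Employee Access" if ep.get("Ownership") == "Employee Liable" else "BYOD Access"
    return profile, ["posture healthy"]
```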


MDM Interaction – Outbound

Trigger MDM Action Using Device Information

(Diagram of the exchange between the device, the MDM server and ClearPass)
• Device checks in with MDM
• Device connects over WiFi
• Device type & posture polled for policy decisions & reporting
• Endpoint data replicated to ClearPass cluster
• ClearPass requests MDM action


Outbound HTTP Messaging

• Can now combine both RADIUS and HTTP
– Enforce on the network with RADIUS
– Enforce via HTTP using RESTful APIs
• Reverse action back to MDM server
• Create a helpdesk ticket, post to a web application


Outbound HTTP Messaging

• Typically used for create actions
– Most often used with the HTTP POST method
• Select the Content-Type
– Options include HTTP, JSON, XML, PLAIN and CUSTOM
• Supports parameterized values
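An added example, not ClearPass's implementation, of how an outbound HTTP action with parameterized values can be rendered for the Content-Type options listed above. The %{Namespace:Attribute} placeholder syntax, the attribute names and the helpdesk field names are assumptions.

```python
# Added example (not ClearPass code): render a parameterized outbound HTTP action body for
# the Content-Type options listed above. The %{Namespace:Attribute} placeholder syntax and
# the attribute/field names are assumptions. Values go through the serializer for each
# Content-Type rather than string concatenation, so a hostile User-Name cannot add or
# change fields in the ticket that is POSTed to the helpdesk.
import json, re
from urllib.parse import urlencode
from xml.sax.saxutils import escape

PLACEHOLDER = re.compile(r"%\{([A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+)\}")

# Constructed template for a helpdesk "create ticket" POST.
TEMPLATE = {
    "short_description": "Quarantined: %{Authentication:Username}",
    "caller": "%{Authentication:Username}",
    "device_mac": "%{Connection:Client-Mac-Address}",
    "reason": "%{Tips:Posture}",
}

# Constructed session attributes; the username is shaped like a JSON injection attempt.
ATTRS = {
    "Authentication:Username": 'jhoward", "priority": "1',
    "Connection:Client-Mac-Address": "00-11-22-33-44-55",
    "Tips:Posture": "QUARANTINE",
}

def render_value(text, attrs):
    """Substitute placeholders inside one template string; unknown ones become empty."""
    return PLACEHOLDER.sub(lambda m: str(attrs.get(m.group(1), "")), text)

def build_request(template, attrs, content_type="JSON"):
    """Return (headers, body) for JSON, XML, PLAIN or HTTP (taken here to mean
    application/x-www-form-urlencoded); CUSTOM is left to the caller."""
    fields = {k: render_value(v, attrs) for k, v in template.items()}
    if content_type == "JSON":
        return {"Content-Type": "application/json"}, json.dumps(fields)
    if content_type == "XML":
        inner = "".join("<%s>%s</%s>" % (k, escape(v), k) for k, v in fields.items())
        return {"Content-Type": "application/xml"}, "<ticket>%s</ticket>" % inner
    if content_type == "HTTP":
        return {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(fields)
    if content_type == "PLAIN":
        return {"Content-Type": "text/plain"}, "\n".join("%s: %s" % kv for kv in fields.items())
    raise ValueError("unsupported Content-Type: %s" % content_type)

def json_fields(body):
    """Decode a JSON body back to its sorted field names (to confirm nothing was injected)."""
    return sorted(json.loads(body))
```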


Post Authentication Engine

• Policy Control AFTER Authentication?

– Bandwidth Control

– Session Control

– Action chaining

– 3rd Party Integration

• Use Cases

– Restrict “Guests” to 500MB per day

– Allow only ONE BYOD per employee

– Update identity and forensic data


Post Authentication Engine

• ClearPass can take “actions” after network authentications

• Why?

– Asynchronous event processing

– Interrupt-free authentication flows

– Allows ClearPass to undertake high-latency transactions

• Types of actions

– Restrict Sessions – Set Bandwidth/Time quotas

– Update ClearPass Entities

– Integrate with 3rd party systems using HTTP

• HelpDesk and Communication systems

• MDM, Payment Gateways, …


Session Restrictions

• Bandwidth Limits

• Session Limits

• Session Duration

• PANW Updates

• Agent Disconnect


Bandwidth Limits

• Enforce limits on the amount of bandwidth that the user can use
• Date / Time based checks
• Disconnect and blacklist the user on exceeding the bandwidth


Session Limits

• Limit the number of simultaneous sessions for the user
• Fixes the session-count scenario to work with the Guest MAC Caching flow
• Disconnect the user on exceeding the maximum number of sessions


Session Duration

• Enforce limits on the amount of time the user is allowed to access the network.
• Date / Time based checks
• Disconnect and blacklist the user on exceeding the total session duration.
• Allow flexibility to reset the session duration by specifying start/stop date/time.
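The bandwidth, session and duration limits on the last three slides, together with the 500MB-per-day and one-BYOD use cases from the Post Authentication Engine slide, as an added example that is not ClearPass code: it evaluates constructed RADIUS accounting records for one user and returns the disconnect/blacklist actions a post-authentication engine would take. Role names, limits and the record layout are assumptions.

```python
# Added example (not ClearPass code): quota checks a post-authentication engine could run
# over RADIUS accounting data, covering the slide's cases: 500 MB per day for Guests, one
# concurrent BYOD session per Employee, and a total daily session-duration limit.
# Role names, limits and the record layout are assumptions.
from datetime import datetime, timedelta

MB = 1024 * 1024
POLICY = {  # None means no limit for that role
    "Guest": {"bytes_per_day": 500 * MB, "max_sessions": None, "max_duration": timedelta(hours=8)},
    "Employee": {"bytes_per_day": None, "max_sessions": 1, "max_duration": None},
}

def T(s):
    """Parse constructed timestamps like '2014-03-10 09:00'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed accounting records: stop is None while the session is still active.
RECORDS = [
    {"user": "guest1", "session_id": "g1", "start": T("2014-03-10 09:00"), "stop": T("2014-03-10 12:00"), "octets": 300 * MB},
    {"user": "guest1", "session_id": "g2", "start": T("2014-03-10 13:00"), "stop": None, "octets": 250 * MB},
    {"user": "guest2", "session_id": "g3", "start": T("2014-03-10 00:30"), "stop": T("2014-03-10 09:00"), "octets": 10 * MB},
    {"user": "jhoward", "session_id": "e1", "start": T("2014-03-10 08:00"), "stop": None, "octets": 100 * MB},
    {"user": "jhoward", "session_id": "e2", "start": T("2014-03-10 10:00"), "stop": None, "octets": 5 * MB},
    {"user": "guest1", "session_id": "g0", "start": T("2014-03-09 20:00"), "stop": T("2014-03-09 23:00"), "octets": 400 * MB},
]
SAMPLE_NOW = T("2014-03-10 18:00")

def evaluate(records, role, user, now):
    """Return a list of (action, reason) for one user. 'blacklist' also implies a
    disconnect; 'disconnect' names the session to drop. Only today's sessions count."""
    limits = POLICY[role]
    today = [r for r in records if r["user"] == user and r["start"].date() == now.date()]
    actions = []
    used = sum(r["octets"] for r in today)
    if limits["bytes_per_day"] is not None and used > limits["bytes_per_day"]:
        actions.append(("blacklist", "daily quota exceeded: %d MB" % (used // MB)))
    active = sorted((r for r in today if r["stop"] is None), key=lambda r: r["start"])
    if limits["max_sessions"] is not None and len(active) > limits["max_sessions"]:
        for r in active[limits["max_sessions"]:]:  # keep the oldest, drop the newer ones
            actions.append(("disconnect", "session limit exceeded: %s" % r["session_id"]))
    total = sum(((r["stop"] or now) - r["start"] for r in today), timedelta())
    if limits["max_duration"] is not None and total > limits["max_duration"]:
        actions.append(("blacklist", "session duration exceeded: %s" % total))
    return actions
```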


Update Palo Alto Networks Firewall

• Send userId and registration updates to Palo Alto device
• Integration with NetWatch framework for faster updates
• Ability to send full usernames in userId updates [with domain prefix/suffix]
• HIP support
• Extended support for MAC Caching flow


Entity Updates

• Endpoint Updates

• Guest Updates [User + Devices]


Example – ServiceNow


Example – SendGrid


What’s new in ClearPass?


ClearPass 6.3 – Key Additions

• Single Sign On

– Streamline login to cloud/web applications

– Aruba Auto Sign On

• BYOD and Guest Features

– Improved integration with MDM vendors

– AirGroup time and group sharing

• NAC Enhancements

– Integration with Patch Management solutions

– Improved dissolvable agent workflows

• Platform Features

– Real time outbound HTTP enforcement

– FIPS 140-2, New performance monitoring framework


ClearPass 6.3 – BYOD & MDM

– CPPM as the Certificate Authority for leading MDM providers (via SCEP or EST)
– Trigger MDM actions from CPPM via HTTP enforcement
– Provision full iOS 7.0 feature set through Onboard


ClearPass 6.3 – Profiling and Enforcement

• New Profile Options

– Profile DHCP via SPAN port

– Profile from Cisco network equipment (requires IOS 15SE1)

– Update Device Fingerprint

• New Enforcement Options

– Use Active Directory expiration date

– Custom outbound HTTP actions (JSON, XML, HTTP, PUT, GET)


ClearPass 6.3 – Server Certificates

• Dual Certificates for Web Logins and 802.1X
– One for RADIUS/802.1X, One for HTTPS/SSL


ClearPass 6.3 – BYOD Certificates


ClearPass 6.3 – AirGroup

• Group Sharing
– Admin defines groups
– Users allowed to access/share based on groups
– New or removed groups/devices enforced automatically

• Time Sharing
– Schedule every Tuesday at 4pm for 1 hour with Class A
– Only allow access when schedule permits the group attribute

* Requires AOS 6.4


ClearPass 6.3 – OnGuard

• User Experience

– Localization framework for persistent agent

– Dissolvable agent on CP Guest, all new workflow

– Inline update of persistent agent

• New Health Classes

– Installed Applications (Windows, OSX)

– Patch Management Solutions (Windows/OSX)

• Enforcement

– Per-Application health checks

– Configurable health check period (persistent)

– Monitor mode support for health classes


ClearPass 6.3 – Open in AirWave


ClearPass 6.3 – Performance Monitoring


ClearPass 6.3 – Authentication Simulation


Summary


Summary

(Diagram: capabilities grouped under WORKFLOW, POLICY and VISIBILITY)
• Role-based Enforcement
• Health/Posture Checks
• Device Context
• Device Profiling
• Troubleshooting
• Per Session Tracking
• Onboarding, Registration
• Guest Management
• MDM Integration


Q&A


Thank You

