Access Management with Aruba ClearPass, Austin Hawthorne, December 12th, 2014

Shanghai Breakout: Access Management with Aruba ClearPass



Page 1: Shanghai Breakout: Access Management with Aruba ClearPass

Access Management with Aruba ClearPass

Austin Hawthorne

December 12th, 2014

Page 2: Shanghai Breakout: Access Management with Aruba ClearPass

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

#AirheadsConf

Agenda

• Defining Adaptive Policies
• Context Collection
• Leveraging Context in NAC Policies
• Enhancing User Experience, Operations, and Security with Context

Page 3: Shanghai Breakout: Access Management with Aruba ClearPass


Why Adaptive Policies?

THEN: Predictable Desk Access

NOW: Access from Anywhere

Page 4: Shanghai Breakout: Access Management with Aruba ClearPass


Deciphering Context for Policy Decisions

Jailbroken phone?

BYOD?

Guest?

Office?

Device type?

Firewall enabled?

Employee?

Policies must adapt to conditions

Skim milk?

Page 5: Shanghai Breakout: Access Management with Aruba ClearPass


Common Security Questions

• Is this a corporate device or a personal device connecting to my wireless network with my employee’s account information?

• Is this a Printer or Computer connecting to my wired network without 802.1x?

• How do I keep corporate devices off the Guest SSID?

• I trust my corporate assets, but I need to check the compliance of contractor computers when they connect, and restrict contractors from using mobile devices. How?

Page 6: Shanghai Breakout: Access Management with Aruba ClearPass


Adaptive Trust: Context Collection

Page 7: Shanghai Breakout: Access Management with Aruba ClearPass


The Heart of an Adaptive Trust Decision

User & role

Ownership - IT or BYOD

Device & type

Usable Context

Device assessment

Location - Secure or open access

Auth type - credentials or certificate

Session rules

Access type

Time-of-day / Day-of-Week

App traffic & behavior

Page 8: Shanghai Breakout: Access Management with Aruba ClearPass


Sources of Usable Context

Device Profiling
• Samsung SM-G900
• Android
• “Jons-Galaxy”

EMM/MDM
• Personal owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true

Identity Stores
• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London

Enforcement Points
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10Mbps

Page 9: Shanghai Breakout: Access Management with Aruba ClearPass


Sources of Usable Context


Adaptive Trust Identity
• Hansen, Jon [Sales]
• COO, Executive Office
• London
• Personal Owned
• Samsung SM-G900
• Android 4.4, Knox
• MDM enabled = true
• In-compliance = true
• At Bldg 10, floor 3
• 21:22 GMT, 21/12/14

Page 10: Shanghai Breakout: Access Management with Aruba ClearPass


Context Sources

• External:
  • Network Devices: Radius/TACACS
  • AD/LDAP
  • SAML/OAUTH2/Okta
  • Radius
  • Kerberos
  • Token Servers
  • SQL Databases
  • MDM Systems
  • Aruba Activate
  • HTTP

• Internal:
  • Endpoint DB, with profiling information from DHCP, HTTP, SNMP, IOS Device Sensor, ActiveSync, OnGuard and Onboard
  • Insight DB
  • Session/State Information
  • Guest User/Device DB
  • Date/Time
  • LocalUser DB

Page 11: Shanghai Breakout: Access Management with Aruba ClearPass


Context Examples

Page 12: Shanghai Breakout: Access Management with Aruba ClearPass


Adaptive Trust: Leverage Context in Policy Decisions

Page 13: Shanghai Breakout: Access Management with Aruba ClearPass


Adaptive Policy Driven by Context

                  Corporate Tablet              BYOD Tablet
Authentication    EAP-TLS                       EAP-TLS
SSID              CORP-SECURE                   CORP-SECURE
Access granted    Internet and Corporate Apps   Internet Only

Page 14: Shanghai Breakout: Access Management with Aruba ClearPass


ClearPass Policy Model – AuthN vs AuthZ

ClearPass Policy Manager

AD/LDAP

Guest

Insight

Endpoint

Onboard

Service Matching

SQL

MDM

HTTP

Authentication

Authorization

Role Mapping

Enforcement

Request (from the network device):
• Username = Bob
• Mac Address = XYZ
• SSID = Secure
• Location = Building 1
• Request = Radius

Added Context:
• MDM Enrolled = True
• Device Type = iPad
• Owner = Bob
• Required Apps = True
• Active Sessions = 2
• AD Group = Exec
• Corp Asset = True

Response = Radius:
• Accept
• Reject
• Attributes

Page 15: Shanghai Breakout: Access Management with Aruba ClearPass


Role-Mapping

• Role-Mapping is used to filter collected contextual data into “tags” (roles) that can be used as enforcement conditions.

• “Select All” vs “Select First” condition matching

• Be careful with “AND” and “OR” conditions

• Available options:
  • Radius/TACACS Attributes
  • Authentication Attributes
  • Authorization Attributes (from any source)
  • Certificate Attributes
  • Endpoint Attributes
  • Date/Time Attributes

Page 16: Shanghai Breakout: Access Management with Aruba ClearPass


Sample Role Mapping

• Device Context
• Auth Context
• User Context
• Cert Context
• MDM Context
• Onboard Context

Page 17: Shanghai Breakout: Access Management with Aruba ClearPass


Enforcement Policies

• Condition-based rules that determine which enforcement profile(s) to use.

• Can signal multiple actions; more on that later.

• Leverages “Roles” assigned during Role-Mapping.

• Leverages the “Posture” token assigned during the posture check.

• Typically a top-down, “First Match” rule-matching algorithm.

Page 18: Shanghai Breakout: Access Management with Aruba ClearPass


Sample Enforcement Policy

Using Roles for User and Device

Using Roles and Posture

Enforcement Policy

Page 19: Shanghai Breakout: Access Management with Aruba ClearPass


Enforcement Profiles

• Profiles are essentially the enforcement “actions” you want to signal based on the set conditions.

• Multiple types of Enforcement Profiles:
  • Radius
  • Radius CoA
  • SNMP
  • CLI
  • HTTP
  • Entity Update
  • OnGuard Agent
  • TACACS
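The AuthN/AuthZ slide, the Role-Mapping slide and the two enforcement slides describe one pipeline: request attributes plus added context are mapped to roles (Select All vs Select First, AND vs OR conditions), an enforcement policy is evaluated top-down with first match, and the winning rule signals one or more enforcement profiles. The following Python model is an added illustration, not ClearPass code; its rule syntax, operator names, role names and profile names are invented for the example, and the sample request and context are constructed from the slide's "Username = Bob" box.

```python
"""Toy model of the ClearPass decision pipeline sketched on these slides:
RADIUS request + added context -> role mapping -> enforcement policy
(top-down first match) -> enforcement profiles (one or more actions).
Added illustration, not ClearPass code: the rule syntax, operator names,
role names and profile names are invented for the example."""
from dataclasses import dataclass
from typing import Optional


def _match(cond, ctx):
    """Evaluate one (namespace, attribute, operator, value) condition."""
    ns, attr, op, want = cond
    have = ctx.get(ns, {}).get(attr)
    if have is None:                      # attribute absent -> condition fails
        return False
    if op == "EQUALS":
        return have == want
    if op == "NOT_EQUALS":
        return have != want
    if op == "IN":
        return have in want
    raise ValueError(f"unknown operator {op}")


@dataclass
class RoleRule:
    role: str
    conditions: list
    mode: str = "AND"   # AND: every condition must hold; OR: any one suffices

    def matches(self, ctx):
        hits = [_match(c, ctx) for c in self.conditions]
        return all(hits) if self.mode == "AND" else any(hits)


def map_roles(rules, ctx, select="ALL", default_role="[Other]"):
    """'Select All' collects every matching role; 'Select First' stops at the first."""
    roles = []
    for rule in rules:
        if rule.matches(ctx):
            roles.append(rule.role)
            if select == "FIRST":
                break
    return roles or [default_role]


@dataclass
class EnforcementRule:
    roles_all_of: set             # roles that must all be present
    posture: Optional[str]        # required posture token, or None for any
    profiles: list                # enforcement profiles (actions) to signal


def enforce(policy, roles, posture, default_profiles):
    """Top-down first match: the first rule whose roles and posture fit wins."""
    have = set(roles)
    for rule in policy:
        if rule.roles_all_of <= have and rule.posture in (None, posture):
            return rule.profiles
    return default_profiles


ROLE_RULES = [
    RoleRule("Corp-Asset", [("Endpoint", "Corp-Asset", "EQUALS", True)]),
    RoleRule("BYOD", [("Endpoint", "Corp-Asset", "EQUALS", False),
                      ("MDM", "Enrolled", "EQUALS", True)]),
    RoleRule("Exec", [("Authorization", "AD-Group", "EQUALS", "Exec")]),
    # OR rule: either MDM signal is enough to tag the device as jailbroken.
    RoleRule("Jailbroken", [("MDM", "Jailbroken", "EQUALS", True),
                            ("MDM", "Compromised", "EQUALS", True)], mode="OR"),
]

ENFORCEMENT_POLICY = [
    # Ordering matters with first match: the jailbroken rule sits on top so
    # it wins over any accept rule, and it signals several actions at once.
    EnforcementRule({"Jailbroken"}, None,
                    ["Radius-Reject", "Syslog-SIEM", "Helpdesk-Ticket", "SMS-Notify"]),
    EnforcementRule({"Corp-Asset"}, "HEALTHY", ["Radius-Accept", "Role:Corp-Full"]),
    EnforcementRule({"BYOD"}, "HEALTHY", ["Radius-Accept", "Role:Internet-Only"]),
    EnforcementRule({"BYOD"}, "QUARANTINE", ["Radius-Accept", "Role:Remediation"]),
]
DEFAULT_PROFILES = ["Radius-Reject"]     # deny by default when nothing matches


def decide(request, added_context, posture, select="ALL"):
    """Merge the NAD request with context looked up from other sources, then decide."""
    ctx = {**request, **added_context}
    roles = map_roles(ROLE_RULES, ctx, select=select)
    return roles, enforce(ENFORCEMENT_POLICY, roles, posture, DEFAULT_PROFILES)


# Constructed sample modelled on the slide: "Username = Bob ... Request = Radius"
# plus the "Added Context" box. Attribute names are illustrative.
REQUEST = {"Radius": {"User-Name": "Bob", "Calling-Station-Id": "XYZ",
                      "SSID": "Secure", "Location": "Building 1"}}
ADDED_BOB = {"Endpoint": {"Device-Type": "iPad", "Corp-Asset": True},
             "MDM": {"Enrolled": True, "Jailbroken": False},
             "Authorization": {"AD-Group": "Exec"}}
ADDED_JAILBROKEN = {"Endpoint": {"Device-Type": "iPhone", "Corp-Asset": False},
                    "MDM": {"Enrolled": True, "Jailbroken": True}}

if __name__ == "__main__":
    print(decide(REQUEST, ADDED_BOB, "HEALTHY"))
    print(decide(REQUEST, ADDED_JAILBROKEN, "HEALTHY"))
```

Two details worth noticing when running it: with "Select All", Bob's iPad picks up both Corp-Asset and Exec, whereas "Select First" stops at Corp-Asset and the Exec tag is never available to enforcement; and because enforcement is first match, the jailbroken rule only protects you if it is ordered above the accept rules, which is why a missing context attribute is treated as "condition fails" rather than silently passing.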

Page 20: Shanghai Breakout: Access Management with Aruba ClearPass


Adaptive Trust: Security, Operational, and User Experience Advantages

Page 21: Shanghai Breakout: Access Management with Aruba ClearPass


Security Disconnect

Who: Bob
Group: Faculty
Device: Personal iPad
Location: Room 104
Time: 9am, Monday
Compliance: Healthy

VPN

AAA/NAC

DHCP/DNS

AD/LDAP

Network Applications

Ticketing System

Proxy/Filter

Network Mgmt

FW

AAA/NAC: Accept, Policy = Faculty-BYOD

Page 22: Shanghai Breakout: Access Management with Aruba ClearPass


User and Operational Disconnect

VPN

AAA/NAC

DHCP/DNS

AD/LDAP

Network Applications

Ticketing System

Proxy/Filter

Network Mgmt

FW


• User can’t connect to the network

• User application access is slow or disconnects

• Where does the problem exist?

• When do you know about the problem?

• Where do you start?


Page 23: Shanghai Breakout: Access Management with Aruba ClearPass


Perimeter Defense
• IDS/IPS
• Firewalls

Mobility Defense
• Firewalls
• IDS/IPS/AV Enforcement Points
• EMM/MDM
• Physical
• Web gateways
• A/V

Time for a New Perimeter Defense Model

Policy needed for central point of control

Access Policy Management

Page 24: Shanghai Breakout: Access Management with Aruba ClearPass


Security and Usability Coordination

VPN

ClearPass

DHCP/DNS

AD/LDAP

Network Applications

Ticketing System

Proxy/Filter

Network Mgmt

FW

Who: Bob
Group: Faculty
Device: Personal iPad
Location: Room 104
Time: 9am, Monday
Compliance: Healthy
Mac Address: X
IP Address: Y
Airgroup Permissions

What if, when the user connects:
- Update the FW
- Update the IPAM
- Update the Proxy
- Logon the application
- Update the WLAN

Page 25: Shanghai Breakout: Access Management with Aruba ClearPass


User Self Service

VPN

ClearPass

DHCP/DNS

AD/LDAP

Network Applications

Ticketing System

Proxy/Filter

Network Mgmt

FW

Self Service:
- BYOD Portal
- Device/Guest Registration
- Device Access Management
- Auto-Remediation
- Notification Pages

Page 26: Shanghai Breakout: Access Management with Aruba ClearPass


Operational Integration

VPN

ClearPass

DHCP/DNS

AD/LDAP

Network Applications

Ticketing System

Proxy/Filter

Network Mgmt

FW

- Auto Open Help Desk Ticket
- Notify User
- Integration into Network Management

Page 27: Shanghai Breakout: Access Management with Aruba ClearPass


Integration Options

• “Built In” Integration
  • MDM Actions
  • Palo Alto HIP Updates
  • Syslog
  • Splunk App
  • CEF/LEEF Support (Future)
  • Radius Proxy (future)
  • Inbound API
  • Web Pages: OnGuard DA, OnBoard, Device/User Registration, Notification/Warning

• “Build your own” Integration
  • ClearPass Exchange
  • REST/XML Based API

Page 28: Shanghai Breakout: Access Management with Aruba ClearPass


ClearPass Exchange

Mitigating Risks using 3rd Party Integration

Third-party Systems:
• Payment Management
• Patient Check-in
• Helpdesk Tickets
• EMM Solutions
• SIEM Systems

Integration via RESTful APIs and Syslog Messages, driven by the Adaptive Trust Identity.

Jailbreak example:
1. Jail-broken device detected
2. Helpdesk ticket auto generated
3. Message to device auto generated
ClearPass denies access to device

Page 29: Shanghai Breakout: Access Management with Aruba ClearPass


Enforcement Example

Radius Action to force notification page

Send user SMS notification

Update Palo Alto Firewall

Open Help Desk Ticket

Sound the alarm!

Send Email to security team

Page 30: Shanghai Breakout: Access Management with Aruba ClearPass


Dynamic Content based on Context

• Device, User, and Posture context can be pulled into actions and web pages.

• Leverages “NameSpace” variables in enforcement actions and web login pages.

Page 31: Shanghai Breakout: Access Management with Aruba ClearPass


NameSpaces in ClearPass

• Almost all of the “context” that is collected by ClearPass can be called up and used via dynamic “namespace” variables.

• For example:
  • %{Endpoint:Model}
  • %{Radius:Aruba:Aruba-Location-Id}
  • %{Authentication:Full-Username}

• These can be used in role mapping, enforcement profiles and policies, auth source filters/queries, etc., in place of static values.

• When used, the variable is replaced dynamically with the information pertaining to that device or user.
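The two NameSpace slides describe %{Namespace:Attribute} variables that are expanded with the current device's or user's context wherever they appear, including inside auth-source filters. The expander below is an added illustration, not ClearPass code: how it treats missing attributes, nested namespaces such as Radius:Aruba:..., and escaping are my assumptions, and the sample context is constructed from the slide's examples. The escaping hook matters for the "auth source filters/queries" case, where a substituted value lands inside an LDAP filter and must not be able to change the filter's structure.

```python
"""Expander for ClearPass-style %{Namespace:Attribute} variables.
Added illustration, not ClearPass code: the handling of missing attributes,
nested namespaces such as Radius:Aruba:..., and the escaping hook are my
assumptions about how such substitution should behave."""
import re

# One variable: %{Ns:Attr} or deeper, e.g. %{Radius:Aruba:Aruba-Location-Id}
VAR = re.compile(r"%\{([A-Za-z0-9_-]+(?::[A-Za-z0-9_-]+)+)\}")


def lookup(context, path):
    """Walk a colon-separated path through nested dicts; None if absent."""
    node = context
    for part in path.split(":"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def ldap_filter_escape(value):
    """RFC 4515 escaping for values substituted into an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def expand(template, context, missing="", escape=None):
    """Replace each %{...} with the context value. Unknown variables become
    `missing` (assumed behaviour); `escape` is applied to every substituted
    value, which matters when the template is a query rather than a web page."""
    def sub(match):
        value = lookup(context, match.group(1))
        text = missing if value is None else str(value)
        return escape(text) if escape else text
    return VAR.sub(sub, template)


def notification_text(context):
    """A notification-page line built from device, user and location context."""
    return expand("%{Authentication:Full-Username}, your %{Endpoint:Model} "
                  "at %{Radius:Aruba:Aruba-Location-Id} failed the compliance check.",
                  context, missing="unknown")


def ldap_user_query(context):
    """An authorization-source filter: the username is escaped, so a crafted
    value cannot change the shape of the filter."""
    return expand("(sAMAccountName=%{Authentication:Username})", context,
                  escape=ldap_filter_escape)


# Constructed sample context shaped like the slide's examples.
SAMPLE_CONTEXT = {
    "Authentication": {"Full-Username": "jhansen@example.com", "Username": "jhansen"},
    "Endpoint": {"Model": "Samsung SM-G900"},
    "Radius": {"Aruba": {"Aruba-Location-Id": "Bldg10-Floor3"}},
}

if __name__ == "__main__":
    print(notification_text(SAMPLE_CONTEXT))
    print(ldap_user_query(SAMPLE_CONTEXT))
```

The `missing` default is deliberate: a notification page should read "unknown" rather than show a raw `%{...}` placeholder, while a filter built from an absent attribute should fail closed, which is why `ldap_user_query` leaves `missing` at the empty string and the resulting filter matches nothing sensible.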

Page 32: Shanghai Breakout: Access Management with Aruba ClearPass


Conclusion

Page 33: Shanghai Breakout: Access Management with Aruba ClearPass


NameSpaces in ClearPass

• Context is the foundation of ClearPass

• More contextual sources than any other vendor!

• Ability to share context with more vendors than our competitors!

• Context provides for greater security, visibility, and flexibility to support the ever-changing #GenMobile environment.

• Please check out the “Secure Air” booth during your break for a demonstration of these principles in action!

Page 34: Shanghai Breakout: Access Management with Aruba ClearPass


Thank You
