Advanced Access Management with Aruba ClearPass #AirheadsConf Italy
 

Advanced Access Management with Aruba ClearPass #AirheadsConf Italy Presentation Transcript

  • 1. Advanced Access Management with Aruba ClearPass, June 2014
  • 2. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf – Agenda
    – Single Sign-On and Auto Sign-On
    – ClearPass Exchange
    – HTTP Enforcement
    – MDM Integration
    – Post Authentication Engine
    – What’s new in ClearPass?
  • 3. Single Sign-On and Auto Sign-On
  • 4. Identity Access Evolution (diagram, three stages)
    – Multiple accounts, multiple logins; multiple identity sources, multiple logins
    – Single account, multiple logins; single identity source, multiple logins
    – Single account, single login; single identity source, single login
  • 5. Single Sign-On
    – Security: a single source of identity information; need to authenticate & authorize users across applications
    – Usability: provide the best user experience; highly mobile users; smaller screens, virtual keyboards
    – Mobility: on-premise and off-premise applications; move to the cloud
  • 6. Single Sign-On
    – Security Assertion Markup Language (SAML): the key technology behind SSO; ClearPass is compliant with SAML v2.0
    – Key roles within SAML: Principal (typically a user who requests a service); Identity Provider (IdP), which provides identity assertions by authenticating the user; Service Provider (SP), which requests identity assertions from an IdP
    – OpenID (as an SSO technology, out of scope)
  • 7. SAML – Workflow (diagram of the browser-based flow)
  • 8. ClearPass and SSO
    – ClearPass as a Service Provider (SP): ClearPass’ captive portals can act as a Service Provider; ClearPass will request identity assertions from an IdP; ClearPass may need to register with the IdP
    – ClearPass as an Identity Provider (IdP): ClearPass can act as an Identity Provider to supply identity assertions; requesting applications (Service Providers) may need to register with ClearPass
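The SP-initiated exchange between the three SAML roles named on slides 6 to 8, as an added example that is not part of the deck and not Aruba or ClearPass code. It models the roles with plain Python objects: real SAML carries XML messages signed with XML-DSig, and here the assertion is a dict signed with an HMAC over a shared key (an assumption standing in for the IdP's signing certificate), so that the checks a Service Provider must perform before trusting the subject can be shown end to end. Entity IDs, the ACS URL, the user and the 300-second lifetime are constructed values.

```python
"""Toy SP/IdP exchange after the SAML roles on the slides (Principal, IdP, SP).

Added example, not Aruba or ClearPass code. Real SAML carries XML messages
signed with XML-DSig; here messages are dicts and the assertion is signed
with an HMAC (an assumption standing in for the IdP's signing certificate).
"""
import hashlib
import hmac
import json
import secrets

IDP_KEY = b"constructed-idp-signing-key"  # constructed secret; stands in for the IdP key pair


def _sign(assertion: dict, key: bytes) -> str:
    """Toy signature over a canonical JSON form of the assertion."""
    canon = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class IdentityProvider:
    """IdP role: authenticates the principal and issues identity assertions."""

    def __init__(self, entity_id, key, users, lifetime=300):
        self.entity_id, self.key, self.users, self.lifetime = entity_id, key, users, lifetime

    def authenticate(self, request, username, password, now):
        """Return a signed response for the requesting SP, or None if login fails."""
        if self.users.get(username) != password:
            return None
        assertion = {
            "issuer": self.entity_id,
            "subject": username,
            "audience": request["issuer"],       # bound to the SP that asked
            "recipient": request["acs_url"],     # bound to where it may be delivered
            "in_response_to": request["id"],     # bound to one outstanding request
            "not_before": now,
            "not_on_or_after": now + self.lifetime,
        }
        return {"assertion": assertion, "signature": _sign(assertion, self.key)}


class ServiceProvider:
    """SP role: requests assertions from the IdP and validates what comes back."""

    def __init__(self, entity_id, acs_url, idp_entity_id, idp_key):
        self.entity_id, self.acs_url = entity_id, acs_url
        self.idp_entity_id, self.idp_key = idp_entity_id, idp_key
        self.pending = set()  # request ids still awaiting a response

    def make_authn_request(self):
        rid = "_" + secrets.token_hex(8)
        self.pending.add(rid)
        return {"id": rid, "issuer": self.entity_id, "acs_url": self.acs_url}

    def consume_response(self, response, now):
        """Return (accepted, reason, subject); every check must pass before the subject is trusted."""
        a = response["assertion"]
        if not hmac.compare_digest(_sign(a, self.idp_key), response["signature"]):
            return False, "bad signature", None
        if a["issuer"] != self.idp_entity_id:
            return False, "unknown issuer", None
        if a["audience"] != self.entity_id:
            return False, "assertion issued for another SP", None
        if a["recipient"] != self.acs_url:
            return False, "wrong recipient", None
        if not a["not_before"] <= now < a["not_on_or_after"]:
            return False, "outside validity window", None
        if a["in_response_to"] not in self.pending:
            return False, "unsolicited or replayed response", None
        self.pending.discard(a["in_response_to"])  # each request id is accepted once
        return True, "ok", a["subject"]


def demo():
    """SP-initiated flow: request, IdP login, response consumed once, then replayed."""
    idp = IdentityProvider("https://idp.example", IDP_KEY, {"jhoward": "correct-horse"})
    sp = ServiceProvider("https://sp.example", "https://sp.example/acs", "https://idp.example", IDP_KEY)
    req = sp.make_authn_request()
    resp = idp.authenticate(req, "jhoward", "correct-horse", now=1000)
    first = sp.consume_response(resp, now=1000)
    replay = sp.consume_response(resp, now=1000)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified before any field is read for a decision, and the request id is consumed only after every other check passes, so a response that fails on validity or audience does not burn the outstanding request.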
  • 9. ClearPass as SP – When and Why?
    – A SAML IdP exists on the network
    – Need for centralized authentication/authorization for web applications
    – Portal-driven options for network access
    – Portal-driven options for device registration
    – ClearPass examples with portals: use cases such as reporting, guest sponsors, device registration
  • 10. ClearPass as IdP – When and Why?
    – Need for centralized authentication/authorization for web applications
    – Multiple internal applications are driven off a web interface
    – ClearPass acts as an authentication/authorization engine for network transactions and application SSO
    – ClearPass can “chain” itself onto popular IDMs such as Ping Federate and Okta
  • 11. ClearPass – IdP (diagram): works on multivendor LAN and WLAN; labels: Open Application, Redirect to SSO Portal, Sign in, use application, SSO enabled for all apps
  • 12. Auto Sign-On
    – What is Auto Sign-On? Reuse L2 network authentication information for SSO; remove manual, repetitive application sign-on; provide a seamless identity transition from network → application
    – What do I need to enable this? ClearPass 6.3 as the L2 RADIUS server; ClearPass 6.3 as a SAML IdP; AOS 6.4 on Aruba Mobility Controllers
  • 13. Auto Sign-On (diagram): successful network authentication validates the user for automatic access to SAML-enabled web/work apps
  • 14. Auto Sign-On – Benefits
    – No need to repeatedly key in application passwords on all devices!
    – Extend “TLS”-derived credentials to applications!
    – Automate application sign-on
    – Reuse network credentials for SSO
    – Centralize identity and access management across L2 and L7
    – UI Walkthrough
  • 15. ClearPass Exchange
  • 16. ClearPass Exchange (diagram): ClearPass Exchange (REST-based APIs) sits between Users & Devices and the integrated systems
    – ENABLE USERS: Enterprise, Guest, BYOD, Apps
    – AUTOMATE SECURITY: Tickets, Notifications & Guest Login
    – Integrated systems: Payment Management, Internet Security, Mobile Device Management, SIEM
  • 17. ClearPass Exchange
    – Inbound APIs
    – Syslog/SQL Access
    – Outbound Messaging
    – Post-Authentication Controls
  • 18. ClearPass APIs – Inbound
    – Inbound APIs for identity management: create/register new users & devices; retrieve/manage users & devices; update/delete users & devices
    – Inbound APIs for configuration management: create/retrieve/update/delete policy elements; includes Services, Authentication/Authorization Sources, Role Mappings, Enforcement, etc.
    – SQL access to the Insight & “Log” databases: read-only access for supplemental data processing
  • 19. ClearPass APIs – Inbound
    – Read: https://<server>/tipsapi/config/read/<Entity>
    – Write: https://<server>/tipsapi/config/write/<Entity>
    – Delete Confirm: https://<server>/tipsapi/config/deleteConfirm/<Entity>
    – Delete: https://<server>/tipsapi/config/delete/<Entity>
  • 20. ClearPass Exchange – MDM (diagram): exchange endpoint context & trigger policies
    – Device Policies: device restrictions; remote lock & wipe; install application; blacklist apps
    – Network Policies: firewall policies; redirect to enroll; quarantine devices; bandwidth prioritization
  • 21. MDM Interaction – Inbound Posture (sample endpoint record)
    – Device: Manufacturer: Apple; Model: iPad2; OS Version: iOS 6.1; UDID: 1730235f564094186; Serial Number: 79049XXXA4S; IMEI: 012416009780168; Phone Number: 408-534-2819; Carrier: Verizon; MDM Id: 130d0f992t34
    – Owner: jhoward; Display Name: John Howard; Ownership: Employee Liable
    – Inventory: MDM Enabled: Yes; Compromised: Not Jailbroken; Encryption Enabled: Yes; Blacklisted Apps: No; Required Apps: Yes; Last Check-in: 01/30/2012 9:03am
  • 22. MDM Interaction – Outbound (diagram): trigger an MDM action using device information
    – Device connects over WiFi
    – Device checks in with MDM
    – Device type & posture polled by ClearPass for policy decisions & reporting
    – Endpoint data replicated to the ClearPass cluster
    – ClearPass requests an MDM action
  • 23. Outbound HTTP Messaging
    – Can now combine both RADIUS and HTTP: enforce on the network with RADIUS; enforce via HTTP using RESTful APIs
    – Reverse action back to the MDM server
    – Create a helpdesk ticket, post to a web application
  • 24. Outbound HTTP Messaging
    – Typically used for create actions, most often with the HTTP POST method
    – Select the Content-Type: options include HTTP, JSON, XML, PLAIN and CUSTOM
    – Supports parameterized values
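Slides 23 and 24 describe outbound HTTP messages with a selectable Content-Type and parameterized values, so the example below, added here and not taken from the deck or from ClearPass, renders such a message two ways: verbatim substitution into a JSON template beside a renderer that fixes the structure first and only then serialises the values. The `%{Namespace:Attribute}` placeholder syntax, the attribute names, the helpdesk URL and the session values are assumptions constructed for the illustration; the point is that attribute values such as the username originate from the client, so a JSON or XML body must treat them as data rather than as part of the message structure.

```python
"""Rendering a parameterized outbound HTTP message.

Added example, not ClearPass code. The %{Namespace:Attribute} placeholder
syntax, the attribute names and the session values are assumptions.
"""
import json
import re

PARAM = re.compile(r"%\{([A-Za-z0-9:_-]+)\}")  # assumed placeholder syntax

# Constructed session attributes; the username deliberately carries JSON syntax.
SESSION = {
    "Authentication:Username": 'jhoward", "role": "admin',
    "Connection:Client-Mac-Address": "00-11-22-33-44-55",
    "Tips:Role": "Guest",
}


def resolve(value: str, attrs: dict) -> str:
    """Replace every placeholder in one string with the attribute's text (empty if missing)."""
    return PARAM.sub(lambda m: str(attrs.get(m.group(1), "")), value)


def render_text_body(template: str, attrs: dict) -> str:
    """Verbatim substitution into a prebuilt body. Acceptable for PLAIN content;
    unsafe when the template is JSON or XML, because a value can close the
    string it sits in and add fields of its own."""
    return resolve(template, attrs)


def render_json_body(fields: dict, attrs: dict) -> str:
    """Resolve placeholders per field, then serialise the whole object with
    json.dumps so every value is escaped; the structure is fixed by `fields`."""
    return json.dumps({k: resolve(v, attrs) for k, v in fields.items()}, separators=(",", ":"))


def build_post(url: str, content_type: str, body: str) -> dict:
    """Assemble the request the enforcement profile would send (no network call here)."""
    return {"method": "POST", "url": url, "headers": {"Content-Type": content_type}, "body": body}


def decode(body: str) -> dict:
    """What the receiving web application will see after parsing the body."""
    return json.loads(body)


def demo():
    """Same ticket-creation message, rendered naively and safely."""
    url = "https://helpdesk.example/api/tickets"  # constructed endpoint
    naive = render_text_body(
        '{"role": "%{Tips:Role}", "user": "%{Authentication:Username}", '
        '"mac": "%{Connection:Client-Mac-Address}"}',
        SESSION,
    )
    safe = render_json_body(
        {"role": "%{Tips:Role}", "user": "%{Authentication:Username}",
         "mac": "%{Connection:Client-Mac-Address}"},
        SESSION,
    )
    return build_post(url, "application/json", naive), build_post(url, "application/json", safe)


if __name__ == "__main__":
    for request in demo():
        print(request["body"])
```

With the constructed username the naive body contains a second `role` key, and a JSON parser that keeps the last duplicate (Python's does) reports the role as `admin`; the safe body keeps the username as one escaped string and the role as `Guest`.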
  • 25. Post Authentication Engine
    – Policy control AFTER authentication? Bandwidth control; session control; action chaining; 3rd-party integration
    – Use cases: restrict “Guests” to 500MB per day; allow only ONE BYOD per employee; update identity and forensic data
  • 26. Post Authentication Engine
    – ClearPass can take “actions” after network authentications
    – Why? Asynchronous event processing; interrupt-free authentication flows; allows ClearPass to undertake high-latency transactions
    – Types of actions: restrict sessions; set bandwidth/time quotas; update ClearPass entities; integrate with 3rd-party systems using HTTP (HelpDesk and communication systems; MDM, payment gateways, …)
  • 27. Session Restrictions
    – Bandwidth Limits
    – Session Limits
    – Session Duration
    – PANW Updates
    – Agent Disconnect
  • 28. Bandwidth Limits
    – Enforce limits on the amount of bandwidth that the user can use
    – Date / time based checks
    – Disconnect and blacklist the user on exceeding the bandwidth
  • 29. Session Limits
    – Limit the number of simultaneous sessions for the user
    – Fix a scenario to work with the Guest MAC Caching flow
    – Disconnect the user on exceeding the max sessions
  • 30. Session Duration
    – Enforce limits on the amount of time the user is allowed to access the network
    – Date / time based checks
    – Disconnect and blacklist the user on exceeding the total session duration
    – Allow flexibility to reset the session duration by specifying start/stop date/time
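The three session restrictions on slides 28 to 30, applied to accounting data in one pass, as an added example that is not part of the deck and not ClearPass code. It takes the use cases the slides give (guests limited to 500MB per day, one BYOD device per employee) plus a maximum session duration, evaluates constructed accounting records against a per-role policy, and returns the action a post-authentication engine would trigger for each offending session: disconnect alone for a session-count breach, disconnect and blacklist for bandwidth and duration breaches, as the slides state. The record fields, role names, MAC addresses, the 8-hour duration limit and the evaluation time are assumptions.

```python
"""Post-authentication quota checks over accounting data.

Added example, not ClearPass code. Record fields, role names, thresholds
other than the 500MB guest quota, and the evaluation time are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024

# Per-role policy (constructed).
POLICY = {
    "Guest": {"daily_bytes": 500 * MB, "max_duration": timedelta(hours=8)},
    "Employee-BYOD": {"max_sessions": 1},
}

# Constructed accounting records; stop=None marks a session that is still active.
RECORDS = [
    {"user": "guest1", "role": "Guest", "mac": "00-11-22-33-44-01",
     "start": "2014-06-10T08:00", "stop": "2014-06-10T09:00", "bytes": 300 * MB},
    {"user": "guest1", "role": "Guest", "mac": "00-11-22-33-44-01",
     "start": "2014-06-10T10:00", "stop": None, "bytes": 250 * MB},
    {"user": "guest2", "role": "Guest", "mac": "00-11-22-33-44-02",
     "start": "2014-06-10T01:00", "stop": None, "bytes": 20 * MB},
    {"user": "jhoward", "role": "Employee-BYOD", "mac": "00-11-22-33-44-10",
     "start": "2014-06-10T07:30", "stop": None, "bytes": 50 * MB},
    {"user": "jhoward", "role": "Employee-BYOD", "mac": "00-11-22-33-44-11",
     "start": "2014-06-10T10:15", "stop": None, "bytes": 5 * MB},
]
NOW = datetime(2014, 6, 10, 11, 0)  # evaluation time for the constructed data


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


def evaluate(records, policy, now):
    """Return (user, mac, action, reason) tuples for every active session that breaks policy."""
    actions = []
    usage = defaultdict(int)        # (user, day) -> bytes, closed and active sessions alike
    active = defaultdict(list)      # user -> active sessions
    for r in records:
        usage[(r["user"], _ts(r["start"]).date())] += r["bytes"]
        if r["stop"] is None:
            active[r["user"]].append(r)

    for user, sessions in active.items():
        sessions.sort(key=lambda r: _ts(r["start"]))   # oldest first
        rules = policy.get(sessions[0]["role"], {})
        used = usage[(user, now.date())]

        # Bandwidth quota: disconnect and blacklist, which ends every active session.
        if "daily_bytes" in rules and used > rules["daily_bytes"]:
            for s in sessions:
                actions.append((user, s["mac"], "disconnect+blacklist",
                                f"{used // MB} MB used today exceeds the {rules['daily_bytes'] // MB} MB quota"))
            continue

        # Session duration: checked per session from its own start time.
        if "max_duration" in rules:
            for s in sessions:
                if now - _ts(s["start"]) > rules["max_duration"]:
                    actions.append((user, s["mac"], "disconnect+blacklist",
                                    f"session longer than {rules['max_duration']}"))

        # Session count: keep the oldest allowed sessions, disconnect the rest.
        if "max_sessions" in rules and len(sessions) > rules["max_sessions"]:
            for s in sessions[rules["max_sessions"]:]:
                actions.append((user, s["mac"], "disconnect",
                                f"{len(sessions)} simultaneous sessions, policy allows {rules['max_sessions']}"))
    return actions


def run():
    return evaluate(RECORDS, POLICY, NOW)


if __name__ == "__main__":
    for action in run():
        print(action)
```

On the constructed data guest1 has 550MB against a 500MB quota (the closed morning session counts toward the day), guest2 has been connected for ten hours, and jhoward's second BYOD device is the one disconnected because sessions are ordered oldest first; a blacklist action is emitted once per active session so every session the user holds is torn down.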
  • 31. Update Palo Alto Networks Firewall
    – Send userId and registration updates to the Palo Alto device
    – Integration with the NetWatch framework for faster updates
    – Ability to send full usernames in userId updates [with domain prefix/suffix]
    – HIP support
    – Extended support for the MAC Caching flow
  • 32. Entity Updates
    – Endpoint Updates
    – Guest Updates [User + Devices]
  • 33. Example – ServiceNow
  • 34. Example – SendGrid
  • 35. What’s new in ClearPass?
  • 36. ClearPass 6.3 Key Additions
    – Single Sign-On: streamline login to cloud/web applications; Aruba Auto Sign-On
    – BYOD and Guest features: improved integration with MDM vendors; AirGroup time and group sharing
    – NAC enhancements: integration with patch management solutions; improved dissolvable agent workflows
    – Platform features: real-time outbound HTTP enforcement; FIPS 140-2; new performance monitoring framework
  • 37. ClearPass 6.3 BYOD & MDM
    – CPPM as the Certificate Authority for leading MDM providers (via SCEP or EST)
    – Trigger MDM actions from CPPM via HTTP enforcement
    – Provision the full iOS 7.0 feature set through Onboard
  • 38. ClearPass 6.3 Profiling and Enforcement
    – New profile options: profile DHCP via SPAN port; profile from Cisco network equipment (requires IOS 15SE1); update device fingerprint
    – New enforcement options: use the Active Directory expiration date; custom outbound HTTP actions (JSON, XML, HTTP, PUT, GET)
  • 39. ClearPass 6.3 Server Certificates
    – Dual certificates for web logins and 802.1X: one for RADIUS/802.1X, one for HTTPS/SSL
  • 40. ClearPass 6.3 BYOD Certificates
  • 41. ClearPass 6.3 AirGroup
    – Group Sharing: admin defines groups; users allowed to access/share based on groups; new or removed groups/devices enforced automatically
    – Time Sharing: schedule every Tuesday at 4pm for 1 hour with Class A; only allow access when the schedule permits the group attribute (*requires AOS 6.4)
  • 42. ClearPass 6.3 OnGuard
    – User experience: localization framework for the persistent agent; dissolvable agent on CP Guest, all-new workflow; inline update of the persistent agent
    – New health classes: installed applications (Windows, OS X); patch management solutions (Windows/OS X)
    – Enforcement: per-application health checks; configurable health check period (persistent agent); monitor mode support for health classes
  • 43. ClearPass 6.3 Open in AirWave
  • 44. ClearPass 6.3 Performance Monitoring
  • 45. ClearPass 6.3 Authentication Simulation
  • 46. Summary
  • 47. Summary (diagram with columns WORKFLOW, POLICY, VISIBILITY): Role-based Enforcement; Health/Posture Checks; Device Context; Device Profiling; Troubleshooting; Per Session Tracking; Onboarding, Registration; Guest Management; MDM Integration
  • 48. Q&A
  • 49. (no text)
  • 50. Thank You