Breakout - Airheads Macau 2013 - ClearPass Access Management Basics
 

    Presentation Transcript

    • ClearPass Access Management Basics
        Carlos Gomez Gallego, Ashwath Murthy
        CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved. #airheadsconf
    • Agenda
        •  ClearPass Basics
        •  Controlling Access
        •  Advanced Features
    • Why ClearPass?
    • One size no longer fits all…
        •  User Centric
        •  IT Centric
        •  Diagram labels: Web Apps; Personal devices; Mainly Windows; LAN/VPN; MS Enterprise apps; Collaboration services; Mobile apps; Multiple platforms
    • ClearPass Core Solution Components
        •  Consolidation
        •  Troubleshooting
        •  Security
        •  Usage
        •  Automation
        •  Provisioning
        •  Diagram labels: Visibility; Workflow; Policy
    • ClearPass Enables New Workflows
        •  Offload IT Services
        •  Guest access
            –  Sponsors, self-service portals
            –  One time login
            –  IT controlled guest privileges
        •  Secure device onboarding
            –  Automatic device identification
            –  One time user registration
            –  Provisioning of 802.1X settings, certificates
        •  Device/App management
            –  Centralized distribution and policies
            –  Automatic updates
    • Device Visibility
        –  Works across multi vendor networks
        –  Uses multiple active and passive techniques for high accuracy
        –  Device fingerprints updated automatically over the web
        –  Use device visibility to trigger a workflow, quarantine a device or grant network access
    • Network Policies Based on Context (Policy Example)
        Use context from ClearPass & external sources to set network policy
        •  User/group membership
        •  Device Profile
        •  Location
        •  Time/Date
        •  OS version
        •  eg. in semester
        •  Trusted or untrusted network
        •  Endpoint health
        •  Jailbreak status
        •  Pincode/encryption
        •  Application installed
        •  blacklisted
    • Guest Access
    • ClearPass Basics
    • ClearPass Basics
        Who is a Guest?
        •  Guest Accounts
        •  Self generated access
        •  Sponsor controlled access
        •  Differentiated guest access
    • Automated Guest Onboarding
        Diagram labels: ClearPass Policy Manager; New Visitor; Access Network
        1. Visitor Registers for access, email sent to sponsor
        2. Sponsor prompted to confirm that guest is valid
        3. Sponsor Account enabled, visitor notified via screen, SMS, or email
    • Guest
    • Controlling Access
    • ClearPass Platform
        Enterprise Grade RADIUS and TACACS
    • Controlling Access
        Authentication and Authorization
    • What’s the flow?
        •  Authenticate: Valid Authentication
        •  Authorize: Find Out What’s Allowed
        •  Associate Context: Device, Time, Location, Posture
        •  Enforce on NAS: Roles, ACLs, VLANs
    • Service Flow – 802.1X
        Diagram labels: Layer 2 RADIUS Request; Layer 2 NAP; Layer 3 OnGuard; Layer 2 Authorization; Layer 2 Authentication; Layer 2 Role Derivation; Layer 3 Profile; Layer 2 RADIUS Enforcement
    • Service Flow – Implications
        •  Layer 2 Authentications are completed first
            –  Full Authorization
            –  Role Derivation
            –  NAP (if enabled)
            –  Layer 2 Enforcement
        •  Layer 3 : Profile next
            –  DHCP Request, DHCP Offer
            –  RFC 3576 – Change of Authorization
                •  Another Layer 2 authentication!
            –  No RFC 3576 message if “fingerprint” does not change
        •  Layer 3 : Collect Posture last (OnGuard)
            –  Posture over HTTPS
            –  RFC 3576 based on policy
                •  Another Layer 2 authentication!
    • Controlling Access
        A world of possibilities!
        •  Time Based Access
        •  Location Based Roles
        •  Domain User Groups
        •  Asset Tracking Database
        •  MDM
        •  Profile Information
        •  Aruba Activate
        •  Static Host List
        •  LogDB
        •  Endpoints Repository
    • Controlling Access
        Why does it matter?
    • Authorization – What and Why?
    • Authorization – What and Why?
        •  Authentication vs. Authorization
        •  Authorization & ClearPass
        •  Use Cases
    • Authorization & ClearPass
        •  “Authorization” Sources in ClearPass
            –  Where do I find them?
            –  How do I use them?
            –  How often does ClearPass talk to an authorization source?
            –  What happens in case something goes wrong?
    • Authorization Sources – Where?
        •  An “Authentication Source” is an “Authorization Source”
            –  RADIUS Server vs. Policy Server
    • Authorization Sources – How?
        •  Authentication Sources are automatic Authorization Sources
        •  No Authorization unless used in Roles!
        •  Additional Authorization Sources enabled per Service
    • Authorization Sources – How?
        •  Rule Algorithm : Evaluate All
        •  Authorize with Active Directory
        •  Authorize with Profile Data
    • Use Cases – Mergers & Acquisitions
        •  Active Directory Domain – avendasys.com
        •  Active Directory Domain – arubanetworks.com
    • Use Cases – Certificates & TLS
        •  Authentication & Authorization Sources for TLS
        •  Enable Authorization – Source specified in the Service
        •  Compare Certificate – Source specified in the Service
        •  Certificate Details used for Authorization
    • Use Cases – Asset Databases
        •  LDAP/SQL Interface to Asset Databases
            –  Key : MAC Address
            –  Authorization Attributes
                •  Ownership – Corporate vs. Personal
                •  Compliance Status – In/Out of compliance
            –  Identify corporate-owned non-Windows devices
    • Profile – How does it work?
    • Profile – How does it work?
        •  Profile & Network Data
        •  Automatic Profile “upgrades”
        •  Using Profile data in policy
        •  Configuring Profile
            –  DHCP? HTTP? SNMP?
        •  Use Cases
    • Profile & Network Data
        •  What does ClearPass use to profile?
            –  MAC OUIs
            –  DHCP Request, DHCP Offer
            –  HTTP User-Agent
            –  MDM Fingerprints
            –  Device Interrogation
            –  SNMP/CDP/LLDP Data
    • Fingerprint Updates
        •  Subscribe to Fingerprint Updates
            –  Automatic reclassification
            –  Updated frequently
        •  Tell Aruba!
            –  Create policy exceptions
            –  Grab fingerprints from UI
            –  Send fingerprints to Aruba
            –  Crowd-sourced, community oriented
    • Using Profile data in policy
        •  Automatic 3-level categorization
            –  Device Category, OS Family, Device Name
        •  Using raw profile data
            –  DHCP Data, HTTP User-Agent, SNMP Data
        •  Role Mapping
            –  What should I use?
        •  Enforcement
            –  How do I enforce?
            –  What are the benefits?
    • Configuring Profile – Network Considerations
        •  DHCP Relay
            –  Where should I set up DHCP relays?
        •  Captive Portal Configuration
            –  Is there a knob for this?
        •  Reading SNMP Data
            –  CDP
            –  LLDP
            –  HR MIB
            –  SysDescr MIB
    • Use Cases
        •  Policy – CEOs & iPads
        •  Policy – “Headless” Devices
        •  Visibility – Demystifying BYODs
    • Use Cases – CEOs & iPads
        •  Assign Roles
        •  Enforce Access
    • Use Cases – Headless Devices
        •  Identify & Assign Roles To Headless Devices
    • Use Cases – Visibility
    • The ClearPass Solution
        All things Network, Device and App Management
        •  Consolidated Visibility/Policy
            –  Device Profiling
            –  User, Device Role-mapping
            –  Per Session Tracking
        •  Workflow Automation
            –  Onboarding, Registration
            –  Guest Management
            –  MDM Integration
        •  App Security
            –  Profile-based App Distribution
            –  Mobile App Management
            –  Encryption, VPN Services
    • ClearPass Summary
        •  Complete Multivendor Solution on your existing network
        •  Designed to Support IT-Managed and BYOD Use Cases
        •  Highly flexible Self Service and Workflow automation portals
    • Q&A
    • Thank You!
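
An added example, not part of the original deck and not ClearPass code: a minimal model of the profiling step from the "Service Flow – Implications" and "Using Profile data in policy" slides, where new profiling data leads to an RFC 3576 Change of Authorization only when the stored fingerprint changes, followed by "Evaluate All" role mapping. The fingerprint rules, role names, group name and sample attribute values are constructed for illustration.

```python
# Added illustration; not ClearPass code. Rules and values are constructed.
from dataclasses import dataclass, field

# Constructed fingerprint rules: (attribute, substring) -> 3-level profile
# (Device Category, OS Family, Device Name), the categorization the slides name.
RULES = [
    ("user_agent", "iPad", ("SmartDevice", "Apple", "Apple iPad")),
    ("user_agent", "Windows NT", ("Computer", "Windows", "Windows")),
    ("dhcp_opt55", "1,3,6,15,119,252", ("SmartDevice", "Apple", "Apple iOS Device")),
]
UNKNOWN = ("Unknown", "Unknown", "Unknown")

def classify(attrs):
    """Return the first matching 3-level profile for the collected attributes."""
    for key, needle, profile in RULES:
        if needle in attrs.get(key, ""):
            return profile
    return UNKNOWN

@dataclass
class EndpointRepo:
    profiles: dict = field(default_factory=dict)  # MAC -> stored profile
    attrs: dict = field(default_factory=dict)     # MAC -> merged raw profile data

    def observe(self, mac, **new_attrs):
        """Merge new profiling data; return True when a CoA should be sent."""
        merged = self.attrs.setdefault(mac, {})
        merged.update(new_attrs)
        new_profile = classify(merged)
        changed = new_profile != self.profiles.get(mac, UNKNOWN)
        self.profiles[mac] = new_profile
        return changed  # unchanged fingerprint -> no RFC 3576 message

def map_roles(ad_groups, profile):
    """'Evaluate All' role mapping: every matching rule contributes a role."""
    roles = set()
    if "Executives" in ad_groups:      # authorize with directory group data
        roles.add("executive")
    if profile[2] == "Apple iPad":     # authorize with profile data
        roles.add("ipad")
    if profile == UNKNOWN:             # not yet profiled at first Layer 2 auth
        roles.add("unprofiled")
    return roles
```

Each True from `observe` stands for one CoA and therefore one more Layer 2 authentication, so a repeated DHCP exchange with the same fingerprint adds no extra authentication load.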