BYOD with ClearPass (Cameron Esdaile)

Presentation Transcript

CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved #airheadsconf

Slide 1: Extending BYOD with ClearPass
Aruba Network Services Team, June 2013

Slide 2: Agenda
  • The Big Picture
  • Onboarding with ClearPass
    – Technology
    – Deployment
  • Detecting BYOD Devices
  • Device Management with ClearPass
    – MDM Partners
    – Native ClearPass
  • App Management with ClearPass
  • Q&A

Slide 3: The Big Picture

Slide 4: BYOD Creating a New Set of Challenges
  • How do I get personal devices provisioned? NAC? MDM? MAM?
  • How do I keep corporate data safe?
  • How do I protect my network?
  • What if a mobile device is lost?
  • How do I maintain user privacy?

Slide 5: Policy Enforcement Options for BYOD
  • NAC / AAA
    – VLAN
    – ACLs
    – QoS
    – Authentication
    – Device Provisioning & Onboarding
  • MDM
    – Device Policy
    – Device Level Encryption
    – Passcode
    – Full Wipe
    – App blacklist / whitelist
    – Authentication
  • MAM
    – App Passcode
    – App Wipe
    – App Policies
    – App SSO
    – App VPN

Slide 6: First System to Combine All BYOD Tools: ClearPass with Aruba WorkSpace
(Diagram: When / What / Who / Where / How across Network Control, Device Control and Application Control.)
  1. Unified access management
  2. Built-in Onboarding & MDM
  3. Built-in mobile app management
  4. Complete BYOD visibility and control
Slide 7: Onboarding with ClearPass

Slide 8: Technology Overview

Slide 9: BYOD Workflow
  • Join BYOD Domain
    – Supplicant Config
    – Push Trusted Cert
    – Enable Posture
    – Set Auth type
  • Onboard Device
    – Enrollment workflow
    – Authorize User to provision device
    – Device credential push
    – Link User to Device
  • Visibility & Reporting
    – Complete view of device & network
    – Command & Control
    – Inventory
    – Diagnostics
    – Revoke Device Access
  • Access Controls
    – Device Profiling
    – Role Derivation
    – Corp vs Employee Liable

Slide 10: Deployment Architecture
(Diagram: "Bring Your Own" client devices (iOS, Windows, Mac OS X, Android), ClearPass Onboard, ClearPass Policy Manager as the network authentication server.)
  • Users enroll with the Onboard Workflow
  • Devices authenticate with Unique Device Credentials
  • Manage Devices / Policy Definition
  • Administer Secure BYOD Network Access

Slide 11: Detailed Architecture
(Diagram: Aruba Controller and AP in front of "Bring Your Own" client devices; ClearPass Onboard in the Untrusted / DMZ segment with its Web Login Page, Onboard GUI, Certificates, Users and Endpoints; ClearPass Policy Manager and Active Directory in the Server VLAN.)
  • Over-the-Air Provisioning for iOS and OS X 10.6+
  • QuickConnect™ Provisioning for Windows, Mac OS X and Android
  • Devices authenticate with EAP-TLS (Device Certificate)

Slide 12: Onboard Workflow – iOS & OS X
(Sequence diagram between iOS Device, Network Infrastructure, ClearPass Onboard and ClearPass Policy Manager; steps as recoverable from the diagram.)
  • Captive portal
    – Associate, HTTP GET
    – Redirect (Provisioning role)
  • Pre-provisioning
    – Request mobile device provisioning page
    – Download and install root certificate from portal
    – Login with provisioning user's credentials
    – Authenticate with Active Directory
  • Provisioning
    – Apple Over-the-Air Provisioning
    – Switch to EAP-TLS
  • Onboard Complete
    – EAP-TLS Auth; RADIUS Auth (EAP-TLS)
    – Client certificate verified; Access-Accept; EAP-Success
    – Server certificate verified; Device authenticated
    – Provisioning complete

Slide 13: iOS "Over-the-Air Provisioning"
(Sequence diagram between iOS Device, Network Infrastructure, ClearPass Onboard and ClearPass Policy Manager; steps as recoverable from the diagram.)
  • Start device enrollment (signed profile payload)
  • User accepts enrollment profile
  • Request for enrollment; user authenticated for device enrollment
  • SCEP enrollment profile
  • Request device certificate using SCEP; issue SCEP certificate for device
  • Install device identity certificate
  • Request device configuration profile (signed)
  • Generate TLS certificate and payload with Onboard settings
  • Device configuration profile (signed + encrypted)
  • Install profile and return to Safari
  • Refresh enrollment progress page
  • Switch to EAP-TLS
  • Provisioning Complete

Slide 14: Onboard Workflow – other OSs
(Sequence diagram between Android Device, Network Infrastructure, ClearPass Onboard and ClearPass Policy Manager; steps as recoverable from the diagram.)
  • Associate, HTTP GET
  • Redirect (Provisioning role)
  • Request mobile device provisioning page; return provisioning portal page
  • Detect device type
  • Download Onboard configuration; launch app
  • Device enrollment; push unique device credentials
  • QuickConnect Provisioning; provisioning complete
  • Switch to PEAP
  • PEAP-MSCHAPv2 Auth; RADIUS Auth (PEAP-MSCHAPv2)
  • Verify unique device credentials; Access-Accept; EAP-Success
  • Server certificate verified; Device authenticated
  • Onboard Complete

Slide 15: Onboarding Deployment Options
(Diagram: Aruba Controller and AP as 802.1x Authenticator; ClearPass Policy Manager as 802.1x Authentication Server with Endpoints and Users; Active Directory; iPad and Android client devices as 802.1x Supplicants.)
  • Different SSID for Provisioning & Provisioned (Provisioning SSID "BYOD", Provisioned SSID "Employee-Secure")
    – Standalone SSID
    – Linked from Guest Access Portal

Slide 16: Onboarding Deployment Options
(Same diagram as Slide 15.)
  • Same SSID for Provisioning & Provisioned ("Employee-Secure")
    – Device Profiling
    – Lack of provisioning credential
    – MDM integration

Slide 17: Onboarding Workflow
  1. Device type automatically detected & redirected to portal
  2. Settings & credentials are auto-configured after user enters domain credentials
  3. User automatically placed on proper SSID & network segment
Slide 18: Detecting BYO Devices

Slide 19: Power of context aware policies
  • No longer a binary decision
  • Leverage context sources to determine enforcement
    – Active Directory Group Membership
    – Machine authentication for domain joined devices
    – Device Type / Posture of the device
    – Managed by MDM / context from MDM
    – Lack of provisioned credential
  • Differentiate Corporate Managed / Provisioned devices
    – Enforce Machine Authentication differently
    – Enforce MDM managed differently
    – Enforce Onboard provisioning differently
    – Redirect unmanaged / un-provisioned devices to the provisioning workflow (for example, devices only using PEAP AD credentials)

Slide 20: Sources of Profile Data
  • Native
    – MAC OUI
    – HTTP User Agent (Captive Portal Services)
    – Onboard (explicit knowledge from client OS interactions)
    – OnGuard (explicit knowledge from client OS interactions)
  • Network Sourced
    – DHCP Option fingerprinting (DHCP relay)
    – Subnet scan with SNMP profiling (CDP, LLDP, sysDescr)
    – AOS Controller 6.3 export (DHCP, HTTP, mDNS)
  • Agent / Server Integration
    – MS Exchange (ActiveSync device type)
    – MDM Deployments
  • Fingerprints updated automatically over the net

Slide 21: Sample Profile Dashboard (screenshot)

Slide 22: Example Enforcement Policy (screenshot)

Slide 23: Device Management with ClearPass
Slide 24: MDM Partners or Native ClearPass
  • MDM Partners: Multi-Platform Support
  • ClearPass with WorkSpace: iOS Only; Support for Corporate Issued Devices; Coming in CPPM 6.2

Slide 25: MDM Partners

Slide 26: Integrating Leading MDM Vendors
  • ClearPass uses public APIs for: (vendor logos)
  • Normalize MDM endpoint data across vendors

Slide 27: ClearPass MDM Integration: Using MDM device information for Policy
(Diagram: MDM Server and ClearPass.)
  • Device type & posture polled from the MDM server for policy decisions & reporting
  • Endpoint data replicated to the ClearPass cluster
  • CoA triggers network enforcement

Slide 28: Use MDM Attributes for Network Policy
  • Inventory
    – Manufacturer: Apple
    – Model: iPad2
    – OS Version: iOS 6.1
    – UDID: 1730235f564094186
    – Serial Number: 79049XXXA4S
    – IMEI: 012416009780168
    – Phone Number: 408-534-2819
    – Carrier: Verizon
    – MDM Id: 130d0f992t34
    – Owner: jhoward
    – Display Name: John Howard
    – Ownership: Employee Liable
  • Posture
    – MDM Enabled: Yes
    – Compromised: Not Jailbroken
    – Encryption Enabled: Yes
    – Blacklisted Apps: No
    – Required Apps: Yes
    – Last Check in: 01/30/2012 9:03am

Slide 29: Setting Network Policy
Policy Example: use context from ClearPass + MDM to set network policy
  • Application installed (e.g. blacklisted)
  • Device Profile (e.g. OS version)
  • Endpoint health (Jailbreak status; Pincode/encryption)
  • Location (trusted or untrusted network)
  • Time/Date (e.g. in semester)
  • User/group membership

Slide 30: Sample network policies based on MDM
  • Jailbreak
  • Blacklisted App
  • Corporate Issued vs Employee Owned
  • MDM Enabled
  • iPad vs iPhone
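The context-aware decision that Slides 19 and 28 to 30 describe, written out as an added Python example (not ClearPass code); the role names, attribute names and rule ordering are assumptions, and the input is constructed from the context sources the deck lists.

```python
from dataclasses import dataclass


@dataclass
class Context:
    """One request's worth of context, assembled from the sources the deck lists."""
    auth_method: str                  # "EAP-TLS" (Onboard cert) or "PEAP-MSCHAPv2" (AD password)
    machine_auth: bool = False        # domain-joined computer passed machine authentication
    ad_groups: tuple = ()             # user's Active Directory group membership
    device_category: str = "Unknown"  # profiler result (MAC OUI, DHCP, HTTP User-Agent)
    mdm_known: bool = False           # endpoint present in the MDM inventory
    ownership: str = "Unknown"        # MDM: "Corporate" or "Employee Liable"
    compromised: bool = False         # MDM: jailbroken / rooted
    encryption_enabled: bool = False  # MDM: device-level encryption on
    blacklisted_apps: bool = False    # MDM: a blacklisted app is installed


def decide(ctx: Context) -> tuple:
    """Return (role, reason). Rules run most restrictive first, so an MDM
    posture failure overrides any grant a valid credential would earn."""
    if ctx.mdm_known and ctx.compromised:
        return "Quarantine", "device jailbroken/rooted"
    if ctx.mdm_known and ctx.blacklisted_apps:
        return "Quarantine", "blacklisted app installed"
    if ctx.machine_auth:
        return "Corporate-Full", "domain machine authentication"
    if ctx.auth_method == "EAP-TLS":
        # A unique device certificate means Onboard already provisioned the device.
        if "Contractors" in ctx.ad_groups:
            return "Contractor-Limited", "AD group membership"
        if ctx.mdm_known and not ctx.encryption_enabled:
            return "Employee-Limited", "provisioned but device not encrypted"
        if ctx.mdm_known and ctx.ownership == "Corporate":
            return "Corporate-Full", "provisioned corporate-issued device"
        return "Employee-Secure", "provisioned personal device"
    if ctx.auth_method == "PEAP-MSCHAPv2":
        # AD password only: no provisioned credential, so the device is
        # redirected into the Onboard workflow rather than admitted.
        return "Provisioning", f"{ctx.device_category} lacks a provisioned credential"
    return "Deny", "no usable credential"
```

Because the posture checks sit above the credential checks, a jailbroken device is quarantined even when it presents a valid Onboard certificate, which is the ordering the deck's "no longer a binary decision" point relies on.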
Slide 31: Native ClearPass iOS MDM

Slide 32: Enforce iOS Device Policy with MDM
Aruba WorkSpace helps organizations reduce the cost and risk of managing corporate-issued mobile devices.
  • Monitor device inventory
  • Audit devices to ensure compliance
  • Configure security settings
  • Over the air remote provisioning
  • Lock and wipe devices
  • Passcode enforcement

Slide 33: Enabling ClearPass for MDM
(Diagram: Active Directory and CPPM (Publisher) on the internal network, connected over LDAP; WorkSpace (Subscriber) in the DMZ, reachable from the Internet; Apple Push Notification Servers, using an APNS Push Certificate.)
  • Firewall Ports (DMZ-Internal)
    – Inbound: HTTPS (TCP 443), SQL (TCP 5432), NTP (UDP 123)
    – Outbound: HTTPS (TCP 443), SQL (TCP 5432), NTP (UDP 123)

Slide 34: Managing iOS devices over the air: ClearPass with WorkSpace
  • MDM Enrollment
    – OTA Enrollment
    – Generate MDM Profile
    – Install MDM Profile
    – Bind to WorkSpace Server
  • MDM Management
    – Policy Change on WorkSpace
    – Send Push Notification (via Apple Push Notification Servers)
    – Device connects to WorkSpace
    – Execute Command / Queries

Slide 35: Example Configuration for MDM (screenshot)
Slide 36: App Management with ClearPass

Slide 37: Separating Corporate and Personal Data

Slide 38: Create App Policy based on context
Mobile Context examples:
  • Must be used during store hours
  • Must be used at hospital or member facilities
  • Can not be used while driving / moving
  • Cut & paste restrictions, Jailbreak / Root detection, Cloud backup
  • Can not access torrent sites

Slide 39: One App for Employee Self-Service
  • Employee self-service mobility
  • Personalized portal with Single Sign-On
  • WorkSpace App provisioned to device
(Portal screenshot: @mycompany, with My Access, My Devices and My Apps tabs.)

Slide 40: ClearPass with Aruba WorkSpace: First Integrated BYOD System
  • Most Comprehensive Self-Service Portal
    – Simplify BYOD Rollout: no need to onboard multiple vendors and integrate multiple systems
    – Faster Service Delivery: automate BYOD provisioning across network, device and app
    – Stronger Security: more options to control BYOD use
    – Personalized BYOD: employees get visibility and are empowered to customize their BYOD experience
  • Extensive Partner Ecosystem
    – More than 40 3rd-Party ISV Apps: extensive list of productivity and collaboration tools

Slide 41: Enabling ClearPass for WorkSpace
(Diagram: Active Directory and CPPM (Publisher) on the internal network, connected over LDAP; WorkSpace (Subscriber) in the DMZ, reachable from the Internet; Apple AppStore and the WorkSpace 'For Aruba Apps' Enterprise AppStore, using an Enterprise Developer Certificate.)
  • Firewall Ports (DMZ-Internal)
    – Inbound: HTTPS (TCP 443), SQL (TCP 5432), NTP (UDP 123)
    – Outbound: HTTPS (TCP 443), SQL (TCP 5432), NTP (UDP 123)

Slide 42: Managing App Policy over the air: ClearPass with WorkSpace
  • WorkSpace Enrollment
    – Trigger WorkSpace App Install
    – OTA Enrollment
    – Authenticate User & Provision App
    – Install Policy Managed Apps (from the Apple AppStore or the WorkSpace 'For Aruba Apps' Enterprise AppStore)
  • App Policy Management
    – Policy Change on WorkSpace
    – Device connects to WorkSpace (on WorkSpace or App Launch)
    – Execute Policy / Update App

Slide 43: Example configuration for WorkSpace (screenshot)

Slide 44: Q&A

Slide 45: (blank)

Slide 46: Thank You