Clear pass policy manager advanced_ashwath murthy
 

Like this? Share it with your network

Share

Clear pass policy manager advanced_ashwath murthy

on

  • 1,749 views

 

Statistics

Views

Total Views
1,749
Views on SlideShare
1,568
Embed Views
181

Actions

Likes
0
Downloads
104
Comments
0

2 Embeds 181

http://community.arubanetworks.com 178
http://www.airheads.eu 3

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Clear pass policy manager advanced_ashwath murthy Presentation Transcript

  • 1. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 1 #airheadsconf#airheadsconf ClearPass Policy Manager – Advanced Ashwath Murthy 03/15/2013
  • 2. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 2 #airheadsconf ClearPass – Policy Model Authorization – What and Why? Profile – How does it work? Clustering & Deployment Q & A Agenda
  • 3. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 3 #airheadsconf#airheadsconf3 ClearPass Policy Model
  • 4. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 4 #airheadsconf •  What constitutes the policy model? •  How does it work? •  What are the interactions between various components? •  How does the policy model affect configuration & deployment? ClearPass Policy Model
  • 5. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 5 #airheadsconf ClearPass Policy Model Policy Identity Health Device Conditions • Role • Department • Group •  AV, AS, FW • Registry Keys • Services… • Device type, status, health • Address, O/S • Corp. Owned • Time • Location • Day of Week
  • 6. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 6 #airheadsconf What’s the flow? Authenticate • Valid Authentication Authorize • Find Out What’s Allowed Associate Context • Device, Time, Location, Posture Enforce on NAS • Roles, ACLs, VLANs
  • 7. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 7 #airheadsconf What Are The Interactions? RADIUS Server – Authenticate Policy Server – Authorize Policy Server – Associate Context Policy Server – Decision Tree RADIUS Server – Enforce
  • 8. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 8 #airheadsconf Service Flow – 802.1X Layer 2 RADIUS Request Layer 2 Authentication Layer 2 Authorization Layer 2 Role Derivation Layer 2 RADIUS Enforcement Layer 3 Profile Layer 2 NAP Layer 3 OnGuard
  • 9. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 9 #airheadsconf •  Layer 2 Authentications are completed first –  Full Authorization –  Role Derivation –  NAP (if enabled) –  Layer 2 Enforcement •  Layer 3 : Profile next –  DHCP Request, DHCP Offer –  RFC 3576 – Change of Authorization •  Another Layer 2 authentication! –  No RFC 3576 message if “fingerprint” does not change •  Layer 3 : Collect Posture last (OnGuard) –  Posture over HTTPS –  RFC 3576 based on policy •  Another Layer 2 authentication! Service Flow – Implications
  • 10. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 10 #airheadsconf#airheadsconf10 Authorization – What and Why?
  • 11. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 11 #airheadsconf •  Authentication vs. Authorization •  Authorization & ClearPass •  Use Cases Authorization – What and Why?
  • 12. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 12 #airheadsconf Authorization & ClearPass •  “Authorization” Sources in ClearPass –  Where do I find them? –  How do I use them? –  How often does ClearPass talk to an authorization source? –  What happens in case something goes wrong?
  • 13. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 13 #airheadsconf •  An “Authentication Source” is an “Authorization Source” –  RADIUS Server vs. Policy Server Authorization Sources – Where?
  • 14. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 14 #airheadsconf Authorization Sources – How? Authentication Sources are automatic Authorization Sources Additional Authorization Sources enabled per Service No Authorization unless used in Roles!
  • 15. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 15 #airheadsconf Authorization Sources – How? Authorize with Active Directory Authorize with Profile Data Rule Algorithm : Evaluate All
  • 16. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 16 #airheadsconf •  Ok, great. But will ClearPass flood my AD with authorization requests? –  Authorization data is cached per user –  New request made to fetch data once the cache expires –  Cache timers can be tuned Authorization – How? Cache Timeout Default: 10 hours
  • 17. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 17 #airheadsconf •  Got it •  But I just made a bunch of changes on my AD. Should I need to wait 10 hours? –  Tune the cache timers –  “Clear Cache” button on the Authentication Source •  Wipes out cache for all users –  “Save” button on the Authentication Source •  Wipes out cache for all users –  Restart Policy Server •  BAD IDEA!!! Authorization – How?
  • 18. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 18 #airheadsconf •  If an Authentication/Authorization Source is not reachable –  Configure Backup Servers –  Configure Fail-Over Timeout Authorization – Uh-Oh! Fail-Over Timeout Backup Servers
  • 19. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 19 #airheadsconf Use Cases – Mergers & Acquisitions Active Directory Domain – avendasys.com Active Directory Domain – arubanetworks.com
  • 20. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 20 #airheadsconf Authentication & Authorization Sources for TLS Certificate Details used for Authorization Enable Authorization – Source specified in the Service Compare Certificate – Source specified in the Service Use Cases – Certificates & TLS
  • 21. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 21 #airheadsconf •  LDAP/SQL Interface to Asset Databases –  Key : MAC Address –  Authorization Attributes •  Ownership – Corporate vs. Personal •  Compliance Status – In/Out of compliance –  Identify corporate-owned non-Windows devices Use Cases – Asset Databases
  • 22. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 22 #airheadsconf#airheadsconf22 Profile – How does it work?
  • 23. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 23 #airheadsconf •  Profile & Network Data •  Automatic Profile “upgrades” •  Using Profile data in policy •  Configuring Profile –  DHCP? HTTP? SNMP? •  Use Cases Profile – How does it work?
  • 24. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 24 #airheadsconf •  What does ClearPass use to profile? –  MAC OUIs –  DHCP Request, DHCP Offer –  HTTP User-Agent –  MDM Fingerprints –  Device Interrogation –  SNMP/CDP/LLDP Data Profile & Network Data
  • 25. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 25 #airheadsconf Fingerprint Updates •  Subscribe to Fingerprint Updates –  Automatic reclassification –  Updated frequently •  Tell Aruba! –  Create policy exceptions –  Grab fingerprints from UI –  Send fingerprints to Aruba –  Crowd-sourced, community oriented
  • 26. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 26 #airheadsconf •  Automatic 3-level categorization –  Device Category, OS Family, Device Name •  Using raw profile data –  DHCP Data, HTTP User-Agent, SNMP Data •  Role Mapping –  What should I use? •  Enforcement –  How do I enforce? –  What are the benefits? Using Profile data in policy
  • 27. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 27 #airheadsconf •  DHCP Relay –  Where should I setup DHCP relays? •  Captive Portal Configuration –  Is there a knob for this? •  Reading SNMP Data –  CDP –  LLDP –  HR MIB –  SysDescr MIB Configuring Profile – Network Considerations
  • 28. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 28 #airheadsconf •  Policy – CEOs & iPads •  Policy – “Headless” Devices •  Visibility – Demystifying BYODs Use Cases
  • 29. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 29 #airheadsconf Use Cases – CEOs & iPads Assign Roles Enforce Access
  • 30. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 30 #airheadsconf Use Cases – Headless Devices Identify & Assign Roles To Headless Devices
  • 31. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 31 #airheadsconf Use Cases – Visibility
  • 32. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 32 #airheadsconf#airheadsconf32 Clustering & Deployment
  • 33. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 33 #airheadsconf •  Clustering Technology –  What’s replicated? What’s not? •  Deploying ClearPass Clusters –  Considerations •  Operations & Maintenance –  What happens when a ClearPass node is down? –  Events & Alerts –  Rescue & Recovery Clustering & Deployment
  • 34. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 34 #airheadsconf •  What’s replicated? –  All policy configuration elements –  All Audit data –  All identity store data •  Guest Accounts, Endpoints, Profile data –  Runtime Information •  Authorization status, Posture status, Roles •  Connectivity Information, NAS Details –  Database replication on port# 5432 over SSL –  Runtime replication on port# 443 over SSL Clustering Technology
  • 35. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 35 #airheadsconf •  What’s not replicated? –  Log files –  Authentication Records –  Accounting Records –  System Events –  System Monitor Data Clustering Technology
  • 36. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 36 #airheadsconf •  How do they connect? –  Requires IP connectivity (bi-directional) •  Port # 5432 (Database over SSL) •  Port# 80 (HTTP) •  Port #443 (HTTPS) •  Port #123 (NTP) •  How much data should we expect to see crossing the wire? –  Only elements in the configuration database –  First sync is a full database copy –  Subsequent sync – Delta changes propagated Clustering – Considerations
  • 37. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 37 #airheadsconf Clustering – Considerations PUBLISHER SUBSCRIBER 1 SUBSCRIBER 2 SUBSCRIBER 3 SUBSCRIBER 4 SUBSCRIBER 5 SUBSCRIBER 6 Hub & Spoke
  • 38. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 38 #airheadsconf Clustering – Considerations CPPM – Publisher DNS DHCP Identity Stores Main Data Center Mid-size Branch Regional Office DMZ CPPM Subscriber VM CP Guest CP Onboard CPPM Subscriber CPPM Subscriber •  Central / Distributed Admin Domains •  Redundancy/Load Balancing •  Cluster wide licenses
  • 39. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 39 #airheadsconf •  What happens when a node goes down? –  Operations •  If Deployed Right – Nothing •  RADIUS Backup settings on the NAS –  If the Publisher goes down •  No Database Writes Allowed!! •  Promote a Subscriber to a Publisher •  Resume configuration updates Operations & Maintenance
  • 40. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 40 #airheadsconf •  How long before ClearPass figures out something’s wrong? –  24 hours before it automatically “drops” a node from the cluster –  Cluster Synchronization Warnings •  1 event every hour x 24 hours = 24 events –  CPU/Memory Usage Warnings  Every 2 Minutes –  Server Certificate Warnings  Every 24 Hours –  Service Alerts  Immediate •  Email/SMS Alerts using Insight, Syslog & SNMP Events & Alerts
  • 41. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 41 #airheadsconf •  Rescue & Recovery –  Establish cluster connectivity •  Database sync will ensue. Watch for “Last Sync Time” –  Restore certificates •  Server Certificates are not installed as a part of the sync –  Restore log entries (If necessary) •  Caveat : High disk activity for an extended period of time –  Verify fail-back on the NAS •  NAS fail-back timers should kick in Operations & Maintenance
  • 42. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 42 #airheadsconf#airheadsconf42 Q & A
  • 43. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 43 #airheadsconf#airheadsconf Thank You
  • 44. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 44 #airheadsconf#airheadsconf44