ClearPass Policy Manager – Advanced (Ashwath Murthy)
Transcript

  • 1. ClearPass Policy Manager – Advanced. Ashwath Murthy, 03/15/2013. #airheadsconf. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved.
  • 2. Agenda
    – ClearPass – Policy Model
    – Authorization – What and Why?
    – Profile – How does it work?
    – Clustering & Deployment
    – Q & A
  • 3. ClearPass Policy Model
  • 4. ClearPass Policy Model
    • What constitutes the policy model?
    • How does it work?
    • What are the interactions between various components?
    • How does the policy model affect configuration & deployment?
  • 5. ClearPass Policy Model (diagram: Policy is built from Identity, Health, Device and Conditions)
    – Identity: Role, Department, Group
    – Health: AV, AS, FW, Registry Keys, Services…
    – Device: Device type, status, health; Address, O/S; Corp. Owned
    – Conditions: Time, Location, Day of Week
  • 6. What’s the flow?
    – Authenticate: Valid Authentication
    – Authorize: Find Out What’s Allowed
    – Associate Context: Device, Time, Location, Posture
    – Enforce on NAS: Roles, ACLs, VLANs
  • 7. What Are The Interactions?
    – RADIUS Server – Authenticate
    – Policy Server – Authorize
    – Policy Server – Associate Context
    – Policy Server – Decision Tree
    – RADIUS Server – Enforce
  • 8. Service Flow – 802.1X
    – Layer 2: RADIUS Request
    – Layer 2: Authentication
    – Layer 2: Authorization
    – Layer 2: Role Derivation
    – Layer 2: RADIUS Enforcement
    – Layer 3: Profile
    – Layer 2: NAP
    – Layer 3: OnGuard
  • 9. Service Flow – Implications
    • Layer 2 Authentications are completed first
      – Full Authorization
      – Role Derivation
      – NAP (if enabled)
      – Layer 2 Enforcement
    • Layer 3: Profile next
      – DHCP Request, DHCP Offer
      – RFC 3576 – Change of Authorization
        • Another Layer 2 authentication!
      – No RFC 3576 message if “fingerprint” does not change
    • Layer 3: Collect Posture last (OnGuard)
      – Posture over HTTPS
      – RFC 3576 based on policy
        • Another Layer 2 authentication!
  • 10. Authorization – What and Why?
  • 11. Authorization – What and Why?
    • Authentication vs. Authorization
    • Authorization & ClearPass
    • Use Cases
  • 12. Authorization & ClearPass
    • “Authorization” Sources in ClearPass
      – Where do I find them?
      – How do I use them?
      – How often does ClearPass talk to an authorization source?
      – What happens in case something goes wrong?
  • 13. Authorization Sources – Where?
    • An “Authentication Source” is an “Authorization Source”
      – RADIUS Server vs. Policy Server
  • 14. Authorization Sources – How?
    – Authentication Sources are automatic Authorization Sources
    – Additional Authorization Sources enabled per Service
    – No Authorization unless used in Roles!
  • 15. Authorization Sources – How?
    – Authorize with Active Directory
    – Authorize with Profile Data
    – Rule Algorithm: Evaluate All
  • 16. Authorization – How?
    • Ok, great. But will ClearPass flood my AD with authorization requests?
      – Authorization data is cached per user
      – New request made to fetch data once the cache expires
      – Cache timers can be tuned (Cache Timeout default: 10 hours)
  • 17. Authorization – How?
    • Got it
    • But I just made a bunch of changes on my AD. Should I need to wait 10 hours?
      – Tune the cache timers
      – “Clear Cache” button on the Authentication Source
        • Wipes out cache for all users
      – “Save” button on the Authentication Source
        • Wipes out cache for all users
      – Restart Policy Server
        • BAD IDEA!!!
  • 18. Authorization – Uh-Oh!
    • If an Authentication/Authorization Source is not reachable
      – Configure Backup Servers
      – Configure Fail-Over Timeout
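As an added illustration (constructed for this page, not ClearPass code and not the presenter's), a toy model of the behaviour slides 16 to 18 describe: authorization data cached per user with the 10-hour default, Clear Cache and Save wiping every user, and backup servers tried in turn once a server exceeds the fail-over timeout. The fake_ad server and the injectable clock are assumptions made for the example.

```python
import time

DEFAULT_CACHE_TIMEOUT = 10 * 3600   # the deck's default Cache Timeout: 10 hours

def fake_ad(directory, down=False):
    """Constructed stand-in for an AD server: answers from a dict or times out."""
    def query(user, timeout):
        if down:
            raise TimeoutError(f"no reply within {timeout}s")
        return dict(directory.get(user, {}))
    return query

class AuthorizationSource:
    """Toy model (not product code): per-user cache with a tunable timeout,
    Clear Cache / Save wiping all users, and primary plus backup servers tried
    in order, each given at most the fail-over timeout."""
    def __init__(self, servers, failover_timeout=5.0,
                 cache_timeout=DEFAULT_CACHE_TIMEOUT, clock=time.monotonic):
        self.servers = list(servers)        # primary first, then backups
        self.failover_timeout = failover_timeout
        self.cache_timeout = cache_timeout
        self.clock = clock                  # injectable so a test can fast-forward
        self._cache = {}                    # user -> (fetched_at, attributes)
        self.server_hits = 0                # how often a server was really queried

    def clear_cache(self):
        """The 'Clear Cache' button: cached data for every user is dropped."""
        self._cache.clear()

    def save(self, cache_timeout=None):
        """'Save' on the source (e.g. to tune the timer) also wipes the cache."""
        if cache_timeout is not None:
            self.cache_timeout = cache_timeout
        self.clear_cache()

    def authorize(self, user):
        """Serve from cache while fresh; otherwise fetch, failing over across servers."""
        now = self.clock()
        hit = self._cache.get(user)
        if hit is not None and now - hit[0] < self.cache_timeout:
            return hit[1]
        for server in self.servers:
            try:
                attrs = server(user, timeout=self.failover_timeout)
            except TimeoutError:
                continue                    # fail over to the next server
            self.server_hits += 1
            self._cache[user] = (now, attrs)
            return attrs
        raise ConnectionError(f"no server answered for {user}")
```

Restarting the Policy Server, which the deck calls a bad idea, is the one cache-clearing route this model deliberately leaves out.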
  • 19. Use Cases – Mergers & Acquisitions
    – Active Directory Domain – avendasys.com
    – Active Directory Domain – arubanetworks.com
  • 20. Use Cases – Certificates & TLS
    – Authentication & Authorization Sources for TLS
    – Certificate Details used for Authorization
    – Enable Authorization – Source specified in the Service
    – Compare Certificate – Source specified in the Service
  • 21. Use Cases – Asset Databases
    • LDAP/SQL Interface to Asset Databases
      – Key: MAC Address
      – Authorization Attributes
        • Ownership – Corporate vs. Personal
        • Compliance Status – In/Out of compliance
      – Identify corporate-owned non-Windows devices
  • 22. Profile – How does it work?
  • 23. Profile – How does it work?
    • Profile & Network Data
    • Automatic Profile “upgrades”
    • Using Profile data in policy
    • Configuring Profile
      – DHCP? HTTP? SNMP?
    • Use Cases
  • 24. Profile & Network Data
    • What does ClearPass use to profile?
      – MAC OUIs
      – DHCP Request, DHCP Offer
      – HTTP User-Agent
      – MDM Fingerprints
      – Device Interrogation
      – SNMP/CDP/LLDP Data
  • 25. Fingerprint Updates
    • Subscribe to Fingerprint Updates
      – Automatic reclassification
      – Updated frequently
    • Tell Aruba!
      – Create policy exceptions
      – Grab fingerprints from UI
      – Send fingerprints to Aruba
      – Crowd-sourced, community oriented
  • 26. Using Profile data in policy
    • Automatic 3-level categorization
      – Device Category, OS Family, Device Name
    • Using raw profile data
      – DHCP Data, HTTP User-Agent, SNMP Data
    • Role Mapping
      – What should I use?
    • Enforcement
      – How do I enforce?
      – What are the benefits?
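An added example (constructed for this page, not ClearPass's own logic) that ties slides 9, 15 and 26 together: role mapping over AD, asset-database and profile attributes with Evaluate All semantics, enforcement derived from the resulting role set, and the Layer 3 profile step issuing a CoA only when the device fingerprint (taken here to be the 3-level categorization) actually changed. The rules, role names and VLAN/ACL values are all made up for the example.

```python
from datetime import datetime

# Constructed role-mapping rules: (condition over the request, role granted).
ROLE_MAPPING = [
    (lambda r: "Finance" in r["ad_groups"], "FINANCE"),
    (lambda r: r["ad_department"] == "Executive", "EXEC"),
    (lambda r: r["profile"].get("category") == "SmartDevice", "BYOD"),
    (lambda r: r["profile"].get("os_family") == "Apple iOS", "IOS"),
    (lambda r: r["asset"].get("owner") == "corporate", "CORP_OWNED"),
    (lambda r: r["time"].weekday() >= 5, "WEEKEND"),
]

# Constructed enforcement table: the first entry whose required roles are all
# held wins, so the catch-all (empty role set) must stay last.
ENFORCEMENT = [
    ({"EXEC", "IOS"}, {"vlan": 10, "acl": "exec-full"}),
    ({"FINANCE", "CORP_OWNED"}, {"vlan": 20, "acl": "finance-full"}),
    ({"BYOD"}, {"vlan": 99, "acl": "internet-only"}),
    (set(), {"vlan": 100, "acl": "guest"}),
]

# The 3-level categorization is what this example treats as the "fingerprint".
FINGERPRINT_KEYS = ("category", "os_family", "device_name")

def derive_roles(req):
    """Evaluate All: every matching rule contributes its role (no first-match stop)."""
    return {role for cond, role in ROLE_MAPPING if cond(req)}

def enforce(roles):
    """Map the derived role set to what the NAS is told (VLAN/ACL)."""
    for required, action in ENFORCEMENT:
        if required <= roles:
            return action
    raise ValueError("ENFORCEMENT must end with a catch-all entry")

def layer3_profile(req, profile):
    """Profile data arrives after Layer 2 enforcement. Returns (enforcement, coa):
    a CoA (RFC 3576), i.e. another Layer 2 authentication, is only triggered
    when the device fingerprint actually changed."""
    old_fp = tuple(req["profile"].get(k) for k in FINGERPRINT_KEYS)
    new_fp = tuple(profile.get(k) for k in FINGERPRINT_KEYS)
    req["profile"] = dict(profile)
    return enforce(derive_roles(req)), new_fp != old_fp

def make_request(ad_groups, dept, owner=None, when=datetime(2013, 3, 15, 9, 0)):
    """Constructed request as seen at Layer 2, before any profile data exists."""
    return {"ad_groups": ad_groups, "ad_department": dept,
            "asset": {"owner": owner} if owner else {}, "profile": {}, "time": when}
```

Because the Layer 2 pass runs before any profile data exists, the executive's iPad first lands in the catch-all and only reaches its intended enforcement after the CoA, which is the deployment implication slide 9 points at.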
  • 27. Configuring Profile – Network Considerations
    • DHCP Relay
      – Where should I setup DHCP relays?
    • Captive Portal Configuration
      – Is there a knob for this?
    • Reading SNMP Data
      – CDP
      – LLDP
      – HR MIB
      – SysDescr MIB
  • 28. Use Cases
    • Policy – CEOs & iPads
    • Policy – “Headless” Devices
    • Visibility – Demystifying BYODs
  • 29. Use Cases – CEOs & iPads
    – Assign Roles
    – Enforce Access
  • 30. Use Cases – Headless Devices
    – Identify & Assign Roles To Headless Devices
  • 31. Use Cases – Visibility
  • 32. Clustering & Deployment
  • 33. Clustering & Deployment
    • Clustering Technology
      – What’s replicated? What’s not?
    • Deploying ClearPass Clusters
      – Considerations
    • Operations & Maintenance
      – What happens when a ClearPass node is down?
      – Events & Alerts
      – Rescue & Recovery
  • 34. Clustering Technology
    • What’s replicated?
      – All policy configuration elements
      – All Audit data
      – All identity store data
        • Guest Accounts, Endpoints, Profile data
      – Runtime Information
        • Authorization status, Posture status, Roles
        • Connectivity Information, NAS Details
      – Database replication on port 5432 over SSL
      – Runtime replication on port 443 over SSL
  • 35. Clustering Technology
    • What’s not replicated?
      – Log files
      – Authentication Records
      – Accounting Records
      – System Events
      – System Monitor Data
  • 36. Clustering – Considerations
    • How do they connect?
      – Requires IP connectivity (bi-directional)
        • Port 5432 (Database over SSL)
        • Port 80 (HTTP)
        • Port 443 (HTTPS)
        • Port 123 (NTP)
    • How much data should we expect to see crossing the wire?
      – Only elements in the configuration database
      – First sync is a full database copy
      – Subsequent sync – Delta changes propagated
  • 37. Clustering – Considerations (diagram: Hub & Spoke, one PUBLISHER with SUBSCRIBER 1 through SUBSCRIBER 6)
  • 38. Clustering – Considerations (diagram labels: CPPM – Publisher, DNS, DHCP, Identity Stores, Main Data Center, Mid-size Branch, Regional Office, DMZ, CPPM Subscriber VM, CP Guest, CP Onboard, CPPM Subscriber, CPPM Subscriber)
    • Central / Distributed Admin Domains
    • Redundancy/Load Balancing
    • Cluster wide licenses
  • 39. Operations & Maintenance
    • What happens when a node goes down?
      – Operations
        • If Deployed Right – Nothing
        • RADIUS Backup settings on the NAS
      – If the Publisher goes down
        • No Database Writes Allowed!!
        • Promote a Subscriber to a Publisher
        • Resume configuration updates
  • 40. Events & Alerts
    • How long before ClearPass figures out something’s wrong?
      – 24 hours before it automatically “drops” a node from the cluster
      – Cluster Synchronization Warnings
        • 1 event every hour x 24 hours = 24 events
      – CPU/Memory Usage Warnings – Every 2 Minutes
      – Server Certificate Warnings – Every 24 Hours
      – Service Alerts – Immediate
    • Email/SMS Alerts using Insight, Syslog & SNMP
  • 41. Operations & Maintenance
    • Rescue & Recovery
      – Establish cluster connectivity
        • Database sync will ensue. Watch for “Last Sync Time”
      – Restore certificates
        • Server Certificates are not installed as a part of the sync
      – Restore log entries (if necessary)
        • Caveat: High disk activity for an extended period of time
      – Verify fail-back on the NAS
        • NAS fail-back timers should kick in
  • 42. Q & A
  • 43. Thank You