Guests, contractors and employees are expected to connect wide variety of devices to your Wi-Fi, wired and VPN networks. Thankfully you can use Aruba ClearPass to define the right set of policies from a centralized system and extend them to many geographical locations. Join this session to discuss role based policies, device inventory management, mobile device onboarding, NAC for wired & wireless access and more To learn more, visit us at http://www.arubanetworks.com/wlan. Join the discussion at https://community.arubanetworks.com

1. Advanced ClearPass – Beyond AAA
Ashwath Murthy
March, 2014

2. CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
2 #AirheadsConf
Agenda
Single Sign-On and Auto Sign-On
ClearPass Exchange
HTTP Enforcement
MDM Integration
Post Authentication Engine
What’s new in ClearPass?

3. 3
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Single Sign-On and Auto Sign-On

4. 4
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Identity Access Evolution
Multiple Accounts
Multiple Logins
Multiple Identity Sources
Multiple Logins
Single Account
Multiple Logins
Single Identity Source
Multiple Logins
Single Account
Single Login
Single Identity Source
Single Login

5. 5
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Single Sign-On
• Single source of identity information
• Need to authenticate & authorize users
across applications
Security
• Provide the best user experience
• Highly mobile users
• Smaller screens, virtual keyboards
Usability
• On-Premise and Off-Premise
applications
• Move to the cloud
Mobility

6. 6
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Single Sign-On
• Security Assertion Markup Language (SAML)
– Key technology behind SSO
– ClearPass is compliant with SAML v2.0
• Key Roles within SAML
– Principal – Typically a user who requests a service
– Identity Provider (IdP) – Provides identity assertions by
authenticating the user
– Service Provider (SP) – Requests identity assertions from an
IdP
• OpenId (as SSO technology – out of scope)

7. 7
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
SAML – Workflow
Browser

8. 8
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass and SSO
• ClearPass as a Service Provider (SP)
– ClearPass’ captive portals can act as a Service Provider
– ClearPass will request identity assertions from an IdP
– ClearPass may need to register with the IdP
• ClearPass as an Identity Provider (IdP)
– ClearPass can act as an Identity Provider to supply identity
assertions
– Requesting applications (Service Providers) may need to
register with ClearPass

9. 9
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass as SP
• When and Why?
– A SAML IdP exists on the network
– Need for centralized authentication/authorization for web
applications
– Portal driven options for network access
– Portal driven options for device registration
– ClearPass examples with portals, use-cases such as
reporting, guest sponsors, device reg

10. 10
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass as IdP
• When and Why?
– Need for centralized authentication/authorization for web
applications
– Multiple internal applications are driven off a web interface
– ClearPass acts as an authentication/authorization engine for
network transactions and application SSO
– ClearPass can “chain” itself onto popular IDMs such as Ping
Federate and Okta

11. 11
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass – IdP
Works on multivendor LAN and WLAN
Redirect to
SSO Portal
Open
Application
Sign in, use
application
SSO enabled
for all apps

12. 12
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Auto Sign-On
• What is Auto Sign-On?
– Reuse L2 network authentication information for SSO
– Remove manual, repetitive application sign-on
– Provide seamless identity transition from network  application
• What do I need to enable this?
– ClearPass 6.3 as the L2 RADIUS server
– ClearPass 6.3 as a SAML IdP
– AOS 6.4 on Aruba Mobility Controllers

13. 13
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Auto Sign-On
Successful network authentication validates the user for
automatic access to SAML enabled web/work apps
1. 2. 3.

14. 14
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Auto Sign-On – Benefits
• No need to repeatedly key in application
passwords on all devices!
• Extend “TLS” derived credentials to applications!
• Automate application sign-on
• Reuse network credentials for SSO
• Centralize identity and access management across
L2 and L7
• UI Walkthrough

15. 15
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass Exchange

16. 16
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass Exchange
AUTOMATE SECURITY
Tickets, Notifications & Guest Login
ENABLE USERS
Enterprise, Guest, BYOD, Apps
Users & Devices
ClearPass
Exchange
(REST-based APIs)
Payment
Management
Internet
Security
Mobile Device
Management
SIEM

17. 17
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass Exchange
• Inbound APIs
• Syslog/SQL Access
• Outbound Messaging
• Post-Authentication Controls

18. 18
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass APIs – Inbound
• Inbound APIs for identity management
– Create/Register new users & devices
– Retrieve/Manage users & devices
– Update/Delete users & devices
• Inbound APIs for configuration management
– Create/Retrieve/Update/Delete new policy elements
– Includes Services, Authentication/Authorization
Sources, Role Mappings, Enforcement, etc.
• SQL Access to Insight & “Log” Databases
– Read-Only access for supplemental data processing

19. 19
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass APIs – Inbound
• Read
– https://<server>/tipsapi/config/read/<Entity>
• Write
– https://<server>/tipsapi/config/write/<Entity>
• Delete Confirm
– https://<server>/tipsapi/config/deleteConfirm/<Entity>
• Delete
– https://<server>/tipsapi/config/delete/<Entity>

20. 20
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass Exchange – MDM
Device
Policies
• Device restrictions
• Remote Lock & Wipe
• Install Application
• Black list Apps
• Firewall Policies
• Redirect to enroll
• Quarantine devices
• Bandwidth Prioritization
Network
Policies
Exchange endpoint
context & trigger
policies

21. 21
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
MDM Interaction – Inbound
Posture
Manufacturer: Apple
Model: iPad2
OS Version: iOS 6.1
UDID 1730235f564094186
Serial Number 79049XXXA4S
IMEI 012416009780168
Phone Number 408-534-2819
Carrier Verizon
MDM Id 130d0f992t34
Owner jhoward
Display Name John Howard
Ownership Employee Liable
Inventory
MDM Enabled Yes
Compromised Not Jailbroken
Encryption Enabled Yes
Blacklisted Apps No
Required Apps Yes
Last Check in 01/30/2012 9:03am

22. 22
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
MDM Interaction – Outbound
Trigger MDM Action Using Device Information
ClearPass
Endpoint data replicated
to ClearPass cluster
ClearPass requests
MDM Action
ClearPass
Device type & posture polled
for policy decisions &
reporting
MDM
Device Checks in
with MDM
Device connects
over WiFi

23. 23
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Outbound HTTP Messaging
• Can now combine both RADIUS and HTTP
– Enforce on the network with RADIUS
– Enforce via HTTP using RESTful API’s
• Reverse action back to MDM server
• Create a helpdesk ticket, post to a web application

24. 24
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Outbound HTTP Messaging
• Typically used for create actions
– Most often used with HTTP POST method
• Select the Content-Type
– Options includes HTTP, JSON, XML, PLAIN and CUSTOM
• Support parameterized values

25. 25
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Post Authentication Engine
• Policy Control AFTER Authentication?
– Bandwidth Control
– Session Control
– Action chaining
– 3rd Party Integration
• Use Cases
– Restrict “Guests” to 500MB per day
– Allow only ONE BYOD per employee
– Update identity and forensic data

26. 26
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Post Authentication Engine
• ClearPass can take “actions” after network
authentications
• Why?
– Asynchronous event processing
– Interrupt-free authentication flows
– Allows ClearPass to undertake high-latency transactions
• Types of actions
– Restrict Sessions – Set Bandwidth/Time quotas
– Update ClearPass Entities
– Integrate with 3rd party systems using HTTP
• HelpDesk and Communication systems
• MDM, Payment Gateways, …

27. 27
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Session Restrictions
• Bandwidth Limits
• Session Limits
• Session Duration
• PANW Updates
• Agent Disconnect

28. 28
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Bandwidth Limits
• Enforce limits on the amount of bandwidth that
the user can use
• Date / Time based checks
• Disconnect and blacklist the user on exceeding
the bandwidth

29. 29
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Session Limits
• Limit the number of simultaneous sessions for
the user
• Fix a scenario to work with Guest MAC Caching
flow
• Disconnect the user on exceeding the max
sessions

30. 30
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Session Duration
• Enforce limits on the amount of time the user is
allowed to access the network.
• Date / Time based checks
• Disconnect and blacklist the user on exceeding
the total session duration.
• Allow flexibility to reset the session duration by
specifying start/stop date/time.

31. 31
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Update Palo Alto Networks
Firewall
• Send userId and registration updates to Palo
Alto device
• Integration with NetWatch framework for faster
updates
• Ability to send full usernames in userId updates
[with domain prefix/suffix]
• HIP support
• Extended support for MAC Caching flow

32. 32
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Entity Updates
• Endpoint Updates
• Guest Updates [User + Devices]

33. 33
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Example – ServiceNow

34. 34
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Example – SendGrid

35. 35
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
What’s new in ClearPass?

36. 36
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass 6.3
Key Additions
• Single Sign On
– Streamline login to cloud/web applications
– Aruba Auto Sign On
• BYOD and Guest Features
– Improved integration with MDM vendors
– AirGroup time and group sharing
• NAC Enhancements
– Integration with Patch Management solutions
– Improved dissolvable agent workflows
• Platform Features
– Real time outbound HTTP enforcement
– FIPS 140-2, New performance monitoring framework

37. 37
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass 6.3
BYOD & MDM
– CPPM as the Certificate Authority for leading MDM
providers (via SCEP or EST)
– Trigger MDM actions from CPPM via HTTP enforcement
– Provision full iOS 7.0 feature set through Onboard

38. 38
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass 6.3
Profiling and Enforcement
• New Profile Options
– Profile DHCP via SPAN port
– Profile from Cisco network equipment (requires IOS 15SE1)
– Update Device Fingerprint
• New Enforcement Options
– Use Active Directory expiration date
– Custom outbound HTTP actions (JSON, XML, HTTP, PUT, GET)

39. 39
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass 6.3
Server Certificates
• Dual Certificates for Web Logins and 802.1x
– One for RADIUS/802.1X, One for HTTPS/SSL

40. 40
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass 6.3
BYOD Certificates

41. 41
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass 6.3
AirGroup
• Group Sharing
– Admin defines groups
– Users allowed to access/share
based on groups
– New or removed
groups/devices enforced
automatically
• Time Sharing
– Schedule every Tuesday at
4pm for 1 hour with Class A
– Only allow access when
schedule permits the group
attribute *requires AOS 6.4

42. 42
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass 6.3
OnGuard
• User Experience
– Localization framework for persistent agent
– Dissolvable agent on CP Guest, all new workflow
– Inline update of persistent agent
• New Health Classes
– Installed Applications (Windows, OSX)
– Patch Management Solutions (Windows/OSX)
• Enforcement
– Per-Application health checks
– Configurable health check period (persistent)
– Monitor mode support for health classes

43. 43
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass 6.3
Open in AirWave

44. 44
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass 6.3
Performance Monitoring

45. 45
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
ClearPass 6.3
Authentication Simulation

46. 46
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Summary

47. 47
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Summary
WORKFLOW POLICYVISIBILITY
Role-based
Enforcement
Health/Posture
Checks
Device Context
Device Profiling
Troubleshooting
Per Session
Tracking
Onboarding,
Registration
Guest
Management
MDM
Integration

48. 48
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Q&A

49. 49
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
Thank You
#AirheadsConf

50. 50