ClearPass Exchange allows customers to integrate ClearPass with third-party applications like firewalls, mobile device management (MDM) solutions, and SIEM reporting tools via APIs and syslog messages. This sharing of user and device context across different systems improves visibility and security. The API explorer makes it easy for developers to test out and understand ClearPass APIs to build their own integrations. Future plans include additional Exchange integrations and capabilities.
What is ClearPass Exchange?
It is a partner ecosystem based on APIs and syslog messaging that allows customers to share context between ClearPass, MDM/EMM, firewalls, Wi-Fi equipment, wired switches, VPN concentrators and other solutions (SIEM, PMS, trouble-ticket, etc.).
• Included in Base License
• Integrates with virtually any web-based application
• Allows customers to build their own integrations
• Recipes available on Airheads Community
• Built-in native integration (over 65 and counting)
• Build-your-own integrations utilizing HTTP RESTful APIs
18. 18#ATM16@ArubaNetworks |
Firewall Integration
– Today’s challenge is to allow traffic based upon contextual data such as username.
– Session Notification Enforcement is introduced in 6.5.0. Notification of a change in IP address can now be sent to any external context server (such as a firewall) by configuring that server as a generic HTTP server and adding the appropriate generic HTTP context server actions. The content of the payload to be posted by CPPM to the external server is based on the REST API defined by the external server for communication.
What ClearPass sees that it can send to the firewall
– When a user authenticates to the wireless or wired network using ClearPass, we gather information about the user.
• Username
• AD information
• Domain
• IP address and MAC
• Location
• Device Type
• Device OS
[Diagram: network topology with Internet, Existing Firewall, Next Gen Firewall, Internal Segment (including Staff, Student, Teacher, etc.), ClearPass, MS AD, Controller + AP, LAN Switch and User.]
Next Gen Firewall:
• V-wire inline mode
• Monitoring Internet segment
• Provides application visibility
• Threat Prevention, URL filtering and WildFire enabled
• User-ID feature
ClearPass:
• Standalone mode
• Integrated with Firewall
• Authenticates users (Students)
• 802.1X authentication for Wi-Fi
Event Network Diagram Flow
[Diagram: Internet, Next Gen Firewall, Internal Segment (including Staff, Student, Teacher, etc.), ClearPass, MS AD, Controller + AP, LAN Switch.]
If a device breaks one of the firewall rules, the firewall can signal ClearPass, which will signal back to the wired or wireless network to move the device to a quarantine network. It can also send a text to the user via Twilio and open a helpdesk ticket.
MDM Integration – Google
Admin Console – Create account on External Server
• Client ID and Client Secret
• Manufacturer, Model – Model, OS version, Serial Number
• Owner – Display Name
• Ownership – Corporate, Personal
• MDM Identifier – MDM Enabled
• Security Status – Compromised, Blacklist or Required App Encryption enabled, Last Check-in
ClearPass Splunk App – Customer Example
“I had to apply a new RADIUS cert, and for all of the corporate devices (Windows and mobile) we have ways to whitelist the RADIUS server certificate in advance, but personal iOS devices detected a cert change and wouldn’t connect until a user drills into their Wi-Fi settings and accepts the new cert. Before doing that it just aborts the authentication attempt as soon as it sees the RADIUS server cert doesn’t match what it has cached, which just shows as a timeout in ClearPass. The trend graph using Splunk gave a pretty cool visual of what happened when I made that change, and how it diminished as people figured out they weren’t connecting, drilled in, and accepted the cert. Blue arrow is when I made the change.”
Join Aruba’s Titans of Tomorrow force in the fight against network mayhem. Find out what your IT superpower is. Share your results with friends and receive a free superpower t-shirt.
www.arubatitans.com
Exchange is the process by which CPPM can get data from other applications as well as send data. More formally, it’s a partner ecosystem.
Notice that here we are using HTTPS to connect to Twilio to get data back. Unlike the previous PAN example where we use an API, here we simply make an HTTPS call.
Keep in mind that we are using HTTPS and not an inbuilt API.
From what we talked about in the previous slides, we got the guest’s phone number. So, we can take action only after the guest has entered their details.
Historically we've received a RADIUS request and responded to the NAD which sent it. We all get that; that's table stakes. But there is a finite set of enterprise devices which speak RADIUS. On the other hand, there's an infinite number of devices and cloud services which speak a RESTful HTTP API (think Internet of Things). I call that HTTP-based Enforcement. CPPM now supports HTTP-based enforcement in a flexible framework.
It's not just RADIUS requests anymore. ClearPass can now receive a syslog message and process it, just like a RADIUS or TACACS request.
Session Notification Enforcement is introduced in 6.5.0. Notification of a change in IP address can now be sent to any external context server (such as a firewall) by configuring that server as a generic HTTP server and adding the appropriate generic HTTP context server actions. The content of the payload to be posted by CPPM to the external server is based on the REST API defined by the external server for communication.
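As an added illustration of the syslog path just described (example code written for this page, not ClearPass's own syslog ingestor), the following Python parses a constructed firewall syslog alert, matches its source IP against a constructed session table of the kind ClearPass keeps from RADIUS accounting, and produces the quarantine decision the event-flow slide describes. The log layout, the field names, the trusted-sender list and the session table are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: an RFC 3164-style line of the kind a next-generation
# firewall might emit for a blocked threat (layout and field names are
# assumptions for this example, not a real vendor format).
SAMPLE_SYSLOG = ("<134>May  3 10:12:07 ngfw01 THREAT: src=10.20.30.41 user=jdoe "
                 "action=block category=malware severity=high")

# Constructed session table, the kind ClearPass keeps from RADIUS accounting:
# IP -> who is on it, which MAC, and which NAD would receive the quarantine.
SESSIONS = {
    "10.20.30.41": {"username": "jdoe", "mac": "00:11:22:33:44:55", "nad": "controller-1"},
    "10.20.30.77": {"username": "asmith", "mac": "66:77:88:99:aa:bb", "nad": "switch-3"},
}

# Firewalls allowed to trigger enforcement. Syslog over UDP is unauthenticated,
# so in production this check belongs on the datagram's source address (or on
# a TLS syslog peer), not on the hostname written inside the message.
TRUSTED_SENDERS = {"ngfw01"}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")


@dataclass
class FirewallEvent:
    facility: int
    severity: int
    host: str
    tag: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_syslog(line: str) -> Optional[FirewallEvent]:
    """Split PRI, header and key=value message; None if the line is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    kv = dict(tok.split("=", 1) for tok in m.group("msg").split() if "=" in tok)
    return FirewallEvent(pri // 8, pri % 8, m.group("host"), m.group("tag"), kv)


def decide_enforcement(event: Optional[FirewallEvent],
                       sessions: Dict[str, dict]) -> Optional[dict]:
    """Map a parsed firewall event to the action ClearPass would take, or None."""
    if event is None or event.tag != "THREAT":
        return None
    if event.host not in TRUSTED_SENDERS:
        return {"action": "ignore", "reason": "untrusted sender %s" % event.host}
    if (event.fields.get("action") != "block"
            or event.fields.get("severity") not in ("high", "critical")):
        return None  # informational hits do not knock a user off the network
    src = event.fields.get("src", "")
    session = sessions.get(src)
    if session is None:
        return {"action": "ignore", "reason": "no active session for %s" % src}
    return {"action": "quarantine", "ip": src, "mac": session["mac"],
            "username": session["username"], "nad": session["nad"],
            "notify_sms": True, "open_ticket": True}


if __name__ == "__main__":
    print(decide_enforcement(parse_syslog(SAMPLE_SYSLOG), SESSIONS))
```

The decision carries the MAC and the NAD because a quarantine is pushed to the switch or controller as a change of authorization for that session, not to the IP address the firewall saw; keying the lookup on an IP that has since been reassigned is the classic way this integration quarantines the wrong device, which is exactly why the IP-change notification described on the next slide matters.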
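Added example (not part of the presentation, and not ClearPass or any firewall vendor's code): the two halves of such a generic HTTP context server exchange in Python. `build_notification` shows the shape of what CPPM would post under an assumed JSON schema with a constructed bearer token; `process_notification` is the external server's side, which authenticates the post, validates the fields and updates its IP-to-user table, dropping the stale address when an IP change arrives. The event names, field names and token are assumptions for the example.

```python
import hmac
import ipaddress
import json
import re
from typing import Dict, Tuple

# Constructed shared secret: what the generic HTTP context server is configured
# to expect in the Authorization header of every post from CPPM (placeholder).
EXPECTED_TOKEN = "placeholder-shared-token"

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
EVENTS = {"session_start", "ip_change", "session_stop"}  # assumed event names


def build_notification(session: dict, token: str,
                       event: str = "ip_change") -> Tuple[Dict[str, str], str]:
    """CPPM side: headers plus a JSON body in the shape the external server's
    REST API defines (the field names here are assumptions)."""
    body = {"event": event, "username": session["username"], "mac": session["mac"],
            "ip": session["ip"], "role": session.get("role", "")}
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    return headers, json.dumps(body)


def process_notification(headers: Dict[str, str], body: str,
                         table: Dict[str, dict]) -> Tuple[int, str]:
    """External-server side: authenticate, validate, then update the IP->user
    table. Returns (http_status, message) for a web handler to pass through."""
    auth = headers.get("Authorization", "")
    if (not auth.startswith("Bearer ")
            or not hmac.compare_digest(auth[len("Bearer "):], EXPECTED_TOKEN)):
        return 401, "unauthorized"  # never touch the mapping on an unauthenticated post
    if headers.get("Content-Type", "").split(";")[0].strip() != "application/json":
        return 415, "expected application/json"
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return 400, "malformed json"
    if not isinstance(payload, dict):
        return 400, "expected a json object"
    missing = {"event", "username", "mac", "ip"} - set(payload)
    if missing:
        return 422, "missing fields: " + ", ".join(sorted(missing))
    if payload["event"] not in EVENTS:
        return 422, "unknown event"
    mac = str(payload["mac"]).lower()
    if not MAC_RE.match(mac):
        return 422, "bad mac"
    try:
        ip = str(ipaddress.ip_address(payload["ip"]))
    except ValueError:
        return 422, "bad ip"
    # The old address no longer belongs to this device after an IP change or a
    # session stop: drop any entry for the same MAC before recording the new one.
    for old_ip in [k for k, v in table.items() if v["mac"] == mac]:
        del table[old_ip]
    if payload["event"] != "session_stop":
        table[ip] = {"username": payload["username"], "mac": mac,
                     "role": payload.get("role", "")}
    return 200, "ok"
```

Whatever web framework fronts this, the two properties worth keeping are that the mapping only changes after the bearer token has been checked with a constant-time comparison, and that a post carrying the same MAC replaces rather than adds to the table, so the firewall's user-to-IP view never keeps two addresses for one device.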
Here you can see that we have different grant types and profiles. These profiles have different levels of permissions.
Here you can see that the “QuickAccess API Rights” profile has read-write access to all the Guest services and read-only for viewing passwords. An important item to note here is that this profile also has API access.
Similarly, the “API tester” only has read access across different services.
Recall that we set up the Client IDs with the appropriate profiles. We now have to obtain a token with which we can access the API.
Here we are providing a wildcard filter and the response will be in JSON format. Notice that we are limiting the results to 25 here.
Remember to zoom in with “+”
Recall that we show you what the response codes actually mean.
We use “curl” with the appropriate header carrying the authorization token.
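To show the whole token-then-query exchange end to end without a ClearPass server, here is an added Python example (written for this page, not Aruba's API explorer or product code) in which a local stand-in for the ClearPass API issues a client-credentials token and serves a filtered, limited guest list to a client that sends the token in the Authorization header. The paths /api/oauth and /api/guest, the JSON filter syntax and the `_embedded.items` response envelope are modelled on the product but are assumptions here; the client ID, secret and guest records are constructed.

```python
import json
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed API client credentials (placeholders); a real secret lives in a
# vault or the operator's password store, never in source.
CLIENT_ID = "api-tester"
CLIENT_SECRET = "placeholder-client-secret"

# Constructed guest accounts served by the stand-in API.
GUESTS = [{"id": i, "username": "guest%02d@example.com" % i} for i in range(1, 41)]

OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # keep loopback calls local


class MockClearPass(BaseHTTPRequestHandler):
    """Stand-in for the ClearPass REST API (assumed paths/formats)."""
    tokens = set()  # tokens issued during this run

    def log_message(self, *args):  # keep the server quiet
        pass

    def _send(self, code, obj):
        data = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):  # POST /api/oauth: client-credentials grant -> bearer token
        if self.path != "/api/oauth":
            return self._send(404, {"detail": "not found"})
        req = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if (req.get("grant_type") != "client_credentials" or req.get("client_id") != CLIENT_ID
                or not secrets.compare_digest(str(req.get("client_secret", "")), CLIENT_SECRET)):
            return self._send(401, {"detail": "invalid_client"})
        token = secrets.token_urlsafe(24)
        MockClearPass.tokens.add(token)
        self._send(200, {"access_token": token, "token_type": "Bearer", "expires_in": 28800})

    def do_GET(self):  # GET /api/guest?filter=<json>&limit=<n>, bearer token required
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or auth[7:] not in MockClearPass.tokens:
            return self._send(401, {"detail": "invalid_token"})
        url = urllib.parse.urlparse(self.path)
        if url.path != "/api/guest":
            return self._send(404, {"detail": "not found"})
        query = urllib.parse.parse_qs(url.query)
        limit = int(query.get("limit", ["25"])[0])
        flt = json.loads(query.get("filter", ["{}"])[0])
        rows = GUESTS
        if isinstance(flt.get("username"), dict) and "$contains" in flt["username"]:
            rows = [g for g in rows if flt["username"]["$contains"] in g["username"]]
        self._send(200, {"_embedded": {"items": rows[:limit]}})


def get_token(base, client_id, client_secret):
    """Trade the API client's ID and secret for a bearer token."""
    body = json.dumps({"grant_type": "client_credentials", "client_id": client_id,
                       "client_secret": client_secret}).encode()
    req = urllib.request.Request(base + "/api/oauth", data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with OPENER.open(req) as resp:
        return json.load(resp)["access_token"]


def list_guests(base, token, contains, limit=25):
    """Query guests with a JSON filter and a limit; the token rides in the Authorization header."""
    params = urllib.parse.urlencode(
        {"filter": json.dumps({"username": {"$contains": contains}}), "limit": limit})
    req = urllib.request.Request(base + "/api/guest?" + params,
                                 headers={"Authorization": "Bearer " + token,
                                          "Accept": "application/json"})
    with OPENER.open(req) as resp:
        return json.load(resp)["_embedded"]["items"]


def run_demo():
    """Start the stand-in API, try a wrong secret, then a real token and two queries."""
    server = HTTPServer(("127.0.0.1", 0), MockClearPass)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        try:
            get_token(base, CLIENT_ID, "wrong-secret")
            bad_secret_status = 200
        except urllib.error.HTTPError as err:
            bad_secret_status = err.code  # the stand-in answers 401 invalid_client
        token = get_token(base, CLIENT_ID, CLIENT_SECRET)
        return {"bad_secret_status": bad_secret_status,
                "first_page": list_guests(base, token, "guest", limit=25),
                "filtered": list_guests(base, token, "guest3")}
    finally:
        server.shutdown()
```

The two requests `list_guests` sends are the same ones the slides show being typed into curl: one POST for the token, then a GET with the `Authorization: Bearer` header, a JSON filter and `limit=25`. Pair the token with a profile that has only the rights the integration needs (the read-only “API tester” profile from the slides for anything that merely reports), and treat the access token like the client secret, since anyone holding it has that profile's rights until it expires.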
Syslog ingestor
Additional APIs
Contest Overview
- Aruba is running a marketing campaign where we ask “What is your IT superpower?”
- Go to arubatitans.com to take a quick quiz to discover your superpower.
- Share your results with friends and encourage others to play the game
- Once you share, go to the Social and Community Hub, Gracia Commons, 3rd fl to pick up your free superpower shirt.
FAQ
1. What do I have to do to get a shirt?
Share your IT superpower results with friends and encourage them to play the game. Then come to the Social & Community Hub, 3rd Floor Gracia Commons to pick up your shirt. We just need your name and badge for verification.
2. Where do I get my shirt?
Come to the #ATM16 Social & Community hub located at Gracia Commons on the 3rd Floor
3. Do I have to be at the event to get the shirt?
Yes. You have to be at #ATM16 to get a shirt.
4. Can I get my colleague a shirt? He/she is in a session right now.
Unfortunately not. We encourage your colleague to participate so that they can win a shirt for themselves.
5. Can I bring a shirt home for my colleague?
Unfortunately not. You have to be at #ATM16 to get a shirt.
6. You don’t have a shirt in my size, can you ship the right size to me later?
Unfortunately not. Please select the best size from our inventory on site.