Access Management with Aruba ClearPass

CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc. All rights
reserved
Access Management with Aruba ClearPass
Seth Fiermonti
June 2014

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Agenda
• Introductions & Expectations
• What is ClearPass
• ClearPass – Policy Model
• Authorization – What and Why
• Profile – How does it work
• Clustering & Deployment
• Q & A

Evolving IT Landscape
USER CENTRIC, SELF SERVICEIT CENTRIC
Windows
Fixed
Environment
Wired
Network
IT Managed
Slow
Refresh
Multiple Platforms
Work from
anywhere
Wired, Wi-Fi,
Cellular
Selection of
devices & apps
User Timeframes

The ClearPass Solution
Comprehensive Solutions Architecture
WORKFLOW POLICYVISIBILITY
Role-based
Enforcement
Health/Posture
Checks
Device and App
Device Profiling
Troubleshooting
Per Session
Tracking
Onboarding,
Registration
Guest
Management
MDM
Integration

The ClearPass Access Security Platform
CONFIDENTIAL
© Copyright 2013. Aruba Networks, Inc.
All rights reserved
6 @arubanetworks
Policy Services
Identity
Stores
3rd Party
MDM
App
Servers
DIFFERENTIATED
ACCESS
UNIFIED
POLICIES
DEVICE
VISIBILITY
GUEST EMPLOYEE
POLICY SERVICES
ENTERPRISE-CLASS AAA
RADIUS, TACACS+
VPN
OnGuard
Posture &
Health Checks
Onboard
Device
Provisioning
Guest
Visitor Management
Multivendor
Networks
ClearPass Policy Manager
AAA Services ONE IDPolicy Engine

Context-Based Access Control
• Differentiated Access
– Role, device type, access method
• Policy-based AAA Services
– Support for 802.1X, MAC, Web (HTTPS) authentication
– Communicate to network devices via RADIUS, RADIUS CoA,
TACACS+, SNMP
– Ability to read from multiple identity stores (AD, LDAP, SQL,
Kerberos, Token Server, Etc.)
– Enforcement Options – Allow/Deny, VLAN, ACL, dACL, url
redirects, SNMP
• Contextual Policy Elements
– Time, location, group, OS version, project
VPN

Platform Features – Out of the box
Multivendor DNA
• Wired, WLAN, VPN
Core Authentication
• AAA, LDAP, AD, Kerberos, Token, SQL, MAC,
802.1x, TACACS+, HTTPS, SSO (SAML, Okta)
Integrated Profiling
• Device profiling across wired & wireless
• Use directly in authorization policy

ClearPass Core Services
MDM Integration
• Leverage information gained
from MDM vendors for profile &
to influence policy
TACACS+ Server
• Replace legacy ACS solutions
Context Aware Authorization
• Device type, User, Time, Location, Posture
• Layer multiple conditions for policy derivation

Platform Features – Out of the box
Scale with Clustering
• Supports 1 million endpoints per cluster
• Centralized or distributed architecture
Flexible Licensing
• Perpetual licenses
• Subscription licenses
• 25 free endpoint Enterprise license included
Physical or Virtual Appliances
• Sized for variety of customer needs
• Virtual Appliance relies upon VMWare

What’s in ClearPass 6.3
INTEGRATIONINTEROPERABILITY
Auto Sign-On for Apps
• Simple Network authentication for App login
• Opens doors for mobile device SSO opportunities
Guest Advertising Included
• Customizable for gender, season, location
• Larger story in retail, healthcare, entertainment
Enhanced Certificate Distribution
• 3rd Party MDM solutions can now use Onboard CA
• You are the alternative for internal PKI integration

INTEGRATIONINTEROPERABILITY
Remote Support
• Setup secure TAC session with a simple click
• Customer support because you asked for it
SPAN Port Profiling
• Any device addressed via DHCP gets profiled
• You get the big picture faster, from one port
Exchange
• Built-in tools for integration of third-party systems
• Data exchange with MDM, helpdesk, SIEM apps
made easy
What’s in ClearPass 6.3

ClearPass Auto Sign-On
Only Aruba lets you sign-in once & you’re good to go
• One login for all web/mobile apps
– Uses valid network login
• NO App logins
• IBM, Okta, Ping
• ClearPass as Provider (IdP)
– Uses SAML, not RADIUS

ClearPass Exchange
Two-way Third-Party Integration
Syslog Messages / RESTful APIs
Jail-broken
device
detected
Helpdesk
ticket auto
generated
Message to
device auto
generated
1.
2.3.
ClearPass
denies access
to device

ClearPass Policy Model
• What constitutes the policy model?
• How does it work?
• What are the interactions between various
components?
• How does the policy model affect configuration
& deployment?

ClearPass Policy Model
Policy
Identity
Health
Device
Conditions
• Role
• Department
• Group
• AV, AS, FW
• Registry Keys
• Services…
• Device type,
status, health
• Address, O/S
• Corp. Owned
• Time
• Location
• Day of Week

What’s the flow?
Authenticate
• Valid Authentication
Authorize
• Find Out What’s Allowed
Associate
Context
• Device, Time, Location, Posture
Enforce on
NAS
• Roles, ACLs, VLANs

What Are The Interactions?
RADIUS Server – Authenticate
Policy Server – Authorize
Policy Server – Associate Context
Policy Server – Decision Tree
RADIUS Server – Enforce

ClearPass Policy Enforcement
ClearPass
Use external context to
define granular policies
• User / role • Device fingerprint
• OS version
• Health checks
• Jailbreak status
• Location
• Trusted or
untrusted
network
• Time
• Date
• Wired, Wi-Fi, VPN
enforcement

Service Flow – 802.1X
Layer 2
RADIUS
Request
Layer 2
Authentication
Layer 2
Authorization
Layer 2
Role
Derivation
Layer 2
RADIUS
Enforcement
Layer 3
Profile
Layer 2
NAP
Layer 3
OnGuard

Service Flow – Implications
• Layer 2 Authentications are completed first
– Full Authorization
– Role Derivation
– NAP (if enabled)
– Layer 2 Enforcement
• Layer 3 : Profile next
– DHCP Request, DHCP Offer
– RFC 3576 – Change of Authorization
• Another Layer 2 authentication!
– No RFC 3576 message if “fingerprint” does not change
• Layer 3 : Collect Posture last (OnGuard)
– Posture over HTTPS
– RFC 3576 based on policy
– Another Layer 2 authentication!

Authorization – What and Why

Authorization – What and Why?
• Authentication vs. Authorization
• Authorization & ClearPass
• Use Cases

Authorization & ClearPass
• “Authorization” Sources in ClearPass
– Where do I find them?
– How do I use them?
– How often does ClearPass talk to an authorization source?
– What happens in case something goes wrong?

Authorization Sources – Where?
• An “Authentication Source” is an “Authorization
Source”
– RADIUS Server vs. Policy Server

Authorization Sources – How?
Authentication Sources
are automatic
Authorization Sources
Additional Authorization
Sources enabled
per Service
No Authorization unless
used in Roles!

Authorization Sources – How?
Authorize with
Active Directory
Authorize with
Profile Data
Rule Algorithm :
Evaluate All

Authorization – How?
• Ok, great. But will ClearPass flood my AD with
authorization requests?
– Authorization data is cached per user
– New request made to fetch data once the cache expires
– Cache timers can be tuned
Cache Timeout
Default: 10 hours

Authorization – How?
• Got it
• But I just made a bunch of changes on my AD.
Should I need to wait 10 hours?
– Tune the cache timers
– “Clear Cache” button on the Authentication Source
– Wipes out cache for all users
– “Save” button on the Authentication Source
• Wipes out cache for all users
– Restart Policy Server
• BAD IDEA!!!

Authorization – Uh-Oh!
• If an Authentication/Authorization Source is not
reachable
– Configure Backup Servers
– Configure Fail-Over Timeout
Fail-Over Timeout
Backup Servers

Use Cases – Mergers & Acquisitions
Active Directory
Domain –
avendasys.com
Active Directory
Domain –
arubanetworks.com

Authentication &
Authorization
Sources for TLS
Certificate Details
used for
Authorization
Enable Authorization –
Source specified in the
Service
Compare Certificate –
Source specified in the
Service
Use Cases – Certificates & TLS

Use Cases – Asset Databases
• LDAP/SQL Interface to Asset Databases
– Key : MAC Address
– Authorization Attributes
• Ownership – Corporate vs. Personal
• Compliance Status – In/Out of compliance
– Identify corporate-owned non-Windows devices

Profile – How does it work?
• Profile & Network Data
• Automatic Profile “upgrades”
• Using Profile data in policy
• Configuring Profile
– DHCP? HTTP? SNMP?
• Use Cases

Profile & Network Data
What does ClearPass use to profile?
– MAC OUIs
– DHCP Request, DHCP Offer
– HTTP User-Agent
– MDM Fingerprints
– Device Interrogation
– SNMP/CDP/LLDP Data

Fingerprint Updates
• Subscribe to Fingerprint Updates
– Automatic reclassification
– Updated frequently
• Tell Aruba!
– Create policy exceptions
– Grab fingerprints from UI
– Send fingerprints to Aruba
– Crowd-sourced, community oriented

Using Profile data in policy
• Automatic 3-level categorization
– Device Category, OS Family, Device Name
• Using raw profile data
– DHCP Data, HTTP User-Agent, SNMP Data
• Role Mapping
– What should I use?
• Enforcement
– How do I enforce?
– What are the benefits?

Configuring Profile – Network Considerations
• DHCP Relay
– Where should I setup DHCP relays?
• Captive Portal Configuration
– Is there a knob for this?
• Reading SNMP Data
– CDP
– LLDP
– HR MIB
– SysDescr MIB

Use Cases
• Policy – CEOs & iPads
• Policy – “Headless” Devices
• Visibility – Demystifying BYODs

Use Cases – CEOs & iPads
Assign Roles
Enforce Access

Use Cases – Headless Devices
Identify & Assign
Roles To Headless
Devices

Use Cases – Visibility

Clustering & Deployment
• Clustering Technology
– What’s replicated? What’s not?
• Deploying ClearPass Clusters
– Considerations
• Operations & Maintenance
– What happens when a ClearPass node is down?
– Events & Alerts
– Rescue & Recovery

Clustering Technology
• What’s replicated?
– All policy configuration elements
– All Audit data
– All identity store data
• Guest Accounts, Endpoints, Profile data
– Runtime Information
• Authorization status, Posture status, Roles
• Connectivity Information, NAS Details
– Database replication on port# 5432 over SSL
– Runtime replication on port# 443 over SSL

Clustering Technology
• What’s not replicated?
– Log files
– Authentication Records
– Accounting Records
– System Events
– System Monitor Data

Clustering – Considerations
• How do they connect?
– Requires IP connectivity (bi-directional)
• Port # 5432 (Database over SSL)
• Port# 80 (HTTP)
• Port #443 (HTTPS)
• Port #123 (NTP)
• How much data should we expect to see
crossing the wire?
– Only elements in the configuration database
– First sync is a full database copy
– Subsequent sync – Delta changes propagated

Hub & Spoke PUBLISHER
SUBSCRIBER
1
SUBSCRIBER
2
SUBSCRIBER
3
SUBSCRIBER
4
SUBSCRIBER
5
SUBSCRIBER
6

• Central / Distributed Admin Domains
• Redundancy/Load Balancing
• Cluster wide licenses
CPPM – Publisher
DNS
DHCP
Identity
Stores
Main Data Center
Mid-size Branch
Regional Office
DMZ
CPPM
Subscriber
VM
CP Guest
CP Onboard
CPPM
Subscriber
CPPM
Subscriber

Operations & Maintenance
• What happens when a node goes down?
– Operations
• If Deployed Right – Nothing
• RADIUS Backup settings on the NAS
– If the Publisher goes down
• No Database Writes Allowed!!
• Promote a Subscriber to a Publisher
• Resume configuration updates

Events & Alerts
• How long before ClearPass figures out
something’s wrong?
– 24 hours before it automatically “drops” a node from the
cluster
– Cluster Synchronization Warnings
• 1 event every hour x 24 hours = 24 events
– CPU/Memory Usage Warnings Every 2 Minutes
– Server Certificate Warnings Every 24 Hours
– Service Alerts Immediate
• Email/SMS Alerts using Insight, Syslog & SNMP

Operations & Maintenance
• Rescue & Recovery
– Establish cluster connectivity
• Database sync will ensue. Watch for “Last Sync Time”
– Restore certificates
• Server Certificates are not installed as a part of the sync
– Restore log entries (If necessary)
• Caveat : High disk activity for an extended period of time
– Verify fail-back on the NAS
• NAS fail-back timers should kick in

Access Management with Aruba ClearPass

More Related Content

What's hot

Viewers also liked

Similar to Access Management with Aruba ClearPass

More from Aruba, a Hewlett Packard Enterprise company

Recently uploaded

Access Management with Aruba ClearPass

Editor's Notes