Aruba, a Hewlett Packard Enterprise company, profile picture
Uploaded byAruba, a Hewlett Packard Enterprise company
PPTX, PDF11,304 views

ClearPass design scenarios that solve the toughest security policy requirements

This document discusses ClearPass design scenarios for improving the user experience while maintaining security. It addresses allowing employees on the guest network, identifying corporate devices, and supporting "headless" wired and wireless devices that do not support 802.1x authentication. The document recommends using ClearPass policies to communicate with users, provide self-service options, dynamically update other systems, and proactively identify and resolve problems to balance usability and security. It also suggests profiling and registering devices to authorize network access for devices that cannot use 802.1x authentication.

Embed presentation

Downloaded 788 times
#ATM15 | ClearPass Design Scenarios Austin Hawthorne Feb 26, 2015
CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved2#ATM15 | Agenda 1. Better user experience and tighter security, is that possible? 2. Employees on Guest Network 3. The headless device dilemma
3#ATM15 | Security and Usability Cohabitation
4 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Better user experience and tighter security, is that possible? Solutions: 1. Status updates and notifications 2. Provide self-service workflows 3. Dynamically Update other network security systems 4. Implement proactive problem identification and resolution
5 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | The User Problem…. How do I get my device my on the network? What is a MAC Address? Why is the network not working?
6 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Common Security Concerns  Who does this device belong to?  Does this device meet minimum corporate compliance standards?  Can I really support this technology?
7 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | 1. Communicate with your users  Don’t just REJECT a connection if something goes wrong!  Sure that’s secure, but what does the user think?  Let a user know what went wrong:  SMS  Web Notification Page (Walled Garden)  Push Notification  Phone Call  OnGuard Message  Email • Most can be done even if you still send a REJECT
8 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | 2. Provide Self Service Workflows  BYOD Provisioning and Management (Onboard)  802.1x Supplicant Configuration (QuickConnect)  Device Registration and Management  Guest Self Registration and Management  AirGroup Registration and Management  Posture Check (OnGuard DA)  Posture Remediation (OnGuard PA)
9 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | 3. Dynamically Prepare the Rest of the Network  Getting past the front door is one thing….  How many more “identity” controlled doors do you have?  DHCP/DNS Controls?  Firewalls?  IDS/IPS?  Proxies?  Application Logins (SSO)?
10 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Example Update WLAN AD/LDAP Update Firewall EMM/MDM Adaptive Trust Identity Update Web Proxy / Filter Logon to Applications (SSO) Update EMM/MDM Who: Bob Group: Faculty Device: Personal iPad Location: Room 104 Time: 9am, Monday Compliance: Healthy Mac Address: X IP Address: Y Airgroup Permissions
11 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | 4. Proactive Problem Identification and Resolution  Use ClearPass to notify/alert helpdesk systems  The right teams with the right information  As soon as a problem happens  Not just Syslog/SNMP  Email  HelpDesk Ticketing Systems  SMS/Voice
12 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Example Radius Action to force notification page Send user SMS notification Update Palo Alto Firewall Open Help Desk Ticket Sound the alarm!Send Email to security team
13#ATM15 | Employees on Guest Network
14 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Why is it a bad idea? 1. Users/Devices are exposed to cyber-attacks 2. SSID Confusion 3. User circumvent web policy at work Protect your users and devices
15 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Get visibility and control on your Guest SSID Wireless Controller ADSQL Store ClearPass MDM RADIUS LDAP SQL 1 2 3 User 4AP SSID: Guest MAC Authentication MAC | 11:22:33:44:55:66
16 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | How can we identify corporate devices? ClearPass Policy Manager DATA CENTER Network Infrastructure WIRELESS WIRED VPN REMOTE OFFICE OUTDOOR ADORACLECMDBEndpoint Database MDM JAMF Authorization Sources
18 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | CP Exchange – Integration with MDM
20 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | CP Exchange – Integration with CMDB SELECT MAC_ADDR as cmdb_mac where MAC_ADDR = ‘%{Connection:Client-Mac-Address-Hyphen}’
23 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Endpoint Attribute Tagging ClearPass AD/LDAP Device Authentication SSID: Secure WPA2-AES [MACHINE AUTHENTICATED] Certificate:Issuer-CN Update Endpoint Ownership: Corporate MAC | 11:22:33:44:55:66 Authorization
24 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Update Endpoint Enforcement
25 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Let’s build a Role Mapping Policy (Tagging)
26 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Policy Enforcement Options Auto-generate Helpdesk Ticket Notify user: SMS & voice call to phone IT administrator: Email alert Redirect to Captive Portal ENFORCEMENT WORKFLOWS Employee connects to Guest SSID CLEARPASS IDENTIFIES Corp-Device Role ClearPass SSID: Guest MAC Authentication
27 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Let’s build an Enforcement Policy (Actions)
28 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Corporate Device Warning Page
29 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Enforcement Profile– SMS with twilio
31 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Enforcement Profile – Helpdesk Ticket {"short_description":”Corporate Device Event","priority":"3","description":"The following Corporate device has attempted to connect to the Guest WiFi network:nMac Address: %{Connection:Client-Mac-Address}nEnrolled User: %{Authentication:Full-Username}nDevice Serial: %{Endpoint:Serial Number}nMobile: %{Endpoint:Model}nOS Version: %{Endpoint:OS Version}nLocation: %{Radius:Aruba:Aruba- Location- Id}","u_category":"%{u_category}","u_subcategory ":"%{u_subcategory}","assigned_to":"mobileadmin" }
3232#ATM15 | Headless Devices on Wired/Wireless
33 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Is 802.1X the only option? 1. Many wired/wireless devices do not support 802.1x authentication 2. How do we make sure only the desired devices get access? 3. What about MAC Spoofing?
34 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Supporting “Headless” Devices  For devices that do not support 802.1X:  Wireless: Need a PSK SSID with MAC Authentication  Wired: Need to use MAB on the port  Two mechanisms for authentication: 1. Device Profiler 2. Device Registration
35 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | 1. Endpoint Profiler • Authorize devices like IP Phones, Hand Scanners, Printers, or Access Points. Protect your users and devices
36 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Profiling “Unknowns”  Recommended Best Practice:  Allow DHCP, SNMP, and maybe redirects HTTP to CPPM  Once profiled, re-authenticate against new information
37 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Example Profiling Policy • Create an enforcement profile and policy rule to send the dACL (in the case of, say, a Cisco LAN switch) Protect your users and devices
38 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Pulling it all together
39 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | 2. Device Registration • The default device registration page looks like this: Protect your users and devices
40 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | MAC Spoofing What if someone spoofs their device MAC address?
41 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | ClearPass can detect device conflicts
THANK YOU 42#ATM15 |
43 CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Sign up, save $200! arubanetworks.com/atmosphere2016 Give feedback! … Before You Go atmosphere 2016

More Related Content

PPTX
Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
PDF
Aruba Networks - Overview ClearPass
byPaulo Eduardo Sibalde
 
PPTX
Airheads Tech Talks: Understanding ClearPass OnGuard Agents
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Advanced Aruba ClearPass Workshop
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads How licensing works in Aruba OS 8.x
byAruba, a Hewlett Packard Enterprise company
 
PDF
Apple Captive Network Assistant Bypass with ClearPass Guest
byAruba, a Hewlett Packard Enterprise company
 
PDF
Aruba clearpass ebook_chpt1_final
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Advanced ClearPass Workshop
byAruba, a Hewlett Packard Enterprise company
 
Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
Aruba Networks - Overview ClearPass
byPaulo Eduardo Sibalde
 
Airheads Tech Talks: Understanding ClearPass OnGuard Agents
byAruba, a Hewlett Packard Enterprise company
 
Advanced Aruba ClearPass Workshop
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads How licensing works in Aruba OS 8.x
byAruba, a Hewlett Packard Enterprise company
 
Apple Captive Network Assistant Bypass with ClearPass Guest
byAruba, a Hewlett Packard Enterprise company
 
Aruba clearpass ebook_chpt1_final
byAruba, a Hewlett Packard Enterprise company
 
Advanced ClearPass Workshop
byAruba, a Hewlett Packard Enterprise company
 

What's hot

PPTX
Getting the most out of the aruba policy enforcement firewall
byAruba, a Hewlett Packard Enterprise company
 
PDF
Useful cli commands v1
byAruba, a Hewlett Packard Enterprise company
 
PDF
Optimizing Aruba WLANs for Roaming Devices
byAruba, a Hewlett Packard Enterprise company
 
PDF
BYOD with ClearPass
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
byAruba, a Hewlett Packard Enterprise company
 
PDF
Aruba ClearPass Guest 6.3 User Guide
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Real-world 802.1X Deployment Challenges
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Roaming behavior and Client Troubleshooting
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Adapting to evolving user, security, and business needs with aruba clear pass
byAruba, a Hewlett Packard Enterprise company
 
PDF
Managing and Optimizing RF Spectrum for Aruba WLANs
byAruba, a Hewlett Packard Enterprise company
 
PDF
EMEA Airheads- ArubaOS - Understanding Control-Plane-Security
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Airheads Tech Talks: Advanced Clustering in AOS 8.x
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- ArubaOS - Cluster Manager
byAruba, a Hewlett Packard Enterprise company
 
PDF
Guest Access with ArubaOS
byAruba, a Hewlett Packard Enterprise company
 
PPT
Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Advanced Access Management with Aruba ClearPass #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
PDF
Amigopod and ArubaOS Integration
byAruba, a Hewlett Packard Enterprise company
 
PDF
Base Designs Lab Setup for Validated Reference Design
byAruba, a Hewlett Packard Enterprise company
 
PDF
Onboard Deployment Guide 3.9.6
byAruba, a Hewlett Packard Enterprise company
 
Getting the most out of the aruba policy enforcement firewall
byAruba, a Hewlett Packard Enterprise company
 
Useful cli commands v1
byAruba, a Hewlett Packard Enterprise company
 
Optimizing Aruba WLANs for Roaming Devices
byAruba, a Hewlett Packard Enterprise company
 
BYOD with ClearPass
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
byAruba, a Hewlett Packard Enterprise company
 
Aruba ClearPass Guest 6.3 User Guide
byAruba, a Hewlett Packard Enterprise company
 
Real-world 802.1X Deployment Challenges
byAruba, a Hewlett Packard Enterprise company
 
Roaming behavior and Client Troubleshooting
byAruba, a Hewlett Packard Enterprise company
 
Adapting to evolving user, security, and business needs with aruba clear pass
byAruba, a Hewlett Packard Enterprise company
 
Managing and Optimizing RF Spectrum for Aruba WLANs
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- ArubaOS - Understanding Control-Plane-Security
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
byAruba, a Hewlett Packard Enterprise company
 
Airheads Tech Talks: Advanced Clustering in AOS 8.x
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- ArubaOS - Cluster Manager
byAruba, a Hewlett Packard Enterprise company
 
Guest Access with ArubaOS
byAruba, a Hewlett Packard Enterprise company
 
Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
Advanced Access Management with Aruba ClearPass #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
Amigopod and ArubaOS Integration
byAruba, a Hewlett Packard Enterprise company
 
Base Designs Lab Setup for Validated Reference Design
byAruba, a Hewlett Packard Enterprise company
 
Onboard Deployment Guide 3.9.6
byAruba, a Hewlett Packard Enterprise company
 

Viewers also liked

PPTX
Large scale, distributed access management deployment with aruba clear pass
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Aruba ClearPass Exchange Deep Dive
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Aruba WLANs 101 and design fundamentals
byAruba, a Hewlett Packard Enterprise company
 
PPTX
RF characteristics and radio fundamentals
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Getting the most out of the Aruba Policy Enforcement Firewall
byAruba, a Hewlett Packard Enterprise company
 
PPTX
The Aruba Tech Support Top 10: WLAN design, configuration and troubleshooting...
byAruba, a Hewlett Packard Enterprise company
 
PPTX
A-to-Z design guide for the all-wireless workplace
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Mobility certification through CWNP and Aruba
byAruba, a Hewlett Packard Enterprise company
 
POTX
Network management with Aruba AirWave
byAruba, a Hewlett Packard Enterprise company
 
PDF
RF planning for high-densities of mobile devices and bandwidth-hungry mobile ...
byAruba, a Hewlett Packard Enterprise company
 
PDF
Fast-track your career by going from wireless to mobility engineer
byAruba, a Hewlett Packard Enterprise company
 
POTX
Packets never lie: An in-depth overview of 802.11 frames
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Wi-Fi Security Fundamentals
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Extend mobility to remote branch networks with Aruba's new cloud services con...
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Self-Registration, Policy & Branding for Guest Access #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
PPTX
ClearPass Guest Overview
byAruba, a Hewlett Packard Enterprise company
 
PDF
Campus Redundancy Models
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Deploying mobile unified communications and collaboration (UCC) with Microsof...
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Unified access with Aruba Mobility Access Switches – Live Demo
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Mobile engagement with Aruba Beacons and the Meridian Mobile App Platform
byAruba, a Hewlett Packard Enterprise company
 
Large scale, distributed access management deployment with aruba clear pass
byAruba, a Hewlett Packard Enterprise company
 
Aruba ClearPass Exchange Deep Dive
byAruba, a Hewlett Packard Enterprise company
 
Aruba WLANs 101 and design fundamentals
byAruba, a Hewlett Packard Enterprise company
 
RF characteristics and radio fundamentals
byAruba, a Hewlett Packard Enterprise company
 
Getting the most out of the Aruba Policy Enforcement Firewall
byAruba, a Hewlett Packard Enterprise company
 
The Aruba Tech Support Top 10: WLAN design, configuration and troubleshooting...
byAruba, a Hewlett Packard Enterprise company
 
A-to-Z design guide for the all-wireless workplace
byAruba, a Hewlett Packard Enterprise company
 
Mobility certification through CWNP and Aruba
byAruba, a Hewlett Packard Enterprise company
 
Network management with Aruba AirWave
byAruba, a Hewlett Packard Enterprise company
 
RF planning for high-densities of mobile devices and bandwidth-hungry mobile ...
byAruba, a Hewlett Packard Enterprise company
 
Fast-track your career by going from wireless to mobility engineer
byAruba, a Hewlett Packard Enterprise company
 
Packets never lie: An in-depth overview of 802.11 frames
byAruba, a Hewlett Packard Enterprise company
 
Wi-Fi Security Fundamentals
byAruba, a Hewlett Packard Enterprise company
 
Extend mobility to remote branch networks with Aruba's new cloud services con...
byAruba, a Hewlett Packard Enterprise company
 
Self-Registration, Policy & Branding for Guest Access #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
ClearPass Guest Overview
byAruba, a Hewlett Packard Enterprise company
 
Campus Redundancy Models
byAruba, a Hewlett Packard Enterprise company
 
Deploying mobile unified communications and collaboration (UCC) with Microsof...
byAruba, a Hewlett Packard Enterprise company
 
Unified access with Aruba Mobility Access Switches – Live Demo
byAruba, a Hewlett Packard Enterprise company
 
Mobile engagement with Aruba Beacons and the Meridian Mobile App Platform
byAruba, a Hewlett Packard Enterprise company
 

Similar to ClearPass design scenarios that solve the toughest security policy requirements

PDF
Breakout - Airheads Macau 2013 - ClearPass Access Management Basics
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Defining Advanced AAA Policies for Access Networks
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Shanghai Breakout: Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Securing the LAN Best practices to secure the wired access network
byAruba, a Hewlett Packard Enterprise company
 
PDF
Clear pass policy manager advanced_ashwath murthy
byAruba, a Hewlett Packard Enterprise company
 
PDF
ClearPass Overview
byJoAnna Cheshire
 
PPTX
Access Management with Aruba ClearPass #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Adaptive Trust Security
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Secure Enterprise Mobility
byAruba, a Hewlett Packard Enterprise company
 
PPTX
ClearPass_Design Info.pptx
byssuser63c018
 
PPTX
Breakout - Airheads Macau 2013 - BYOD, MDM, and MAM
byAruba, a Hewlett Packard Enterprise company
 
PDF
Security advanced rich langston_jon green
byAruba, a Hewlett Packard Enterprise company
 
PPTX
ClearPass_Policy_Manager_Overview - Sandi Pradana.pptx
bysandipradana7
 
PDF
Clear passbasics derinmellor
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Hpe Intelligent Management Center
byAruba, a Hewlett Packard Enterprise company
 
PDF
2012 ah apj guest access fundamentals
byAruba, a Hewlett Packard Enterprise company
 
PDF
2012 ah vegas guest access fundamentals
byAruba, a Hewlett Packard Enterprise company
 
PDF
Cisco switch setup with cppm v1.2
byAruba, a Hewlett Packard Enterprise company
 
PDF
2012 ah vegas wlan design fundamentals
byAruba, a Hewlett Packard Enterprise company
 
PDF
Byod and guest access workshop enabling byod carlos gomez gallego_network ser...
byAruba, a Hewlett Packard Enterprise company
 
Breakout - Airheads Macau 2013 - ClearPass Access Management Basics
byAruba, a Hewlett Packard Enterprise company
 
Defining Advanced AAA Policies for Access Networks
byAruba, a Hewlett Packard Enterprise company
 
Shanghai Breakout: Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
Securing the LAN Best practices to secure the wired access network
byAruba, a Hewlett Packard Enterprise company
 
Clear pass policy manager advanced_ashwath murthy
byAruba, a Hewlett Packard Enterprise company
 
ClearPass Overview
byJoAnna Cheshire
 
Access Management with Aruba ClearPass #AirheadsConf Italy
byAruba, a Hewlett Packard Enterprise company
 
Adaptive Trust Security
byAruba, a Hewlett Packard Enterprise company
 
Secure Enterprise Mobility
byAruba, a Hewlett Packard Enterprise company
 
ClearPass_Design Info.pptx
byssuser63c018
 
Breakout - Airheads Macau 2013 - BYOD, MDM, and MAM
byAruba, a Hewlett Packard Enterprise company
 
Security advanced rich langston_jon green
byAruba, a Hewlett Packard Enterprise company
 
ClearPass_Policy_Manager_Overview - Sandi Pradana.pptx
bysandipradana7
 
Clear passbasics derinmellor
byAruba, a Hewlett Packard Enterprise company
 
Hpe Intelligent Management Center
byAruba, a Hewlett Packard Enterprise company
 
2012 ah apj guest access fundamentals
byAruba, a Hewlett Packard Enterprise company
 
2012 ah vegas guest access fundamentals
byAruba, a Hewlett Packard Enterprise company
 
Cisco switch setup with cppm v1.2
byAruba, a Hewlett Packard Enterprise company
 
2012 ah vegas wlan design fundamentals
byAruba, a Hewlett Packard Enterprise company
 
Byod and guest access workshop enabling byod carlos gomez gallego_network ser...
byAruba, a Hewlett Packard Enterprise company
 

More from Aruba, a Hewlett Packard Enterprise company

PPTX
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads_ Advance Aruba Central
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- Switch stacking_ ArubaOS Switch
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- LACP and distributed LACP – ArubaOS Switch
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Introduction to AirWave 10
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- Virtual Switching Framework- Aruba OS Switch
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- Aruba Central with Instant AP
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.x
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- Getting Started with the ClearPass REST API – CPPM
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads - AP Discovery Logic and AP Deployment
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads- Manage Devices at Branch Office (BOC)
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads - What does AirMatch do differently?v2
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Airheads Meetups: 8400 Presentation
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Airheads Meetups: Ekahau Presentation
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Airheads Meetups- High density WLAN
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Airheads Meetups- Avans Hogeschool goes Aruba
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads - Configuring different APIs in Aruba 8.x
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EMEA Airheads - Multi zone ap and centralized image upgrade
byAruba, a Hewlett Packard Enterprise company
 
PPT
Bringing up Aruba Mobility Master, Managed Device & Access Point
byAruba, a Hewlett Packard Enterprise company
 
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads_ Advance Aruba Central
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Switch stacking_ ArubaOS Switch
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- LACP and distributed LACP – ArubaOS Switch
byAruba, a Hewlett Packard Enterprise company
 
Introduction to AirWave 10
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Virtual Switching Framework- Aruba OS Switch
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Aruba Central with Instant AP
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.x
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Getting Started with the ClearPass REST API – CPPM
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads - AP Discovery Logic and AP Deployment
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Manage Devices at Branch Office (BOC)
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads - What does AirMatch do differently?v2
byAruba, a Hewlett Packard Enterprise company
 
Airheads Meetups: 8400 Presentation
byAruba, a Hewlett Packard Enterprise company
 
Airheads Meetups: Ekahau Presentation
byAruba, a Hewlett Packard Enterprise company
 
Airheads Meetups- High density WLAN
byAruba, a Hewlett Packard Enterprise company
 
Airheads Meetups- Avans Hogeschool goes Aruba
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads - Configuring different APIs in Aruba 8.x
byAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads - Multi zone ap and centralized image upgrade
byAruba, a Hewlett Packard Enterprise company
 
Bringing up Aruba Mobility Master, Managed Device & Access Point
byAruba, a Hewlett Packard Enterprise company
 

Recently uploaded

PDF
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
PDF
Mercury Computer Systems & The Cell Broadband Engine
bySlide_N
 
PDF
Zniber Partners. Audience Foresight for Confident Decisions
bySamuel Zniber
 
PPTX
congo red stain nd PAS STAIN histopathology
bybushrariaz1240
 
PPTX
Full course that Prymehat uploads for you version 2
byOhenebaManu1
 
PPTX
Accelerate Innovation with Engineering R&D Services
byChetu
 
PDF
Salesforce Sales Cloud and Generative AI Present a Fresh Approach to Personal...
byMinuscule Technologies
 
PPTX
Microsoft Azure News - January 2026 - BAUG
byDaniel Toomey
 
PDF
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
PPTX
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
PDF
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
PPTX
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
PDF
Philippine Agricultural Engineering Standard_Hand Tractor .pdf
by6xfrnmdp4b
 
PPTX
AI_Architecture_for_Chatbots_Corporate.pptx
bywrksmith9
 
PPTX
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
PDF
Implementing A Data Lakehouse Using Iceberg & Spark
byAnass Nabil
 
PDF
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
PPTX
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
PDF
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
Mercury Computer Systems & The Cell Broadband Engine
bySlide_N
 
Zniber Partners. Audience Foresight for Confident Decisions
bySamuel Zniber
 
congo red stain nd PAS STAIN histopathology
bybushrariaz1240
 
Full course that Prymehat uploads for you version 2
byOhenebaManu1
 
Accelerate Innovation with Engineering R&D Services
byChetu
 
Salesforce Sales Cloud and Generative AI Present a Fresh Approach to Personal...
byMinuscule Technologies
 
Microsoft Azure News - January 2026 - BAUG
byDaniel Toomey
 
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
Philippine Agricultural Engineering Standard_Hand Tractor .pdf
by6xfrnmdp4b
 
AI_Architecture_for_Chatbots_Corporate.pptx
bywrksmith9
 
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
Implementing A Data Lakehouse Using Iceberg & Spark
byAnass Nabil
 
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 

ClearPass design scenarios that solve the toughest security policy requirements

  • 1.
    #ATM15 | ClearPass DesignScenarios Austin Hawthorne Feb 26, 2015
  • 2.
    CONFIDENTIAL © Copyright2015. Aruba Networks, Inc. All rights reserved2#ATM15 | Agenda 1. Better user experience and tighter security, is that possible? 2. Employees on Guest Network 3. The headless device dilemma
  • 3.
    3#ATM15 | Security andUsability Cohabitation
  • 4.
    4 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Better user experience and tighter security, is that possible? Solutions: 1. Status updates and notifications 2. Provide self-service workflows 3. Dynamically Update other network security systems 4. Implement proactive problem identification and resolution
  • 5.
    5 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | The User Problem…. How do I get my device my on the network? What is a MAC Address? Why is the network not working?
  • 6.
    6 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Common Security Concerns  Who does this device belong to?  Does this device meet minimum corporate compliance standards?  Can I really support this technology?
  • 7.
    7 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | 1. Communicate with your users  Don’t just REJECT a connection if something goes wrong!  Sure that’s secure, but what does the user think?  Let a user know what went wrong:  SMS  Web Notification Page (Walled Garden)  Push Notification  Phone Call  OnGuard Message  Email • Most can be done even if you still send a REJECT
  • 8.
    8 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | 2. Provide Self Service Workflows  BYOD Provisioning and Management (Onboard)  802.1x Supplicant Configuration (QuickConnect)  Device Registration and Management  Guest Self Registration and Management  AirGroup Registration and Management  Posture Check (OnGuard DA)  Posture Remediation (OnGuard PA)
  • 9.
    9 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | 3. Dynamically Prepare the Rest of the Network  Getting past the front door is one thing….  How many more “identity” controlled doors do you have?  DHCP/DNS Controls?  Firewalls?  IDS/IPS?  Proxies?  Application Logins (SSO)?
  • 10.
    10 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Example Update WLAN AD/LDAP Update Firewall EMM/MDM Adaptive Trust Identity Update Web Proxy / Filter Logon to Applications (SSO) Update EMM/MDM Who: Bob Group: Faculty Device: Personal iPad Location: Room 104 Time: 9am, Monday Compliance: Healthy Mac Address: X IP Address: Y Airgroup Permissions
  • 11.
    11 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | 4. Proactive Problem Identification and Resolution  Use ClearPass to notify/alert helpdesk systems  The right teams with the right information  As soon as a problem happens  Not just Syslog/SNMP  Email  HelpDesk Ticketing Systems  SMS/Voice
  • 12.
    12 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Example Radius Action to force notification page Send user SMS notification Update Palo Alto Firewall Open Help Desk Ticket Sound the alarm!Send Email to security team
  • 13.
  • 14.
    14 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Why is it a bad idea? 1. Users/Devices are exposed to cyber-attacks 2. SSID Confusion 3. User circumvent web policy at work Protect your users and devices
  • 15.
    15 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Get visibility and control on your Guest SSID Wireless Controller ADSQL Store ClearPass MDM RADIUS LDAP SQL 1 2 3 User 4AP SSID: Guest MAC Authentication MAC | 11:22:33:44:55:66
  • 16.
    16 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | How can we identify corporate devices? ClearPass Policy Manager DATA CENTER Network Infrastructure WIRELESS WIRED VPN REMOTE OFFICE OUTDOOR ADORACLECMDBEndpoint Database MDM JAMF Authorization Sources
  • 17.
    18 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | CP Exchange – Integration with MDM
  • 18.
    20 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | CP Exchange – Integration with CMDB SELECT MAC_ADDR as cmdb_mac where MAC_ADDR = ‘%{Connection:Client-Mac-Address-Hyphen}’
  • 19.
    23 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Endpoint Attribute Tagging ClearPass AD/LDAP Device Authentication SSID: Secure WPA2-AES [MACHINE AUTHENTICATED] Certificate:Issuer-CN Update Endpoint Ownership: Corporate MAC | 11:22:33:44:55:66 Authorization
  • 20.
    24 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Update Endpoint Enforcement
  • 21.
    25 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Let’s build a Role Mapping Policy (Tagging)
  • 22.
    26 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Policy Enforcement Options Auto-generate Helpdesk Ticket Notify user: SMS & voice call to phone IT administrator: Email alert Redirect to Captive Portal ENFORCEMENT WORKFLOWS Employee connects to Guest SSID CLEARPASS IDENTIFIES Corp-Device Role ClearPass SSID: Guest MAC Authentication
  • 23.
    27 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Let’s build an Enforcement Policy (Actions)
  • 24.
    28 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Corporate Device Warning Page
  • 25.
    29 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Enforcement Profile– SMS with twilio
  • 26.
    31 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Enforcement Profile – Helpdesk Ticket {"short_description":”Corporate Device Event","priority":"3","description":"The following Corporate device has attempted to connect to the Guest WiFi network:nMac Address: %{Connection:Client-Mac-Address}nEnrolled User: %{Authentication:Full-Username}nDevice Serial: %{Endpoint:Serial Number}nMobile: %{Endpoint:Model}nOS Version: %{Endpoint:OS Version}nLocation: %{Radius:Aruba:Aruba- Location- Id}","u_category":"%{u_category}","u_subcategory ":"%{u_subcategory}","assigned_to":"mobileadmin" }
  • 27.
  • 28.
    33 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Is 802.1X the only option? 1. Many wired/wireless devices do not support 802.1x authentication 2. How do we make sure only the desired devices get access? 3. What about MAC Spoofing?
  • 29.
    34 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Supporting “Headless” Devices  For devices that do not support 802.1X:  Wireless: Need a PSK SSID with MAC Authentication  Wired: Need to use MAB on the port  Two mechanisms for authentication: 1. Device Profiler 2. Device Registration
  • 30.
    35 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | 1. Endpoint Profiler • Authorize devices like IP Phones, Hand Scanners, Printers, or Access Points. Protect your users and devices
  • 31.
    36 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Profiling “Unknowns”  Recommended Best Practice:  Allow DHCP, SNMP, and maybe redirects HTTP to CPPM  Once profiled, re-authenticate against new information
  • 32.
    37 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Example Profiling Policy • Create an enforcement profile and policy rule to send the dACL (in the case of, say, a Cisco LAN switch) Protect your users and devices
  • 33.
    38 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Pulling it all together
  • 34.
    39 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | 2. Device Registration • The default device registration page looks like this: Protect your users and devices
  • 35.
    40 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | MAC Spoofing What if someone spoofs their device MAC address?
  • 36.
    41 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | ClearPass can detect device conflicts
  • 37.
  • 38.
    43 CONFIDENTIAL ©Copyright 2015. Aruba Networks, Inc. All rights reserved#ATM15 | Sign up, save $200! arubanetworks.com/atmosphere2016 Give feedback! … Before You Go atmosphere 2016

Editor's Notes

  • #4 Make networks mobility-defined instead of fixed
  • #5 Problem Statement: As I implement more security, the number of help desk tickets increase. Users cannot resolve issues themselves, and cannot relay accurate problem description. Users are constantly being prompted to get through yet another security checkpoint
  • #6 How do I get my device on the network? Who do I talk to when I have a problem? Is the network working? What’s a firewall? What is MAC Address?
  • #9 Notification is step #1 Offloading IT/Helpdesk and giving users “simple” path to resolution is the next step.
  • #12 What if the user cannot solve the problem themselves, then what?
  • #14 Make networks mobility-defined instead of fixed
  • #17 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #18 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #19 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #20 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #21 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #22 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #23 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #24 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #25 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #26 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #27 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #28 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #29 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #30 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #31 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #32 MDM Integration Endpoint Attribute Tagging Machine Auth Cache SQL integration
  • #33 Make networks mobility-defined instead of fixed
  • #37 But what about new devices or devices that haven’t been profiled yet?
  • #40 ClearPass comes with a device registration feature that allows a specific device (MAC) to be registered and authorized in the system. This allows a user to pre-register a device before bringing it onto the network. Thus creating an audit trail Useful when a general category or OS family isn’t specific enough or when you need to only allow specific devices. Example: We don’t want to authorize all Apple MacBooks but we will allow some to be registered and authorized
  • #41 What if someone gets the MAC address of a printer or other authorized device and spoofs it on their PC? CPPM will set the Conflict flag on the Endpoint if the same MAC profiles as a different device than it previously had been. You can then act on that in
  • #42 What if someone gets the MAC address of a printer or other authorized device and spoofs it on their PC? CPPM will set the Conflict flag on the Endpoint if the same MAC profiles as a different device than it previously had been. You can then act on that in
  • #43 Make networks mobility-defined instead of fixed
  • #44 Make networks mobility-defined instead of fixed