ClearPass Secure NAC
Agenda
• Flex-N-Gate Requirements
• CPPM Design Definitions
Aruba ClearPass Virtual Appliances
1. ClearPass 25K Virtual Appliance:
• RADIUS/TACACS+ server with advanced policy control for up to 25,000 unique endpoints
2. ClearPass 5K Virtual Appliance:
• RADIUS/TACACS+ server with advanced policy control for up to 5,000 unique endpoints
3. ClearPass 500 Virtual Appliance:
• RADIUS/TACACS+ server with advanced policy control for up to 500 unique endpoints
Aruba ClearPass Licenses
1. Aruba ClearPass Access License:
• Provides secure network access for AAA with RADIUS and TACACS for enterprise and guest users
• Licenses are sold in blocks of 100, 500, 1000, 2500, 5000 and 10000 endpoints
2. Aruba ClearPass Onboard License:
• Onboard lets BYOD and IT-issued devices connect safely to your network in compliance with security mandates. Flexible policies and unique certificates enable full and limited access based on roles, device type and security posture.
• Licenses are sold in blocks of 100, 500, 1000, 2500, 5000 and 10000 users
3. Aruba ClearPass OnGuard:
• ClearPass OnGuard performs vital endpoint health checks and posture assessments automatically to ensure that all mobile devices are fully compliant with industry and internal requirements before they connect to wired and wireless networks
• Licenses are sold in blocks of 100, 500, 1000, 2500, 5000 and 10000 endpoints
4. Aruba ClearPass Guest Portal Customization:
• Give your guest web site a professional look and feel. The Aruba Networks skins team will leverage your unique brand to create a customized skin for your guest portal, optimized for smartphones, tablets and laptops.
• One-time cost: $4500.00
CPPM Design Definitions
– ClearPass uses a Publisher/Subscriber model to provide multiple-box clustering. Another term for this
model is hub and spoke, where the hub corresponds to the Publisher, and the spokes correspond to the
Subscribers.
– The Publisher node functions as the master controller in a cluster. The Publisher is your central point of
configuration, monitoring, and reporting. It is also the central point of database replication. All the
databases are managed through the Publisher.
– There is at most one active Publisher in this model, and a potentially unlimited number of Subscribers.
– The Publisher node has full read/write access to the configuration database. All configuration changes must be made
on the Publisher. The Publisher node sends configuration changes to each Subscriber.
– Subscriber nodes are worker nodes. They carry all the AAA load and all RADIUS requests, and policy
decisions are made on the Subscriber nodes.
– Each Subscriber node maintains a local copy of the configuration database, to which it has read-only access.
Publisher and Subscribers
in Hub and Spoke
Flex-N-Gate Requirements
Design Requirements:
1. 802.1X wireless access using Active Directory
2. 802.1X wireless access using MAC Auth.
3. Guest Access
Design Questions:
1. Determine how many endpoints need to be authenticated.
   1. AD Auth?
   2. MAC Auth?
   3. Guest Auth?
Thank you
CONFIDENTIAL © Copyright 2016. Aruba, a Hewlett Packard Enterprise Company. All rights reserved
Flexible Guest Logins for Any Visitor
• Visitor uses self registration
• Rich self-service workflows to control guest access privileges
• Logon support for social, sponsor
• MAC caching for repeat visitors
BYOD: Employees Login with Personal Devices
• User and IT friendly: One time user registration / no IT intervention
• Security: IT managed, 802.1X and Certificates
• Context: Data added to profile for adaptive policy and troubleshooting
Automated Health Checks Before Access
• Wired/Wireless: Ensures posture compliance for laptops/computers
• Security: Forces use of Anti-Virus, Anti-Spyware, firewalls, disk encryption…
• Remediation: Manual or auto
• Visibility: Identifies poor behavior
ClearPass Exchange: End to End Controls
Aruba ClearPass with Exchange Ecosystem
• Internet of Things (IoT)
• BYOD and corporate owned
• REST API, Syslog
• Security monitoring and threat prevention
• Device management and multi-factor authentication
• Helpdesk and voice/SMS service in the cloud
• Multi-vendor switching
• Multi-vendor WLANs
ClearPass – What's Inside?
Visibility
• Policy Engine
• RADIUS/CoA
• TACACS+
• Profiling+
• +100 RADIUS dictionaries
• OnConnect
• Advanced reporting
Automation
• Policy simulation
• Access Tracking
• Template-based policy creation
• Basic Guest (Social Login)
• LDAP browser
• Per session logs
Protect
• Exchange
• API
• Syslog
• Extensions
• AirGroup Bonjour/DLNA
• Device registration
• Certificate revocation
Understanding Device & IoT Connectivity Options
• Businesses want to manage what devices connect
• Only some support secure connections
• 50% of IoT may be wired
OnConnect – The cure for dumb ‘smart’ devices
• Policy Engine
• SNMP Enforcement
• Printer VLAN, Infusion Pump VLAN
• Existing 802.1X wired/wireless support
• No 802.1X?
1) 802.1X (Gold Standard) or 2) SNMP Authentication or 3) Captive Portal = All devices 1) Authenticated or 2) Authorized
Sequential Authentication = Lowered Risk
• No unknown devices
• Fewer tickets


Editor's Notes

  1. But beyond that – IoT – devices beyond smartphones, tablets and PCs – Connected sensors, across a multitude of vertical specific devices have grown in years from 10 to 40 billion in just years Automated VPN – transition to MDM and VIA
  2. For organizations that are weary of spending too much time on guest networks, position the rich workflow and branding capabilities of an intelligent Guest solution. IT gains the ability to use various sponsor workflows that provide guest access governance and auditability. User self-registration and MAC caching can simplify the user experience. And they can create policies that limit time on the network, and how much bandwidth is used. Flexibility on the user side is key. IT enforcement that’s performed on the back end is key for IT.
  3. To enable the use of personal devices in the workplace, IT needs a way to automate who and what can be used. We often get asked if anyone can onboard a device or devices, but the answer is no. IT creates the rules and leverages identity and role to permit users to onboard a device. A user must enter login and password information to start the process. An automated device certificate makes it easier for the user, and IT can easily pull certs if needed. The fact that a device was onboarded even lets IT use that data within policies. If the guest network is off limits to employee devices, IT has ownership data. If the certificate is invalid, IT has that data. It’s a win for the organization and the user if BYOD is managed versus thrown to a guest network.
  4. The same system should also be leveraged to perform health checks on computers. Before a laptop gains access to internal resources, IT can automatically ensure that security apps are being run on a regular basis. Colleges and universities can limit the use of peer-to-peer apps so that movies are not illegally downloaded by users on the campus domain. Again, flexibility plays a role. Auto-remediation can turn off an app or service before a device is connected to the network, or IT can quarantine a device and request that the user contact a help desk for educational training.