Access Management with Aruba ClearPass
#ATM15 |
Access Management with Aruba ClearPass
Live Walkthrough of Config, Troubleshooting, and User Experience
March 2015
@ArubaNetworks
CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved.
Agenda
• Review existing customer deployment
• Customer Challenges and Solutions
• Live Config, Authentication, and Troubleshooting Walkthrough
Existing Customer Deployment
• Enterprise environment with:
  – 802.1X WLAN
    • EAP-PEAP/MSCHAPv2 with Active Directory
  – User authentication
  – Corporate laptops
    • No checks & balances for validation
Three new initiatives
1. MDM Rollout
– Client Services Team deploying Mobile Iron
– Enrollment of all mobile devices
2. Palo Alto Firewall Deployment
– Security Team chose Palo Alto as new Internet Gateway platform
3. Visitor Network with ClearPass Guest
– ClearPass Guest for Visitor Access
Next-Generation Solutions
Limit access to only:
• MDM-enrolled
• Corporate laptops
Granular user/device policies
• Only marketing folks permitted to social media sites
Prohibit corporate devices from Guest network
• Open HelpDesk incident for violators
How do I integrate with these solutions?
• Use ClearPass Exchange!
• Use Post_Authentication Enforcement Profiles!
ClearPass Exchange Recipes
Recipe site and tech note available to help you with your integrations:
– Site:
  • http://community.arubanetworks.com/t5/ClearPass-Exchange-Recipes/tkbc-p/clearpass-recipes
– TechNote:
  • http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15508
– Not to be confused with Aruba Solution Exchange
  • http://ase.arubanetworks.com
  • (More on this at the end)
Lab Setup
Lab Workflow – 802.1X
SSID: CP-Atm-dot1x (PEAP-MSCHAPv2)
• Corporate Device?
  – No: Redirect to information page
  – Yes: User?
    • Marketing: Full Internet (Including Social Media)
    • Everyone Else: Limited Internet (No Social Media)
Enforcement
RADIUS REQUEST
RADIUS RESPONSE
HTTP ENFORCEMENT
RADIUS Accounting (New in CP 6.5)
– Target: Checkpoint, Fortinet, Websense, others
– via ACCT Proxy
802.1X Demo
• Audience
  – Use your personal SmartDevice
  – You will be redirected.
• Presenter
  – Connect with corporate SmartDevice
  – mark is in Marketing.
  – jsmith is not in Marketing.
Lab Workflow - Guest
SSID: CP-Atm-Guest (open)
• Corporate Device?
  – Yes:
    • AOS: Redirect to corporate security guidelines
    • ServiceNow: Open HelpDesk Incident
  – No: Guest Self-Reg Workflow
Three components to HTTP enforcement
1. Endpoint Context Server
– Define the External Server
  • (i.e. IP Address, credentials)
2. Context Server Action
– Define the action to take place
  • (i.e. Open a helpdesk ticket, send push notification)
3. Enforcement Profile
– Joins the External Context Server with the Context Server Action.
Endpoint Context Server
1. Endpoint Context Server
Context Server Action
2. Context Server Action
Enforcement Profile
3. Enforcement Profile
Using Dynamic Variables in ClearPass
• Almost all of the “context” that is collected by ClearPass can be called up and used via dynamic “namespace” variables.
• For example:
  – %{Radius:Aruba:Aruba-Location-Id}
  – %{Connection:Client-Mac-Address-Colon}
  – %{Endpoint:AD_Name}
• These can be used in:
  – Service Matching
  – Role mapping
  – Enforcement profiles and policies
  – Auth source filters/queries
  – Context Server Actions
• When used, the value is replaced with information pertaining to that device or user dynamically
Context Examples
Using Dynamic Variable Examples
{
  "short_description": "Corporate Device on the Guest Network",
  "priority": "3",
  "description": "Offending Device:\n User: %{Endpoint:AD_Name}\n Mac Address: %{Connection:Client-Mac-Address-Colon}\n Location: %{Radius:Aruba:Aruba-Location-Id}",
  "u_category": "71feaf0f8c00d100a4e1ee6a09f9bc72",
  "u_subcategory": "02feaf0f8c00d100a4e1ee6a09f9bc29",
  "assigned_to": "mobileadmin"
}
Context Server Action – POST to ServiceNow.
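An added example (not from the slides and not ClearPass code): a Python pre-flight check for a Context Server Action body like the one above. It models the %{...} substitution with JSON escaping and confirms the rendered body still parses; the function names, the trimmed template and the sample context values are assumptions made for illustration.

```python
import json
import re

# ClearPass-style dynamic variable token, e.g. %{Radius:Aruba:Aruba-Location-Id}
TOKEN = re.compile(r"%\{([^{}]+)\}")

# Action body trimmed to four fields; a raw string keeps the \n sequences
# as JSON escapes instead of turning them into Python newlines.
TEMPLATE = r'''{
 "short_description": "Corporate Device on the Guest Network",
 "priority": "3",
 "description": "Offending Device:\n User: %{Endpoint:AD_Name}\n Mac Address: %{Connection:Client-Mac-Address-Colon}\n Location: %{Radius:Aruba:Aruba-Location-Id}",
 "assigned_to": "mobileadmin"
}'''

# Constructed sample context; the location value deliberately contains quotes.
SAMPLE = {
    "Endpoint:AD_Name": "jsmith",
    "Connection:Client-Mac-Address-Colon": "64:20:0c:3d:8f:d7",
    "Radius:Aruba:Aruba-Location-Id": 'Lobby "AP-3"',
}

def render(template, context):
    """Replace each %{...} token with its JSON-escaped value.

    Returns (rendered_text, names_of_tokens_with_no_value)."""
    missing = []

    def substitute(match):
        name = match.group(1)
        if name not in context:
            missing.append(name)
            return match.group(0)  # leave the unresolved token visible
        # json.dumps escapes quotes, backslashes and control characters; the
        # outer quotes are dropped because the token sits inside a JSON string.
        return json.dumps(str(context[name]))[1:-1]

    return TOKEN.sub(substitute, template), missing

def check_action_body(template, context):
    """Render the body, refuse unresolved tokens, and parse the result."""
    text, missing = render(template, context)
    if missing:
        raise ValueError("unresolved variables: " + ", ".join(missing))
    return json.loads(text)  # raises ValueError if the body is not valid JSON

if __name__ == "__main__":
    print(json.dumps(check_action_body(TEMPLATE, SAMPLE), indent=2))
```

Running the same check against a template before saving it catches punctuation mistakes in the body as well as variable names that have no value in the test context.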
ServiceNow Configuration & Demo
• Let’s configure ServiceNow
  – Use Case: Open HelpDesk Incident when corporate device connects to Guest network
• Use your SmartDevice
  – Register for an account
Web Login Page Customization
• Many customization/personalization options exist in WebLogin pages
  – (Different from your Skin)
• Built-in capability to:
  – Leverage “FontAwesome” fonts
  – Insert other page links
  – Inject PHP code into header/footer
  – Leverage user/device/session variables
• For this, create a “dump” page to see what’s available
Variable Dump Page
https://10.0.0.25/guest/dump.php?mac=64:20:0c:3d:8f:d7
Variable use in WebLogin Pages
• Using HTTP User-Agent:
<p align=center>You are attempting to Onboard your {$_wpl.browser.uaparser.os.family} device with {$_wpl.browser.uaparser.ua.family},
{if $_wpl.browser.uaparser.os.family == "Mac OS X"}please try again using the Safari browser.{/if}</p>
• Using Endpoint attributes:
<p>Attention {$_endpoint.AD_Name}, This device is a corporate asset and therefore should not be accessing the visitor network. </p>
Guest – Weblogin customization
• Let’s explore weblogin customizations
  – How did we pull the Username onto the page?
  – Let’s see the ‘dump’ page.
Lab Setup
4th Gen Intel NUC D54250WYK
– Core i5, 16GB RAM, 512GB SSD
– ESXi 5.5 (custom install with Intel ethernet driver net-e1000e)
Aruba 7005 Controller
IAP-205 (in CAP Mode)
[Lab topology diagram. Labels: Internet, DHCP, Controller, NAT, ESXi, PA-VM, CP-VA-EVAL, Win2k8]
Aruba Solution Exchange
ase.arubanetworks.com
Configuration Made Simple
Undo Configs
AOS, Instant, MAS, ClearPass, Juniper, Cisco…
THANK YOU