access management with aruba clearpass
DESCRIPTION
Access Management with Aruba ClearPass presentation from our Airheads Local event.TRANSCRIPT
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Access Management with Aruba ClearPass
Seth Fiermonti
June 2014
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Agenda
• Introductions & Expectations
• What is ClearPass
• ClearPass – Policy Model
• Authorization – What and Why
• Profile – How does it work
• Clustering & Deployment
• Q & A
ClearPass Overview
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Evolving IT Landscape
USER CENTRIC, SELF SERVICEIT CENTRIC
Windows
Fixed Environment
Wired Network
IT Managed
Slow Refresh
Multiple Platforms
Work from anywhere
Wired, Wi-Fi, Cellular
Selection of devices & apps
User Timeframes
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
The ClearPass Solution
Comprehensive Solutions Architecture
WORKFLOW POLICYVISIBILITY
Role-basedEnforcement
Health/PostureChecks
Device and App
Device Profiling
Troubleshooting
Per Session Tracking
Onboarding, Registration
Guest Management
MDMIntegration
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
The ClearPass Access Security Platform
CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 6 @arubanetworks
Policy Services
IdentityStores
3rd PartyMDM
App Servers
DIFFERENTIATEDACCESS
UNIFIEDPOLICIES
DEVICEVISIBILITY
GUEST EMPLOYEE
POLICY SERVICES
ENTERPRISE-CLASS AAARADIUS, TACACS+
VPN
OnGuardPosture &
Health Checks
OnboardDevice
Provisioning
GuestVisitor Management
Multivendor Networks
ClearPass Policy Manager
AAA Services ONE IDPolicy Engine
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Context-Based Access Control
• Differentiated Access– Role, device type, access method
• Policy-based AAA Services– Support for 802.1X, MAC, Web (HTTPS) authentication
– Communicate to network devices via RADIUS, RADIUS CoA, TACACS+, SNMP
– Ability to read from multiple identity stores (AD, LDAP, SQL, Kerberos, Token Server, Etc.)
– Enforcement Options – Allow/Deny, VLAN, ACL, dACL, url redirects, SNMP
• Contextual Policy Elements– Time, location, group, OS version, project
VPN
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Platform Features – Out of the box
Multivendor DNA• Wired, WLAN, VPN
Core Authentication • AAA, LDAP, AD, Kerberos, Token, SQL, MAC,
802.1x, TACACS+, HTTPS, SSO (SAML, Okta)
Integrated Profiling• Device profiling across wired & wireless• Use directly in authorization policy
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
ClearPass Core Services
MDM Integration• Leverage information gained
from MDM vendors for profile & to influence policy
TACACS+ Server• Replace legacy ACS solutions
Context Aware Authorization• Device type, User, Time, Location, Posture• Layer multiple conditions for policy derivation
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Platform Features – Out of the box
Scale with Clustering• Supports 1 million endpoints per cluster• Centralized or distributed architecture
Flexible Licensing• Perpetual licenses• Subscription licenses• 25 free endpoint Enterprise license included
Physical or Virtual Appliances• Sized for variety of customer needs• Virtual Appliance relies upon VMWare
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
What’s in ClearPass 6.3
INTEGRATIONINTEROPERABILITY
Auto Sign-On for Apps• Simple Network authentication for App login• Opens doors for mobile device SSO opportunities
Guest Advertising Included • Customizable for gender, season, location• Larger story in retail, healthcare, entertainment
Enhanced Certificate Distribution• 3rd Party MDM solutions can now use Onboard CA• You are the alternative for internal PKI integration
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
INTEGRATIONINTEROPERABILITY
Remote Support• Setup secure TAC session with a simple click• Customer support because you asked for it
SPAN Port Profiling• Any device addressed via DHCP gets profiled• You get the big picture faster, from one port
Exchange• Built-in tools for integration of third-party systems• Data exchange with MDM, helpdesk, SIEM apps
made easy
What’s in ClearPass 6.3
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
ClearPass Auto Sign-On
Only Aruba lets you sign-in once & you’re good to go
• One login for all web/mobile apps
– Uses valid network login
• NO App logins
• IBM, Okta, Ping
• ClearPass as Provider (IdP)
– Uses SAML, not RADIUS
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
ClearPass Exchange
Two-way Third-Party Integration
Third-party Systems
Payment Management
Patient Check-in
Helpdesk Tickets
MDM Solutions
SIEM Systems
ClearPass
Syslog Messages / RESTful APIs
Jail-broken device
detected
Helpdesk ticket auto generated
Message to device auto generated
1.
2.3.
ClearPass denies access
to device
ClearPass Policy Model
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
ClearPass Policy Model
• What constitutes the policy model?
• How does it work?
• What are the interactions between various components?
• How does the policy model affect configuration & deployment?
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
ClearPass Policy Model
Policy
Identity
HealthDevice
Conditions
• Role• Department• Group
• AV, AS, FW• Registry Keys• Services…
• Device type, status, health
• Address, O/S• Corp. Owned
• Time• Location• Day of Week
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
What’s the flow?
Authenticate • Valid Authentication
Authorize • Find Out What’s Allowed
Associate Context • Device, Time, Location, Posture
Enforce on NAS • Roles, ACLs, VLANs
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
What Are The Interactions?
RADIUS Server – Authenticate
Policy Server – Authorize
Policy Server – Associate Context
Policy Server – Decision Tree
RADIUS Server – Enforce
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
ClearPass Policy Enforcement
ClearPass Use external context to define granular policies
WHO
• User / role
WHAT WHEN
• Device fingerprint• OS version• Health checks• Jailbreak status
• Location• Trusted or
untrusted network
• Time• Date
?
• Wired, Wi-Fi, VPNenforcement
HOWWHERE
Per
mit
/Den
y
Whi
telis
t /
Bla
cklis
t
Rem
edia
te
Qua
rant
ine
Red
irect
Rol
e-ba
sed
Sec
urity
Ban
dwid
th
Mgm
t
Opt
imiz
ed
Mul
timed
ia
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Service Flow – 802.1X
Layer 2RADIUSRequest
Layer 2Authentication
Layer 2Authorization
Layer 2Role
Derivation
Layer 2RADIUS
Enforcement
Layer 3Profile
Layer 2NAP
Layer 3OnGuard
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Service Flow – Implications
• Layer 2 Authentications are completed first– Full Authorization
– Role Derivation
– NAP (if enabled)
– Layer 2 Enforcement
• Layer 3 : Profile next– DHCP Request, DHCP Offer
– RFC 3576 – Change of Authorization• Another Layer 2 authentication!
– No RFC 3576 message if “fingerprint” does not change
• Layer 3 : Collect Posture last (OnGuard)– Posture over HTTPS
– RFC 3576 based on policy
– Another Layer 2 authentication!
Authorization – What and Why
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Authorization – What and Why?
• Authentication vs. Authorization
• Authorization & ClearPass
• Use Cases
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Authorization & ClearPass
• “Authorization” Sources in ClearPass– Where do I find them?– How do I use them?– How often does ClearPass talk to an authorization source?– What happens in case something goes wrong?
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Authorization Sources – Where?
• An “Authentication Source” is an “Authorization Source”– RADIUS Server vs. Policy Server
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Authorization Sources – How?
Authentication Sources are automatic Authorization Sources
Additional Authorization Sources enabled per Service
No Authorization unless used in Roles!
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Authorization Sources – How?
Authorize with Active Directory
Authorize withProfile Data
Rule Algorithm :Evaluate All
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Authorization – How?
• Ok, great. But will ClearPass flood my AD with authorization requests?– Authorization data is cached per user– New request made to fetch data once the cache expires– Cache timers can be tuned
Cache TimeoutDefault: 10 hours
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Authorization – How?
• Got it• But I just made a bunch of changes on my AD.
Should I need to wait 10 hours?– Tune the cache timers– “Clear Cache” button on the Authentication Source– Wipes out cache for all users
– “Save” button on the Authentication Source
• Wipes out cache for all users
– Restart Policy Server
• BAD IDEA!!!
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Authorization – Uh-Oh!
• If an Authentication/Authorization Source is not reachable– Configure Backup Servers– Configure Fail-Over Timeout
Fail-Over Timeout
Backup Servers
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Use Cases – Mergers & Acquisitions
Active Directory Domain – avendasys.com
Active Directory Domain – arubanetworks.com
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Authentication & Authorization Sources for TLS
Certificate Details used for Authorization
Enable Authorization –Source specified in the Service
Compare Certificate –Source specified in the Service
Use Cases – Certificates & TLS
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Use Cases – Asset Databases
• LDAP/SQL Interface to Asset Databases– Key : MAC Address
– Authorization Attributes• Ownership – Corporate vs. Personal
• Compliance Status – In/Out of compliance
– Identify corporate-owned non-Windows devices
Profile – How Does It Work?
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Profile – How does it work?
• Profile & Network Data
• Automatic Profile “upgrades”
• Using Profile data in policy
• Configuring Profile
– DHCP? HTTP? SNMP?
• Use Cases
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Profile & Network Data
What does ClearPass use to profile?– MAC OUIs– DHCP Request, DHCP Offer– HTTP User-Agent– MDM Fingerprints– Device Interrogation– SNMP/CDP/LLDP Data
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Fingerprint Updates
• Subscribe to Fingerprint Updates– Automatic reclassification
– Updated frequently
• Tell Aruba!– Create policy exceptions
– Grab fingerprints from UI
– Send fingerprints to Aruba
– Crowd-sourced, community oriented
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Using Profile data in policy
• Automatic 3-level categorization– Device Category, OS Family, Device Name
• Using raw profile data– DHCP Data, HTTP User-Agent, SNMP Data
• Role Mapping– What should I use?
• Enforcement– How do I enforce?
– What are the benefits?
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Configuring Profile – Network Considerations
• DHCP Relay– Where should I setup DHCP relays?
• Captive Portal Configuration– Is there a knob for this?
• Reading SNMP Data– CDP
– LLDP
– HR MIB
– SysDescr MIB
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Use Cases
• Policy – CEOs & iPads
• Policy – “Headless” Devices
• Visibility – Demystifying BYODs
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Use Cases – CEOs & iPads
Assign Roles
Enforce Access
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Use Cases – Headless Devices
Identify & Assign Roles To Headless Devices
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Use Cases – Visibility
Clustering & Deployment
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Clustering & Deployment
• Clustering Technology– What’s replicated? What’s not?
• Deploying ClearPass Clusters– Considerations
• Operations & Maintenance– What happens when a ClearPass node is down?
– Events & Alerts
– Rescue & Recovery
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Clustering Technology
• What’s replicated?– All policy configuration elements
– All Audit data
– All identity store data• Guest Accounts, Endpoints, Profile data
– Runtime Information• Authorization status, Posture status, Roles
• Connectivity Information, NAS Details
– Database replication on port# 5432 over SSL
– Runtime replication on port# 443 over SSL
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Clustering Technology
• What’s not replicated?
– Log files
– Authentication Records
– Accounting Records
– System Events
– System Monitor Data
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Clustering – Considerations
• How do they connect?– Requires IP connectivity (bi-directional)• Port # 5432 (Database over SSL)
• Port# 80 (HTTP)
• Port #443 (HTTPS)
• Port #123 (NTP)
• How much data should we expect to see crossing the wire?– Only elements in the configuration database
– First sync is a full database copy
– Subsequent sync – Delta changes propagated
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Clustering – Considerations
Hub & Spoke
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Clustering – Considerations
• Central / Distributed Admin Domains
• Redundancy/Load Balancing
• Cluster wide licensesCPPM – Publisher
DNSDHCP
IdentityStores
Main Data CenterMid-size Branch
Regional Office
DMZ
CPPMSubscriberVM
CP GuestCP Onboard
CPPMSubscriber
CPPMSubscriber
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Operations & Maintenance
• What happens when a node goes down?
– Operations
• If Deployed Right – Nothing
• RADIUS Backup settings on the NAS
– If the Publisher goes down
• No Database Writes Allowed!!
• Promote a Subscriber to a Publisher
• Resume configuration updates
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Events & Alerts
• How long before ClearPass figures out something’s wrong?– 24 hours before it automatically “drops” a node from the
cluster
– Cluster Synchronization Warnings• 1 event every hour x 24 hours = 24 events
– CPU/Memory Usage Warnings Every 2 Minutes
– Server Certificate Warnings Every 24 Hours
– Service Alerts Immediate
• Email/SMS Alerts using Insight, Syslog & SNMP
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Operations & Maintenance
• Rescue & Recovery– Establish cluster connectivity• Database sync will ensue. Watch for “Last Sync Time”
– Restore certificates• Server Certificates are not installed as a part of the sync
– Restore log entries (If necessary)• Caveat : High disk activity for an extended period of time
– Verify fail-back on the NAS• NAS fail-back timers should kick in
#AirheadsLocal