CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved. #airheadsconf
ClearPass Access Management Basics
Carlos Gomez Gallego, Ashwath Murthy
Agenda
• ClearPass Basics
• Controlling Access
• Advanced Features
Why ClearPass?
IT Centric:
• LAN/VPN
• MS Enterprise apps
• Mainly Windows
User Centric:
• Multiple platforms
• Personal devices
• Mobile apps
• Web apps
• Collaboration services
One size no longer fits all...
ClearPass Core Solution Components
• Policy
  – Security
  – Usage
• Workflow
  – Automation
  – Provisioning
• Visibility
  – Consolidation
  – Troubleshooting
ClearPass Enables New Workflows
• Offload IT services
• Guest access
  – Sponsors, self-service portals
  – One-time login
  – IT-controlled guest privileges
• Secure device onboarding
  – Automatic device identification
  – One-time user registration
  – Provisioning of 802.1X settings, certificates
• Device/app management
  – Centralized distribution and policies
  – Automatic updates
Device Visibility
– Works across multi-vendor networks
– Uses multiple active and passive techniques for high accuracy
– Device fingerprints updated automatically over the web
– Use device visibility to trigger a workflow, quarantine a device or grant network access
Network Policies Based on Context
Policy example: use context from ClearPass and external sources to set network policy
• Application installed
  – Blacklisted
• Device profile
  – OS version
  – Endpoint health
  – Jailbreak status
  – Pincode/encryption
• Location
  – Trusted or untrusted network
• Time/date
  – e.g. in semester
• User/group membership
ClearPass Basics: Guest Access
Who is a Guest?
• Guest accounts
• Self-generated access
• Sponsor-controlled access
• Differentiated guest access
Automated Guest Onboarding
Actors: New Visitor, Sponsor, ClearPass Policy Manager
1. Visitor registers for access; an email is sent to the sponsor.
2. Sponsor is prompted to confirm that the guest is valid.
3. Account enabled; visitor notified via screen, SMS, or email, and the guest accesses the network.
Controlling Access
ClearPass Platform: Enterprise-grade RADIUS and TACACS
Controlling Access: Authentication and Authorization
What's the flow?
• Authenticate: valid authentication
• Authorize: find out what's allowed
• Associate context: device, time, location, posture
• Enforce on NAS: roles, ACLs, VLANs
Service Flow – 802.1X
1. Layer 2: RADIUS request
2. Layer 2: Authentication
3. Layer 2: Authorization
4. Layer 2: Role derivation
5. Layer 2: RADIUS enforcement
6. Layer 3: Profile
7. Layer 2: NAP
8. Layer 3: OnGuard
Service Flow – Implications
• Layer 2 authentications are completed first
  – Full authorization
  – Role derivation
  – NAP (if enabled)
  – Layer 2 enforcement
• Layer 3: Profile next
  – DHCP Request, DHCP Offer
  – RFC 3576 Change of Authorization: another Layer 2 authentication!
  – No RFC 3576 message if the "fingerprint" does not change
• Layer 3: Collect posture last (OnGuard)
  – Posture over HTTPS
  – RFC 3576 based on policy: another Layer 2 authentication!
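The ordering on this slide is easy to get wrong when writing policy, so here is a small simulation of it as an added example (not Aruba or ClearPass code): Layer 2 authentication, authorization, role derivation and enforcement run first; a Layer 3 profile result only triggers an RFC 3576 Change of Authorization when the fingerprint actually changes; a posture result triggers a CoA only where policy says so; and every CoA costs another Layer 2 round. The users, roles, VLAN assignments and the "which roles need posture" policy are constructed assumptions.

```python
"""Simulation of the 802.1X service flow ordering: Layer 2 first, then
Layer 3 profiling and posture, each of which may send an RFC 3576 CoA that
forces another Layer 2 authentication. Added example with constructed
policy tables; not Aruba/ClearPass code."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed credential and policy tables (hypothetical).
USERS = {"alice": "correct-horse", "bob": "bob-pass"}   # user -> password
GROUP_ROLE = {"alice": "Employee", "bob": "Employee"}    # identity source -> role
FINGERPRINT_ROLE = {"Apple iPad": "Employee-Tablet"}     # profile -> role override
ENFORCEMENT = {"Employee": "VLAN 10", "Employee-Tablet": "VLAN 20",
               "Quarantine": "VLAN 99"}
POSTURE_REQUIRED_ROLES = {"Employee"}   # policy assumption: only these need posture


@dataclass
class Session:
    mac: str
    user: str
    role: str = "[none]"
    enforcement: str = "Access-Reject"
    fingerprint: Optional[str] = None   # last Layer 3 profile classification
    healthy: Optional[bool] = None      # last OnGuard posture result
    coa_messages: int = 0               # RFC 3576 messages sent so far
    auth_rounds: int = 0                # Layer 2 authentications performed
    log: list = field(default_factory=list)


def derive_role(s: Session) -> str:
    """Role derivation: posture outcome first, then profile, then group."""
    if s.healthy is False:
        return "Quarantine"
    if s.fingerprint in FINGERPRINT_ROLE:
        return FINGERPRINT_ROLE[s.fingerprint]
    return GROUP_ROLE.get(s.user, "[none]")


def layer2_auth(s: Session, password: str) -> bool:
    """Layer 2: authenticate, authorize, derive the role, enforce on the NAS."""
    s.auth_rounds += 1
    if USERS.get(s.user) != password:
        s.role, s.enforcement = "[none]", "Access-Reject"
        s.log.append("L2 reject")
        return False
    s.role = derive_role(s)
    s.enforcement = ENFORCEMENT.get(s.role, "Access-Reject")
    s.log.append(f"L2 accept role={s.role} enforce={s.enforcement}")
    return True


def send_coa(s: Session, password: str, reason: str) -> None:
    """RFC 3576 CoA: the NAS re-authenticates the client, so Layer 2 runs again."""
    s.coa_messages += 1
    s.log.append(f"CoA ({reason})")
    layer2_auth(s, password)


def layer3_profile(s: Session, password: str, observed: str) -> bool:
    """Layer 3 profiling (e.g. from DHCP). Returns True if a CoA was sent.
    No RFC 3576 message unless the fingerprint changes."""
    if observed == s.fingerprint:
        s.log.append("profile unchanged")
        return False
    s.fingerprint = observed
    send_coa(s, password, f"fingerprint -> {observed}")
    return True


def layer3_posture(s: Session, password: str, healthy: bool) -> bool:
    """Layer 3 posture (OnGuard over HTTPS). CoA only where policy demands it:
    a posture-required role turning unhealthy, or a quarantined client
    becoming healthy again (policy assumption)."""
    previous = s.healthy
    s.healthy = healthy
    needs_coa = (s.role in POSTURE_REQUIRED_ROLES and not healthy) or \
                (previous is False and healthy)
    if needs_coa:
        send_coa(s, password, f"posture healthy={healthy}")
    return needs_coa


def run_scenario() -> Session:
    """Constructed walk-through: one user, one profile change, one repeat."""
    s = Session(mac="00:11:22:33:44:55", user="alice")
    layer2_auth(s, "correct-horse")
    layer3_profile(s, "correct-horse", "Apple iPad")   # fingerprint changes: CoA
    layer3_profile(s, "correct-horse", "Apple iPad")   # same fingerprint: no CoA
    return s


if __name__ == "__main__":
    for line in run_scenario().log:
        print(line)
```

The point to take from the simulation is the count of Layer 2 rounds: a client whose profile settles quickly pays for one extra authentication, whereas a profile that flaps between two fingerprints would pay for one on every flip, so a "profile changed" enforcement should be written against a stable attribute.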
Controlling Access: A world of possibilities!
• Time-based access
• Asset tracking database
• Location-based roles
• MDM
• Aruba Activate
• LogDB
• Endpoints repository
• Profile information
• Domain user groups
• Static host list
Why does it matter?
Authorization – What and Why?
• Authentication vs. Authorization
• Authorization & ClearPass
• Use cases
Authorization & ClearPass
• "Authorization" sources in ClearPass
  – Where do I find them?
  – How do I use them?
  – How often does ClearPass talk to an authorization source?
  – What happens in case something goes wrong?
Authorization Sources – Where?
• An "Authentication Source" is an "Authorization Source"
  – RADIUS server vs. policy server
Authorization Sources – How?
• Authentication sources are automatic authorization sources
• Additional authorization sources are enabled per service
• No authorization unless used in roles!
Authorization Sources – How?
• Authorize with Active Directory
• Authorize with profile data
• Rule algorithm: Evaluate All
Use Cases – Mergers & Acquisitions
• Active Directory domain – avendasys.com
• Active Directory domain – arubanetworks.com
Use Cases – Certificates & TLS
• Authentication & authorization sources for TLS
• Certificate details used for authorization
• Enable authorization – source specified in the service
• Compare certificate – source specified in the service
Use Cases – Asset Databases
• LDAP/SQL interface to asset databases
  – Key: MAC address
  – Authorization attributes
    • Ownership – corporate vs. personal
    • Compliance status – in/out of compliance
  – Identify corporate-owned non-Windows devices
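The "Authorization Sources – How?" slides and the asset-database use case describe one mechanism: attributes pulled from several sources (the identity source, profile data, an asset database keyed by MAC), role-mapping rules over those attributes, a rule algorithm (Evaluate All versus first match), a source that is only contacted when a rule references it, and some defined behaviour when a source is unreachable. The following is an added example that models that mechanism; it is not ClearPass code, and the source records, rules and enforcement names are constructed.

```python
"""Role mapping over several authorization sources. Added example with
constructed data; not ClearPass code. Shows lazy source lookup (a source is
queried only when a rule needs it), "evaluate-all" vs "first-match" rule
algorithms, and fail-closed handling of an unreachable source."""
from typing import Callable, Dict, List, Tuple


class SourceUnavailable(Exception):
    """Raised when an authorization source cannot be reached."""


# Constructed authorization sources (hypothetical records).
AD = {"alice": {"memberOf": ["Staff", "Finance"]},
      "bob": {"memberOf": ["Contractors"]}}
ASSET_DB = {"00:11:22:33:44:55": {"Ownership": "Corporate", "Compliance": "In"},
            "aa:bb:cc:dd:ee:ff": {"Ownership": "Personal", "Compliance": "Out"}}
ENDPOINTS = {"00:11:22:33:44:55": {"Category": "Computer", "OS Family": "Mac OS X"},
             "aa:bb:cc:dd:ee:ff": {"Category": "SmartDevice", "OS Family": "Apple iOS"}}

# Each source is a callable taking the request and returning its attributes.
SOURCES: Dict[str, Callable[[dict], dict]] = {
    "AD":        lambda req: AD.get(req["user"], {}),
    "AssetDB":   lambda req: ASSET_DB.get(req["mac"], {}),
    "Endpoints": lambda req: ENDPOINTS.get(req["mac"], {}),
}


def unreachable_source(req: dict) -> dict:
    """Stand-in for a source whose LDAP/SQL connection is down."""
    raise SourceUnavailable("connection refused")


# Role-mapping rules: (source, attribute, predicate on the value, role).
Rule = Tuple[str, str, Callable, str]
RULES: List[Rule] = [
    ("AD",        "memberOf",   lambda v: "Staff" in v,       "Employee"),
    ("AD",        "memberOf",   lambda v: "Contractors" in v, "Contractor"),
    ("AssetDB",   "Ownership",  lambda v: v == "Corporate",   "Corporate-Device"),
    ("AssetDB",   "Compliance", lambda v: v == "Out",         "Non-Compliant"),
    ("Endpoints", "Category",   lambda v: v == "SmartDevice", "Mobile"),
]


def map_roles(request: dict, rules: List[Rule] = RULES,
              sources: Dict[str, Callable] = SOURCES,
              algorithm: str = "evaluate-all",
              default: str = "[Guest]") -> Tuple[List[str], List[str], List[str]]:
    """Return (roles, sources_queried, sources_failed)."""
    fetched: Dict[str, dict] = {}
    failed: List[str] = []
    roles: List[str] = []
    for source, attr, predicate, role in rules:
        if source not in fetched:          # lazy: query only when a rule needs it
            try:
                fetched[source] = sources[source](request)
            except SourceUnavailable:
                fetched[source] = {}       # fail closed: no attributes, no match
                failed.append(source)
        value = fetched[source].get(attr)
        if value is not None and predicate(value):
            roles.append(role)
            if algorithm == "first-match":
                break
    return (roles or [default]), sorted(fetched), failed


def select_enforcement(roles: List[str]) -> str:
    """Pick one enforcement profile from the mapped roles, most restrictive first."""
    if "Non-Compliant" in roles:
        return "Quarantine-VLAN"
    if "Employee" in roles and "Corporate-Device" in roles:
        return "Full-Access"
    if "Employee" in roles or "Contractor" in roles:
        return "Restricted-Access"
    return "Guest-Portal"


if __name__ == "__main__":
    req = {"user": "alice", "mac": "00:11:22:33:44:55"}
    roles, queried, failed = map_roles(req)
    print(roles, queried, failed, select_enforcement(roles))
```

Two things the model makes visible: with Evaluate All, a device can legitimately carry several roles at once and the enforcement policy must rank them, and an unreachable asset database silently removes a role rather than producing an error, so a user who should have had Full-Access lands in Restricted-Access. Monitoring the failed-source list is how that second case is caught.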
Profile – How does it work?
• Profile & network data
• Automatic profile "upgrades"
• Using profile data in policy
• Configuring Profile – DHCP? HTTP? SNMP?
• Use cases
Profile & Network Data
• What does ClearPass use to profile?
  – MAC OUIs
  – DHCP Request, DHCP Offer
  – HTTP User-Agent
  – MDM fingerprints
  – Device interrogation
  – SNMP/CDP/LLDP data
Fingerprint Updates
• Subscribe to fingerprint updates
  – Automatic reclassification
  – Updated frequently
• Tell Aruba!
  – Create policy exceptions
  – Grab fingerprints from the UI
  – Send fingerprints to Aruba
  – Crowd-sourced, community oriented
Using Profile Data in Policy
• Automatic 3-level categorization
  – Device Category, OS Family, Device Name
• Using raw profile data
  – DHCP data, HTTP User-Agent, SNMP data
• Role mapping
  – What should I use?
• Enforcement
  – How do I enforce?
  – What are the benefits?
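To make the 3-level categorization and the "automatic upgrade" concrete, here is an added example (not Aruba's profiler or its fingerprint database) that classifies an endpoint into Device Category, OS Family and Device Name from the raw data the slides list: MAC OUI, DHCP vendor class or parameter request list, and HTTP User-Agent. More specific evidence wins, and a later observation only reclassifies the device when it is at least as specific and actually changes the result. The OUI prefix, the DHCP fingerprints and the User-Agent patterns are constructed samples; the OUI entry in particular is not a real IEEE assignment.

```python
"""Three-level device categorization from MAC OUI, DHCP data and HTTP
User-Agent, with reclassification rules. Added example; fingerprint tables
are constructed samples, not Aruba's database (the OUI is not a real
vendor assignment)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Profile:
    category: str      # Device Category
    os_family: str     # OS Family
    device_name: str   # Device Name
    source: str        # evidence that produced this classification
    rank: int          # higher = more specific evidence


UNKNOWN = Profile("Unknown", "Unknown", "Unknown", "none", 0)

# Constructed OUI table (hypothetical prefix, NOT a real vendor assignment).
OUI_DB = {"00:11:22": ("Computer", "ExampleCo", "ExampleCo Device")}

# Constructed DHCP fingerprints: option 60 vendor class, option 55 parameter list.
DHCP_VENDOR_DB = {"MSFT 5.0": ("Computer", "Windows", "Windows")}
DHCP_PARAM_DB = {"1,3,6,15,119,252": ("SmartDevice", "Apple iOS", "Apple iOS Device")}

# Constructed HTTP User-Agent patterns: (regex, category, OS family, name).
UA_DB = [
    (re.compile(r"\biPad\b"),   "SmartDevice", "Apple iOS", "Apple iPad"),
    (re.compile(r"\biPhone\b"), "SmartDevice", "Apple iOS", "Apple iPhone"),
    (re.compile(r"Windows NT"), "Computer",    "Windows",   "Windows PC"),
]


def from_oui(mac: str) -> Optional[Profile]:
    """Weakest evidence: vendor prefix of the MAC address."""
    prefix = mac.upper().replace("-", ":")[:8]
    hit = OUI_DB.get(prefix)
    return Profile(*hit, "oui", 1) if hit else None


def from_dhcp(vendor_class: Optional[str] = None,
              param_list: Optional[str] = None) -> Optional[Profile]:
    """DHCP Request data seen via a relay; better than OUI, worse than HTTP."""
    hit = DHCP_VENDOR_DB.get(vendor_class) or DHCP_PARAM_DB.get(param_list)
    return Profile(*hit, "dhcp", 2) if hit else None


def from_user_agent(ua: str) -> Optional[Profile]:
    """Most specific evidence: the User-Agent seen at the captive portal."""
    for pattern, category, family, name in UA_DB:
        if pattern.search(ua):
            return Profile(category, family, name, "http", 3)
    return None


def classify(mac: str, vendor_class: Optional[str] = None,
             param_list: Optional[str] = None,
             user_agent: Optional[str] = None) -> Profile:
    """Combine all evidence available at once, preferring the most specific."""
    candidates = [from_oui(mac), from_dhcp(vendor_class, param_list),
                  from_user_agent(user_agent) if user_agent else None]
    return max((c for c in candidates if c), key=lambda p: p.rank, default=UNKNOWN)


def reclassify(current: Profile, new_evidence: Optional[Profile]) -> Tuple[Profile, bool]:
    """Automatic 'upgrade': adopt new evidence only if it is at least as
    specific as what we have and changes the 3-level result.
    Returns (profile, changed); 'changed' is what would trigger a CoA."""
    if new_evidence is None or new_evidence.rank < current.rank:
        return current, False
    same = (new_evidence.category, new_evidence.os_family, new_evidence.device_name) == \
           (current.category, current.os_family, current.device_name)
    return (current, False) if same else (new_evidence, True)


if __name__ == "__main__":
    p = classify("00:11:22:33:44:55", param_list="1,3,6,15,119,252")
    ua = "Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X) AppleWebKit/536.26"
    print(p, reclassify(p, from_user_agent(ua)))
```

The rank ordering is the design decision worth discussing: OUI alone says who made the network interface, not what the device is, so a policy keyed on Device Category should be written against the DHCP- or HTTP-derived classification, and the downgrade guard in reclassify stops a later OUI-only observation from undoing a better one.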
Configuring Profile – Network Considerations
• DHCP relay
  – Where should I set up DHCP relays?
• Captive portal configuration
  – Is there a knob for this?
• Reading SNMP data
  – CDP
  – LLDP
  – HR MIB
  – SysDescr MIB
Use Cases
• Policy – CEOs & iPads
• Policy – "headless" devices
• Visibility – demystifying BYODs
Use Cases – CEOs & iPads
• Assign roles
• Enforce access
Use Cases – Headless Devices
• Identify and assign roles to headless devices
Use Cases – Visibility
The ClearPass Solution
Pillars: Workflow Automation, App Security, Consolidated Visibility/Policy
• Onboarding, registration
• Profile-based app distribution
• Guest management
• Device profiling
• User and device role-mapping
• MDM integration
• Per-session tracking
• Mobile app management
• Encryption, VPN services
All things network, device and app management!
ClearPass Summary
• Complete multivendor solution on your existing network
• Designed to support IT-managed and BYOD use cases
• Highly flexible self-service and workflow automation portals
Q & A
Thank You!