Breakout - Airheads Macau 2013 - ClearPass Access Management Basics

ClearPass Access Management Basics Carlos Gomez Gallego

Ashwath Murthy

ClearPass Basics Controlling Access Advanced Features !

Agenda

Why ClearPass?!

IT Centric!

LAN/VPN!MS Enterprise!apps!

Mainly Windows!

User Centric!

Multiple!platforms!

Personaldevices!

Mobile!apps!

Web!Apps!

Collaboration!services!

One size no longer fits all….!

ClearPass Core Solution Components!

Policy

• Security • Usage

Workflow

• Automation • Provisioning

• Consolidation • Troubleshooting

Visibility

ClearPass Enables New Workflows!

•  Offload IT Services •  Guest access –  Sponsors, self-service portals. –  One time login –  IT controlled guest privileges.

•  Secure device onboarding –  Automatic device identification. –  One time user registration –  Provisioning of 802.1X settings, certificates.

•  Device/App management – Centralized distribution and policies – Automatic updates

Device Visibility!

–  Works across multi vendor networks –  Uses multiple active and passive techniques for high accuracy –  Device fingerprints updated automatically over the web –  Use device visibility to trigger a workflow, quarantine a device or grant

network access

Network Policies Based on Context

Policy Example

Use context from ClearPass & external sources to set network policy

• Application installed

• blacklisted

• Device Profile • OS version • Endpoint health • Jailbreak status • Pincode/encryption

• Location • Trusted or

untrusted network

• Time/Date • eg. in semester

• User/group membership

Guest Access!

ClearPass Basics!

•  Guest Accounts •  Self generated access •  Sponsor controlled access •  Differentiated guest access

Who is a Guest?

ClearPass Basics!

Automated Guest Onboarding

Access Network

2. Sponsor prompted to confirm that guest is valid

ClearPass Policy Manager

Account enabled, visitor notified via

screen, SMS, or email Visitor Registers for access, email sent to sponsor

New Visitor

Sponsor

Controlling Access!

Enterprise Grade RADIUS

and TACACS

ClearPass Platform!

Authentication and Authorization

Controlling Access!

What’s the flow?

Authenticate • Valid Authentication

Authorize • Find Out What’s Allowed

Associate Context

• Device, Time, Location, Posture

Enforce on NAS

• Roles, ACLs, VLANs

Service Flow – 802.1X

Layer 2 RADIUS Request

Layer 2 Authentication

Layer 2 Authorization

Layer 2 Role

Derivation

Layer 2 RADIUS

Enforcement

Layer 3 Profile

Layer 2 NAP

Layer 3 OnGuard

•  Layer 2 Authentications are completed first –  Full Authorization –  Role Derivation –  NAP (if enabled) –  Layer 2 Enforcement

•  Layer 3 : Profile next –  DHCP Request, DHCP Offer –  RFC 3576 – Change of Authorization •  Another Layer 2 authentication!

–  No RFC 3576 message if “fingerprint” does not change

•  Layer 3 : Collect Posture last (OnGuard) –  Posture over HTTPS –  RFC 3576 based on policy •  Another Layer 2 authentication!

Service Flow – Implications

Controlling Access!

A world of possibilities!!

Time Based Access!

Asset Tracking Database!

Location Based Roles!

Aruba Activate!

LogDB!Endpoints Repository!

Profile Information!

Domain User Groups!

Static Host List!

Why does it matter

Controlling Access!

Authorization – What and Why?

•  Authentication vs. Authorization •  Authorization & ClearPass •  Use Cases

Authorization – What and Why?

Authorization & ClearPass

•  “Authorization” Sources in ClearPass –  Where do I find them? –  How do I use them? –  How often does ClearPass talk to an authorization source? –  What happens in case something goes wrong?

•  An “Authentication Source” is an “Authorization Source” –  RADIUS Server vs. Policy Server

Authorization Sources – Where?

Authorization Sources – How?

Authentication Sources are automatic Authorization Sources

Additional Authorization Sources enabled per Service

No Authorization unless used in Roles!

Authorization Sources – How?

Authorize with Active Directory

Authorize with Profile Data

Rule Algorithm : Evaluate All

Use Cases – Mergers & Acquisitions

Active Directory Domain – avendasys.com

Active Directory Domain – arubanetworks.com

Authentication & Authorization Sources for TLS

Certificate Details used for Authorization

Enable Authorization – Source specified in the Service

Compare Certificate – Source specified in the Service

Use Cases – Certificates & TLS

•  LDAP/SQL Interface to Asset Databases –  Key : MAC Address –  Authorization Attributes •  Ownership – Corporate vs. Personal •  Compliance Status – In/Out of compliance

–  Identify corporate-owned non-Windows devices

Use Cases – Asset Databases

Profile – How does it work?

•  Profile & Network Data •  Automatic Profile “upgrades” •  Using Profile data in policy •  Configuring Profile –  DHCP? HTTP? SNMP?

•  Use Cases

Profile – How does it work?

•  What does ClearPass use to profile? –  MAC OUIs –  DHCP Request, DHCP Offer –  HTTP User-Agent –  MDM Fingerprints –  Device Interrogation –  SNMP/CDP/LLDP Data

Profile & Network Data

Fingerprint Updates

•  Subscribe to Fingerprint Updates –  Automatic reclassification –  Updated frequently

•  Tell Aruba! –  Create policy exceptions –  Grab fingerprints from UI –  Send fingerprints to Aruba –  Crowd-sourced, community oriented

•  Automatic 3-level categorization –  Device Category, OS Family, Device Name

•  Using raw profile data –  DHCP Data, HTTP User-Agent, SNMP Data

•  Role Mapping –  What should I use?

•  Enforcement –  How do I enforce? –  What are the benefits?

Using Profile data in policy

•  DHCP Relay –  Where should I setup DHCP relays?

•  Captive Portal Configuration –  Is there a knob for this?

•  Reading SNMP Data –  CDP –  LLDP –  HR MIB –  SysDescr MIB

Configuring Profile – Network Considerations

•  Policy – CEOs & iPads •  Policy – “Headless” Devices •  Visibility – Demystifying BYODs

Use Cases

Use Cases – CEOs & iPads

Assign Roles

Enforce Access

Use Cases – Headless Devices

Identify & Assign Roles To Headless Devices

Use Cases – Visibility

The ClearPass Solution

Workflow!Automation!

App Security!

Onboarding, Registra0on

Profile-‐based App Distribu0on

Guest Management

ConsolidatedVisibility/Policy!

Device Profiling

User, Device Role-‐mapping

Integra0on Per Session Tracking

Mobile App Management

Encryp0on, VPN Services

All things Network, Device and App Management!

ClearPass Summary

Complete Multivendor Solution on your existing network

Designed to Support IT-Managed and BYOD Use Cases

Highly flexible Self Service and Workflow automation portals

Q & A!

Thank You!

Breakout - Airheads Macau 2013 - ClearPass Access Management Basics

Business

Transcript of Breakout - Airheads Macau 2013 - ClearPass Access Management Basics

Breakout - Airheads Macau 2013 - Top 10 Tips from Aruba TAC

Breakout - Airheads Macau 2013 - Unified Access: Deploying Mobility Access Switches & Instant

ClearPass 6.5.0 Release Notes - Home - Airheads …community.arubanetworks.com/.../1/ClearPass_6.5.0_ReleaseNotes.pdf · Release Notes. ... InternationalTelephones arubanetworks.com/support-services/support-program/contact-support

ClearPass Welcome Home! - Airheads Communitycommunity.arubanetworks.com/aruba/attachments/aruba...ClearPass Exchange provides context-sharing and integration of ClearPass services

University of Ottawa iPad Deployment - Airheads …community.arubanetworks.com/aruba/attachments/aruba/Chinese/367/1...– SSO support for SAML 2.0 (Service Provider), ... ClearPass-Supported

Spectralink airheads 2013

ClearPassGuest 6.1 RN - Airheads Communitycommunity.arubanetworks.com/.../761/1/ClearPass_6.1_RN.pdfSAML Service Provider Support ... please refer to ... You can upgrade to ClearPass

2a. Aruba Airheads Meet Up Nov 14th 2018 - SD-Branch Deep Dive … · 2018-11-23 · 3 ClearPass 4 Roles snooped by GW All traffic goes through the firewall > 5 Micro-Segmentation

Aruba ClearPass

_x0001_ - Airheads Community · Web viewPACKETSHAPER ADMIN ACCESS USING RADIUS WITH CLEARPASS In this article I’ll try to explain how we can do radius authentication for administrator

ClearPass 6.5.0 Release Notes - Airheads Community · 2015-02-22 · 6|AboutClearPass6.5.0 ClearPass6.5.0|ReleaseNotes ContactingSupport MainSite arubanetworks.com SupportSite support.arubanetworks.com

APJ Workshop Lab-draft-20130514 - Airheads Community€¦ · Workshop Aruba 802.1X Wireless Enforcement Policy", Add/Edit rules as below: ClearPass 6.1 2013Q4 Partner Training Workshop

ClearPass 6.3.6 Release Notes - Airheads Communitycommunity.arubanetworks.com/aruba/attachments/... · Documentation 40 Guest 40 MDM 40 OnGuard 41 Fixedin6.3.2 41 PolicyManager 41

ARUBA CLEARPASS DEVICE INSIGHT - BKM · Ensures Secure Access via seamless integration with ClearPass Policy Manager. ... NETWORK ACCESS • ClearPass ARUBA INFRASTRUCTURE • Controller

ClearPass Guest Deployment Guide - Airheads Community · Troubleshooting802.1XArubaConfigurationIssues 129 ActiveDirectoryAuthenticationSourceConfigurationIssues 129 MobilityControllerConfigurationIssues

Breakout - Airheads Macau 2013 - BYOD, MDM, and MAM

A ClearPass Policy Manager Application · 2013. 9. 2. · Aruba ClearPass Onboard Aruba Data Sheet ClearPass OnbOard A ClearPass Policy Manager Application ClearPass Onboard automatically

Tech Note: ClearPass Profiling TechNote - Airheads Community · INFORM to CPPM (DHCP Relay/ IP-Helper). These DHCP packets are decoded by CPPM to arrive at the device category, family,

ClearPass Certificates 101 - Airheads Community · ClearPass(Version(6.x( ( Tech(Note:(ClearPass(Certificates(101–(V1(Aruba(Networks(6!Overview* Scope* Thefollowingguidehasbeenproducedto

ClearPass Series CP1000-R - Turnstilesturnstiles.us/Controlled_Access/ClearPass/TURNSTILES US - ClearPass... · ClearPass Series CP1000-R Service & Installation Manual ... The primary