Access Management with Aruba ClearPass


description

Access Management with Aruba ClearPass presentation from our Airheads Local event.

Transcript of Access Management with Aruba ClearPass

Page 1: Access Management with Aruba ClearPass

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

Access Management with Aruba ClearPass

Seth Fiermonti

June 2014

Page 2: Access Management with Aruba ClearPass


Agenda

• Introductions & Expectations

• What is ClearPass

• ClearPass – Policy Model

• Authorization – What and Why

• Profile – How does it work

• Clustering & Deployment

• Q & A

Page 3: Access Management with Aruba ClearPass

ClearPass Overview

Page 4: Access Management with Aruba ClearPass

Evolving IT Landscape

IT centric:

• Windows

• Fixed environment

• Wired network

• IT managed

• Slow refresh

User centric, self service:

• Multiple platforms

• Work from anywhere

• Wired, Wi-Fi, cellular

• Selection of devices & apps

• User timeframes

Page 5: Access Management with Aruba ClearPass

The ClearPass Solution

Comprehensive Solutions Architecture, in three areas:

Policy:

• Role-based enforcement

• Health/posture checks

• Device and app

Visibility:

• Device profiling

• Troubleshooting

• Per-session tracking

Workflow:

• Onboarding, registration

• Guest management

• MDM integration

Page 6: Access Management with Aruba ClearPass

The ClearPass Access Security Platform

ClearPass Policy Manager: AAA services, ONE ID, policy engine

• Enterprise-class AAA: RADIUS, TACACS+

• Differentiated access for guests and employees

• Unified policies across multivendor networks (wired, wireless, VPN)

• Device visibility

Policy services:

• OnGuard: posture & health checks

• Onboard: device provisioning

• Guest: visitor management

Integrations: identity stores, 3rd-party MDM, app servers

Page 7: Access Management with Aruba ClearPass

Context-Based Access Control

• Differentiated access: role, device type, access method (wired, Wi-Fi, VPN)

• Policy-based AAA services

– Support for 802.1X, MAC and web (HTTPS) authentication

– Communicate with network devices via RADIUS, RADIUS CoA, TACACS+, SNMP

– Ability to read from multiple identity stores (AD, LDAP, SQL, Kerberos, token server, etc.)

– Enforcement options: allow/deny, VLAN, ACL, dACL, URL redirect, SNMP

• Contextual policy elements: time, location, group, OS version, project

Page 8: Access Management with Aruba ClearPass

Platform Features – Out of the box

• Multivendor DNA: wired, WLAN, VPN

• Core authentication: AAA, LDAP, AD, Kerberos, token, SQL, MAC, 802.1X, TACACS+, HTTPS, SSO (SAML, Okta)

• Integrated profiling: device profiling across wired & wireless; profile data is used directly in authorization policy

Page 9: Access Management with Aruba ClearPass

ClearPass Core Services

• MDM integration: leverage information gained from MDM vendors for profiling and to influence policy

• TACACS+ server: replace legacy ACS solutions

• Context-aware authorization: device type, user, time, location, posture; layer multiple conditions for policy derivation

Page 10: Access Management with Aruba ClearPass

Platform Features – Out of the box

• Scale with clustering: supports 1 million endpoints per cluster; centralized or distributed architecture

• Flexible licensing: perpetual licenses; subscription licenses; 25 free endpoint Enterprise licenses included

• Physical or virtual appliances: sized for a variety of customer needs; the virtual appliance runs on VMware

Page 11: Access Management with Aruba ClearPass

What's in ClearPass 6.3

Integration & Interoperability

• Auto Sign-On for apps: simple network authentication for app login; opens the door to mobile device SSO

• Guest advertising included: customizable by gender, season, location; a larger story in retail, healthcare, entertainment

• Enhanced certificate distribution: 3rd-party MDM solutions can now use the Onboard CA, an alternative to integrating an internal PKI

Page 12: Access Management with Aruba ClearPass

What's in ClearPass 6.3

Integration & Interoperability

• Remote support: set up a secure TAC session with a single click; added because customers asked for it

• SPAN port profiling: any device addressed via DHCP gets profiled, so you get the big picture faster, from one port

• Exchange: built-in tools for integrating third-party systems; data exchange with MDM, helpdesk and SIEM apps made easy

Page 13: Access Management with Aruba ClearPass

ClearPass Auto Sign-On

Only Aruba lets you sign in once and you're good to go

• One login for all web/mobile apps

– Uses the valid network login

• No separate app logins

• Works with IBM, Okta, Ping

• ClearPass as Identity Provider (IdP)

– Uses SAML, not RADIUS

Page 14: Access Management with Aruba ClearPass

ClearPass Exchange

Two-way third-party integration over syslog messages and RESTful APIs

Third-party systems: payment management, patient check-in, helpdesk tickets, MDM solutions, SIEM systems

Example workflow from the diagram:

1. Jail-broken device detected

2. ClearPass denies access to the device

3. Helpdesk ticket auto-generated and message to the device auto-generated

Page 15: Access Management with Aruba ClearPass

ClearPass Policy Model

Page 16: Access Management with Aruba ClearPass


ClearPass Policy Model

• What constitutes the policy model?

• How does it work?

• What are the interactions between various components?

• How does the policy model affect configuration & deployment?

Page 17: Access Management with Aruba ClearPass

ClearPass Policy Model

Policy is derived from four groups of inputs:

• Identity: role, department, group

• Health: AV, AS, FW; registry keys; services…

• Device: device type, status, health; address, O/S; corporate owned

• Conditions: time, location, day of week

Page 18: Access Management with Aruba ClearPass

What's the flow?

• Authenticate: valid authentication

• Authorize: find out what's allowed

• Associate context: device, time, location, posture

• Enforce on the NAS: roles, ACLs, VLANs

Page 19: Access Management with Aruba ClearPass


What Are The Interactions?

RADIUS Server – Authenticate

Policy Server – Authorize

Policy Server – Associate Context

Policy Server – Decision Tree

RADIUS Server – Enforce

Page 20: Access Management with Aruba ClearPass

ClearPass Policy Enforcement

ClearPass uses external context to define granular policies:

• Who: user / role

• What: device fingerprint, OS version, health checks, jailbreak status

• Where: location, trusted or untrusted network

• When: time, date

• How: wired, Wi-Fi, VPN enforcement

Enforcement actions: permit/deny, whitelist/blacklist, remediate, quarantine, redirect, role-based security, bandwidth management, optimized multimedia

Page 21: Access Management with Aruba ClearPass

Service Flow – 802.1X

1. Layer 2: RADIUS request

2. Layer 2: authentication

3. Layer 2: authorization

4. Layer 2: role derivation

5. Layer 2: NAP (if enabled)

6. Layer 2: RADIUS enforcement

7. Layer 3: Profile

8. Layer 3: OnGuard

Page 22: Access Management with Aruba ClearPass

Service Flow – Implications

• Layer 2 authentication is completed first

– Full authorization

– Role derivation

– NAP (if enabled)

– Layer 2 enforcement

• Layer 3: Profile next

– DHCP Request, DHCP Offer

– RFC 3576 Change of Authorization (since superseded by RFC 5176, which keeps the same packet formats), which triggers another Layer 2 authentication!

– No RFC 3576 message is sent if the device "fingerprint" does not change

• Layer 3: collect posture last (OnGuard)

– Posture is sent over HTTPS

– RFC 3576 message based on policy, which again triggers another Layer 2 authentication!

A single device joining the network can therefore be authenticated up to three times in quick succession, which matters for sizing and when reading the access tracker.
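The profile and posture steps above both end in an RFC 3576 Change of Authorization. What follows is an added example, not ClearPass or ArubaOS code, showing both sides of that exchange in Python: the policy server builds a CoA-Request that moves an existing session to a new role, and the NAS validates the Request Authenticator, looks the session up by Calling-Station-Id and answers CoA-ACK or CoA-NAK. The shared secret, MAC addresses and session table are constructed; Filter-Id stands in for the vendor role attribute (an Aruba deployment would carry the role in the Aruba-User-Role VSA), and packets are built in memory rather than sent over UDP port 3799.

```python
"""RFC 3576 Change-of-Authorization exchange: policy-server side builds the
CoA-Request, NAS side validates it and answers CoA-ACK / CoA-NAK.

Added example, not ClearPass or ArubaOS code. The shared secret, session
table and MAC addresses are constructed for illustration.
"""
import hashlib
import hmac
import struct

# Packet codes from RFC 3576 (unchanged in RFC 5176).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used here: standard RADIUS types plus Error-Cause (RFC 3576).
ATTR = {"Filter-Id": 11, "Calling-Station-Id": 31,
        "Acct-Session-Id": 44, "Error-Cause": 101}
ATTR_NAME = {v: k for k, v in ATTR.items()}
ERR_MISSING_ATTRIBUTE, ERR_SESSION_NOT_FOUND = 402, 503

HEADER = struct.Struct("!BBH")            # Code, Identifier, Length
SECRET = b"constructed-shared-secret"     # constructed; use one secret per NAS


def encode_attrs(attrs):
    """Serialise (name, value) pairs as RADIUS Type-Length-Value attributes."""
    out = b""
    for name, value in attrs:
        raw = struct.pack("!I", value) if isinstance(value, int) else value.encode()
        if len(raw) > 253:
            raise ValueError("attribute value too long for one AVP")
        out += struct.pack("!BB", ATTR[name], 2 + len(raw)) + raw
    return out


def decode_attrs(data):
    """Parse TLV attributes, rejecting lengths that would run past the buffer."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((ATTR_NAME.get(atype, atype), data[2:alen]))
        data = data[alen:]
    return attrs


def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def request_valid(packet, secret):
    """NAS check: a bad Length or Request Authenticator means silent discard."""
    if len(packet) < 20 or HEADER.unpack(packet[:4])[2] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+attrs+secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def response_valid(response, request, secret):
    """Policy-server check: identifier must match and the authenticator must verify."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def nas_handle(packet, secret, sessions):
    """NAS side. `sessions` maps Calling-Station-Id -> live session state."""
    if not request_valid(packet, secret):
        return None                          # silently discarded, per RFC 3576
    attrs = dict(decode_attrs(packet[20:]))
    key = attrs.get("Calling-Station-Id", b"").decode()
    if key not in sessions:
        nak = COA_NAK if packet[0] == COA_REQUEST else DISCONNECT_NAK
        return build_response(nak, packet, [("Error-Cause", ERR_SESSION_NOT_FOUND)], secret)
    if packet[0] == DISCONNECT_REQUEST:
        del sessions[key]
        return build_response(DISCONNECT_ACK, packet, [], secret)
    if "Filter-Id" not in attrs:
        return build_response(COA_NAK, packet, [("Error-Cause", ERR_MISSING_ATTRIBUTE)], secret)
    sessions[key]["Filter-Id"] = attrs["Filter-Id"].decode()   # new role applied
    return build_response(COA_ACK, packet, [], secret)


def demo():
    """Posture fails after the device is already online: move it to quarantine."""
    sessions = {"3c:07:54:aa:bb:cc": {"Acct-Session-Id": "0000002A", "Filter-Id": "employee"}}
    coa = build_request(COA_REQUEST, 7, [("Calling-Station-Id", "3c:07:54:aa:bb:cc"),
                                         ("Acct-Session-Id", "0000002A"),
                                         ("Filter-Id", "quarantine")], SECRET)
    reply = nas_handle(coa, SECRET, sessions)
    return reply[0], response_valid(reply, coa, SECRET), sessions["3c:07:54:aa:bb:cc"]["Filter-Id"]
```

The two checks that matter operationally are on the NAS: anything with a wrong Length or a Request Authenticator that does not verify under the shared secret is dropped without a reply, so a CoA from a host that does not know the secret cannot move or disconnect a session, and a request for a session the NAS no longer has gets a NAK with Error-Cause 503 rather than a silent success. On the ClearPass side the identifier and Response Authenticator check is what tells you the ACK really came from that NAS for that request.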

Page 23: Access Management with Aruba ClearPass

Authorization – What and Why

Page 24: Access Management with Aruba ClearPass


Authorization – What and Why?

• Authentication vs. Authorization

• Authorization & ClearPass

• Use Cases

Page 25: Access Management with Aruba ClearPass

Authorization & ClearPass

• "Authorization" sources in ClearPass

– Where do I find them?

– How do I use them?

– How often does ClearPass talk to an authorization source?

– What happens in case something goes wrong?

Page 26: Access Management with Aruba ClearPass

Authorization Sources – Where?

• An "Authentication Source" is also an "Authorization Source"

– The RADIUS server authenticates against it; the Policy Server reads authorization attributes from it

Page 27: Access Management with Aruba ClearPass

Authorization Sources – How?

• Authentication sources are automatically authorization sources

• Additional authorization sources are enabled per Service

• No authorization takes place unless the fetched attributes are actually used in role mapping (Roles)!

Page 28: Access Management with Aruba ClearPass

Authorization Sources – How?

Example role-mapping policy (screenshots in the original deck):

• Authorize with Active Directory

• Authorize with Profile data

• Rule algorithm: Evaluate All (every rule whose condition holds contributes its role, instead of stopping at the first match)

Page 29: Access Management with Aruba ClearPass

Authorization – How?

• OK, great. But will ClearPass flood my AD with authorization requests?

– Authorization data is cached per user

– A new request is made to fetch the data once the cache expires

– Cache timers can be tuned

Cache timeout default: 10 hours

Page 30: Access Management with Aruba ClearPass

Authorization – How?

• Got it. But I just made a bunch of changes in my AD. Do I need to wait 10 hours?

– Tune the cache timers

– "Clear Cache" button on the Authentication Source: wipes out the cache for all users

– "Save" button on the Authentication Source: also wipes out the cache for all users

– Restart the Policy Server: BAD IDEA!!! It drops the cache too, but also interrupts every authentication that node is serving

Page 31: Access Management with Aruba ClearPass

Authorization – Uh-Oh!

• If an Authentication/Authorization Source is not reachable

– Configure backup servers

– Configure the fail-over timeout

Page 32: Access Management with Aruba ClearPass

Use Cases – Mergers & Acquisitions

Two Active Directory domains, avendasys.com and arubanetworks.com, served by a single ClearPass deployment

Page 33: Access Management with Aruba ClearPass

Use Cases – Certificates & TLS

Authentication & authorization sources for EAP-TLS:

• Certificate details are used for authorization

• Enable Authorization: source specified in the Service, so a valid certificate alone is not enough; the identity it carries must still be found in that source

• Compare Certificate: source specified in the Service

Page 34: Access Management with Aruba ClearPass

Use Cases – Asset Databases

• LDAP/SQL interface to asset databases

– Key: MAC address

– Authorization attributes:

• Ownership: corporate vs. personal

• Compliance status: in/out of compliance

– Identify corporate-owned non-Windows devices
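The slides on authorization sources feeding role mapping with Evaluate All, on the per-user authorization cache, and on a SQL asset database keyed by MAC address fit together in one small policy engine. The following is an added example and not ClearPass code; the directory entries, asset rows, group names, role names and enforcement profiles are all made up for illustration, and an in-memory sqlite table stands in for the asset database.

```python
"""Role mapping over several authorization sources, with the 'Evaluate All'
rule algorithm and a per-user authorization cache.

Added example, not ClearPass code. Directory contents, asset rows, group
names, roles and enforcement profiles are constructed for illustration.
"""
import re
import sqlite3
import time

CACHE_TTL = 10 * 3600       # the slide's default cache timeout (10 hours)


def normalize_mac(mac):
    """Canonical aa:bb:cc:dd:ee:ff so 3C-07-54.., 3c07.54.. and 3c:07:54.. hit one row."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class DirectorySource:
    """Stand-in for an AD/LDAP authorization source with the per-user cache."""

    def __init__(self, directory, clock=time.time, ttl=CACHE_TTL):
        self._directory = directory        # constructed: user -> attributes
        self._clock, self._ttl = clock, ttl
        self._cache = {}                   # user -> (expiry, attributes)
        self.backend_lookups = 0           # how often the real directory was hit

    def attributes(self, user):
        entry = self._cache.get(user)
        if entry and entry[0] > self._clock():
            return entry[1]
        self.backend_lookups += 1
        attrs = self._directory.get(user, {})
        self._cache[user] = (self._clock() + self._ttl, attrs)
        return attrs

    def clear_cache(self):
        """The 'Clear Cache' button: forget every user so group changes apply now."""
        self._cache.clear()


class AssetDatabase:
    """SQL asset inventory keyed by MAC address (the 'Asset Databases' use case)."""

    def __init__(self, rows):
        self._db = sqlite3.connect(":memory:")
        self._db.execute("CREATE TABLE assets (mac TEXT PRIMARY KEY, ownership TEXT, compliant INTEGER)")
        self._db.executemany("INSERT INTO assets VALUES (?, ?, ?)",
                             [(normalize_mac(m), owner, int(ok)) for m, owner, ok in rows])

    def attributes(self, mac):
        row = self._db.execute("SELECT ownership, compliant FROM assets WHERE mac = ?",
                               (normalize_mac(mac),)).fetchone()
        return {} if row is None else {"Ownership": row[0], "Compliant": bool(row[1])}


# Role mapping rules. "Evaluate All": every rule whose condition holds adds its
# role, so one request can end up with several roles (unlike "first match").
ROLE_RULES = [
    ("Employee",        lambda c: "CN=Staff" in c.get("memberOf", ())),
    ("Executive",       lambda c: "CN=Executives" in c.get("memberOf", ())),
    ("CorpDevice",      lambda c: c.get("Ownership") == "Corporate"),
    ("iPad",            lambda c: c.get("DeviceName") == "Apple iPad"),
    ("OutOfCompliance", lambda c: c.get("Compliant") is False),
]

# Enforcement policy: ordered, first match wins. Because Evaluate All can hand
# an executive both "Executive" and "OutOfCompliance", the quarantine row must
# come first or the compliance check is silently overridden.
ENFORCEMENT_POLICY = [
    ({"OutOfCompliance"},        {"Filter-Id": "quarantine", "VLAN": 999}),
    ({"Executive", "iPad"},      {"Filter-Id": "exec-mobile", "VLAN": 10}),
    ({"Employee", "CorpDevice"}, {"Filter-Id": "employee", "VLAN": 20}),
    ({"Employee"},               {"Filter-Id": "byod", "VLAN": 30}),
    (set(),                      {"Access": "Reject"}),   # default: deny
]


def authorize(user, mac, profile, directory, assets):
    """Gather context from every source, derive roles, pick the enforcement profile."""
    context = {}
    context.update(directory.attributes(user))
    context.update(assets.attributes(mac))
    context.update(profile)        # e.g. the output of device profiling
    roles = {role for role, holds in ROLE_RULES if holds(context)}
    for required, enforcement in ENFORCEMENT_POLICY:
        if required <= roles:
            return roles, enforcement
    raise AssertionError("unreachable: the last policy row matches everything")


# Constructed sample data.
DIRECTORY = {"ceo": {"memberOf": ["CN=Staff", "CN=Executives"]},
             "bob": {"memberOf": ["CN=Staff"]}}
ASSET_ROWS = [("3C-07-54-AA-BB-CC", "Corporate", True),
              ("0011.2233.4455", "Corporate", False)]


def demo():
    directory, assets = DirectorySource(DIRECTORY), AssetDatabase(ASSET_ROWS)
    return [
        authorize("ceo", "3c:07:54:aa:bb:cc", {"DeviceName": "Apple iPad"}, directory, assets),
        authorize("bob", "00:11:22:33:44:55", {"DeviceName": "Windows 7"}, directory, assets),
        authorize("bob", "de:ad:be:ef:00:01", {}, directory, assets),
        authorize("nobody", "de:ad:be:ef:00:02", {}, directory, assets),
    ]
```

Two things to take from running it: with Evaluate All the CEO's compliant iPad collects four roles and lands on the executive profile, while the same user's out-of-compliance laptop is quarantined only because that row sits above the executive row; and the cache counter shows the directory is queried once per user until the timeout passes or `clear_cache()` is called, which is exactly why a group change in AD does not take effect until then.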

Page 35: Access Management with Aruba ClearPass

Profile – How Does It Work?

Page 36: Access Management with Aruba ClearPass


Profile – How does it work?

• Profile & Network Data

• Automatic Profile “upgrades”

• Using Profile data in policy

• Configuring Profile

– DHCP? HTTP? SNMP?

• Use Cases

Page 37: Access Management with Aruba ClearPass

Profile & Network Data

What does ClearPass use to profile?

– MAC OUIs

– DHCP Request, DHCP Offer

– HTTP User-Agent

– MDM fingerprints

– Device interrogation

– SNMP/CDP/LLDP data

Page 38: Access Management with Aruba ClearPass

Fingerprint Updates

• Subscribe to fingerprint updates

– Automatic reclassification

– Updated frequently

• Tell Aruba!

– Create policy exceptions

– Grab fingerprints from the UI

– Send fingerprints to Aruba

– Crowd-sourced, community oriented

Page 39: Access Management with Aruba ClearPass

Using Profile data in policy

• Automatic 3-level categorization: Device Category, OS Family, Device Name

• Using raw profile data: DHCP data, HTTP User-Agent, SNMP data

• Role mapping: what should I use?

• Enforcement: how do I enforce, and what are the benefits?
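Added example, not ClearPass code (its fingerprint database is proprietary): a toy profiler that turns the evidence listed on the "Profile & Network Data" slide into the three-level classification above, and reports whether re-profiling changed the fingerprint, which is the condition the Service Flow slide gives for sending a CoA. The OUI, DHCP option 55 and User-Agent tables are constructed and tiny.

```python
"""Toy device profiler with the slide's three-level classification
(device category, OS family, device name) built from MAC OUI, DHCP option 55
and HTTP User-Agent evidence.

Added example, not ClearPass code. The OUI, DHCP and User-Agent tables are
constructed and tiny; a real profiler relies on a large, regularly updated
fingerprint database.
"""
import re
from dataclasses import dataclass

# Constructed OUI table: first three octets of the MAC -> NIC vendor.
OUI_VENDOR = {"3c:07:54": "Apple", "00:50:56": "VMware", "b8:27:eb": "Raspberry Pi"}

# Constructed DHCP fingerprints: option 55 Parameter Request List exactly as the
# client sent it -> (device category, OS family).
DHCP_FINGERPRINTS = {
    "1,121,3,6,15,119,252,95,44,46": ("SmartDevice", "Apple iOS"),
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": ("Computer", "Windows"),
    "1,28,2,3,15,6,119,12,44,47,26,121,42": ("Computer", "Linux"),
}

# Constructed HTTP User-Agent patterns -> device name.
USER_AGENT_PATTERNS = [
    (re.compile(r"\biPad\b"), "Apple iPad"),
    (re.compile(r"\biPhone\b"), "Apple iPhone"),
    (re.compile(r"Windows NT 6\.1\b"), "Windows 7"),
    (re.compile(r"Windows NT 10\.0\b"), "Windows 10"),
]


@dataclass
class Profile:
    mac: str
    category: str = "Unknown"
    os_family: str = "Unknown"
    device_name: str = "Unknown"
    confidence: int = 0     # number of independent evidence sources that matched


def normalize_mac(mac):
    """Canonical aa:bb:cc:dd:ee:ff; NAS vendors report MACs in several formats."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def profile_device(mac, dhcp_option55=None, user_agent=None):
    """Classify a device from whatever evidence has been collected so far.

    All three inputs are chosen by the client (the MAC can be spoofed, the DHCP
    options and User-Agent are arbitrary bytes it sends), so the result is
    authorization context, never proof of identity.
    """
    profile = Profile(mac=normalize_mac(mac))
    vendor = OUI_VENDOR.get(profile.mac[:8])
    if vendor:                        # weakest evidence: only the NIC vendor
        profile.device_name = vendor
        profile.confidence += 1
    if dhcp_option55 in DHCP_FINGERPRINTS:
        profile.category, profile.os_family = DHCP_FINGERPRINTS[dhcp_option55]
        profile.confidence += 1
    if user_agent:
        for pattern, name in USER_AGENT_PATTERNS:
            if pattern.search(user_agent):
                profile.device_name = name    # overrides the bare vendor name
                profile.confidence += 1
                break
    return profile


def fingerprint(profile):
    return (profile.category, profile.os_family, profile.device_name)


def fingerprint_changed(before, after):
    """True when re-profiling produced a different classification. Only then is
    a Change of Authorization (and the re-authentication it causes) warranted."""
    return fingerprint(before) != fingerprint(after)
```

A device that is first seen with only its MAC is classified from the OUI alone; once its DHCP request and first HTTP fetch arrive, the profile is "upgraded" and `fingerprint_changed` becomes true, which is the point at which the flow on the Service Flow slide issues a CoA. Because every input is client-controlled, profile data belongs in role mapping as one condition among several (an 802.1X identity, an asset record) and should not on its own grant more than the role a MAC-authenticated device would otherwise get.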

Page 40: Access Management with Aruba ClearPass

Configuring Profile – Network Considerations

• DHCP relay: where should I set up DHCP relays?

• Captive portal configuration: is there a knob for this?

• Reading SNMP data

– CDP

– LLDP

– Host Resources (HR) MIB

– sysDescr (system MIB)

Page 41: Access Management with Aruba ClearPass


Use Cases

• Policy – CEOs & iPads

• Policy – “Headless” Devices

• Visibility – Demystifying BYODs

Page 42: Access Management with Aruba ClearPass

Use Cases – CEOs & iPads

Assign roles, then enforce access (screenshots in the original deck)

Page 43: Access Management with Aruba ClearPass

Use Cases – Headless Devices

Identify headless devices (devices with no user to log in, e.g. printers) and assign roles to them

Page 44: Access Management with Aruba ClearPass


Use Cases – Visibility

Page 45: Access Management with Aruba ClearPass

Clustering & Deployment

Page 46: Access Management with Aruba ClearPass

Clustering & Deployment

• Clustering technology: what's replicated? What's not?

• Deploying ClearPass clusters: considerations

• Operations & maintenance

– What happens when a ClearPass node is down?

– Events & alerts

– Rescue & recovery

Page 47: Access Management with Aruba ClearPass

Clustering Technology

• What's replicated?

– All policy configuration elements

– All audit data

– All identity store data: guest accounts, endpoints, profile data

– Runtime information: authorization status, posture status, roles, connectivity information, NAS details

– Database replication on port 5432 over SSL

– Runtime replication on port 443 over SSL

Page 48: Access Management with Aruba ClearPass


Clustering Technology

• What’s not replicated?

– Log files

– Authentication Records

– Accounting Records

– System Events

– System Monitor Data

Page 49: Access Management with Aruba ClearPass

Clustering – Considerations

• How do they connect?

– Requires bi-directional IP connectivity between nodes on:

• Port 5432 (database over SSL)

• Port 80 (HTTP)

• Port 443 (HTTPS)

• Port 123 (NTP)

• How much data should we expect to see crossing the wire?

– Only elements in the configuration database

– First sync is a full database copy

– Subsequent syncs propagate delta changes only

Page 50: Access Management with Aruba ClearPass

Clustering – Considerations

Hub & spoke (diagram in the original deck)

Page 51: Access Management with Aruba ClearPass

Clustering – Considerations

• Central / distributed admin domains

• Redundancy / load balancing

• Cluster-wide licenses

Example topology (diagram in the original deck): CPPM Publisher in the main data center alongside DNS/DHCP and the identity stores; CPPM Subscribers in a mid-size branch (as a VM) and in a regional office; ClearPass Guest and ClearPass Onboard on a CPPM Subscriber in the DMZ

Page 52: Access Management with Aruba ClearPass

Operations & Maintenance

• What happens when a node goes down?

– Operations: if deployed right, nothing; the NAS fails over using its RADIUS backup server settings

– If the Publisher goes down:

• No database writes allowed!!

• Promote a Subscriber to Publisher

• Resume configuration updates

Page 53: Access Management with Aruba ClearPass

Events & Alerts

• How long before ClearPass figures out something's wrong?

– 24 hours before it automatically "drops" a node from the cluster

– Cluster synchronization warnings: 1 event every hour × 24 hours = 24 events before the drop

– CPU/memory usage warnings: every 2 minutes

– Server certificate warnings: every 24 hours

– Service alerts: immediate

• Email/SMS alerts using Insight, syslog & SNMP

Page 54: Access Management with Aruba ClearPass

Operations & Maintenance

• Rescue & recovery

– Establish cluster connectivity: database sync will ensue; watch for "Last Sync Time"

– Restore certificates: server certificates are not installed as part of the sync

– Restore log entries (if necessary); caveat: high disk activity for an extended period of time

– Verify fail-back on the NAS: the NAS fail-back timers should kick in

Page 55: Access Management with Aruba ClearPass

#AirheadsLocal