Breakout - Airheads Macau 2013 - ClearPass Access Management Basics


Transcript of Breakout - Airheads Macau 2013 - ClearPass Access Management Basics

Page 1

CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved. #airheadsconf

ClearPass Access Management Basics

Carlos Gomez Gallego, Ashwath Murthy

Page 2

Agenda

• ClearPass Basics
• Controlling Access
• Advanced Features

Page 3

Why ClearPass?

Page 4

IT Centric
• LAN/VPN
• MS Enterprise apps
• Mainly Windows

User Centric
• Multiple platforms
• Personal devices
• Mobile apps
• Web apps
• Collaboration services

One size no longer fits all…

Page 5

ClearPass Core Solution Components

Policy
• Security
• Usage

Workflow
• Automation
• Provisioning

Visibility
• Consolidation
• Troubleshooting

Page 6

ClearPass Enables New Workflows

• Offload IT Services
• Guest access
  – Sponsors, self-service portals
  – One time login
  – IT controlled guest privileges
• Secure device onboarding
  – Automatic device identification
  – One time user registration
  – Provisioning of 802.1X settings, certificates
• Device/App management
  – Centralized distribution and policies
  – Automatic updates

Page 7

Device Visibility

– Works across multi-vendor networks
– Uses multiple active and passive techniques for high accuracy
– Device fingerprints updated automatically over the web
– Use device visibility to trigger a workflow, quarantine a device or grant network access

Page 8

Network Policies Based on Context

Policy Example: use context from ClearPass & external sources to set network policy

• Application installed
  – blacklisted
• Device Profile
  – OS version
  – Endpoint health
  – Jailbreak status
  – Pincode/encryption
• Location
  – Trusted or untrusted network
• Time/Date
  – e.g. in semester
• User/group membership

Page 9

Guest Access

Page 10

ClearPass Basics

Page 11

ClearPass Basics

Who is a Guest?

• Guest Accounts
• Self generated access
• Sponsor controlled access
• Differentiated guest access

Page 12

Automated Guest Onboarding

Actors: New Visitor, Sponsor, ClearPass Policy Manager

1. Visitor registers for access; email sent to sponsor
2. Sponsor prompted to confirm that guest is valid
3. Account enabled; visitor notified via screen, SMS, or email

Access Network

Page 13

Guest

Page 14

Controlling Access

Page 15

ClearPass Platform

Enterprise Grade RADIUS and TACACS

Page 16

Controlling Access

Authentication and Authorization

Page 17

What’s the flow?

• Authenticate – Valid authentication
• Authorize – Find out what’s allowed
• Associate Context – Device, Time, Location, Posture
• Enforce on NAS – Roles, ACLs, VLANs

Page 18

Service Flow – 802.1X

• Layer 2 RADIUS Request
• Layer 2 Authentication
• Layer 2 Authorization
• Layer 2 Role Derivation
• Layer 2 RADIUS Enforcement
• Layer 3 Profile
• Layer 2 NAP
• Layer 3 OnGuard

Page 19

Service Flow – Implications

• Layer 2 authentications are completed first
  – Full Authorization
  – Role Derivation
  – NAP (if enabled)
  – Layer 2 Enforcement
• Layer 3: Profile next
  – DHCP Request, DHCP Offer
  – RFC 3576 – Change of Authorization
    • Another Layer 2 authentication!
  – No RFC 3576 message if “fingerprint” does not change
• Layer 3: Collect Posture last (OnGuard)
  – Posture over HTTPS
  – RFC 3576 based on policy
    • Another Layer 2 authentication!

Page 20

Controlling Access

A world of possibilities!

• Time Based Access
• Asset Tracking Database
• Location Based Roles
• MDM
• Aruba Activate
• LogDB
• Endpoints Repository
• Profile Information
• Domain User Groups
• Static Host List

Page 21

Controlling Access

Why does it matter?

Page 22

Authorization – What and Why?

Page 23

Authorization – What and Why?

• Authentication vs. Authorization
• Authorization & ClearPass
• Use Cases

Page 24

Authorization & ClearPass

• “Authorization” Sources in ClearPass
  – Where do I find them?
  – How do I use them?
  – How often does ClearPass talk to an authorization source?
  – What happens in case something goes wrong?

Page 25

Authorization Sources – Where?

• An “Authentication Source” is an “Authorization Source”
  – RADIUS Server vs. Policy Server

Page 26

Authorization Sources – How?

• Authentication Sources are automatic Authorization Sources
• Additional Authorization Sources enabled per Service
• No Authorization unless used in Roles!

Page 27

Authorization Sources – How?

• Authorize with Active Directory
• Authorize with Profile Data
• Rule Algorithm: Evaluate All

Page 28

Use Cases – Mergers & Acquisitions

• Active Directory Domain – avendasys.com
• Active Directory Domain – arubanetworks.com

Page 29

Use Cases – Certificates & TLS

• Authentication & Authorization Sources for TLS
• Certificate Details used for Authorization
• Enable Authorization – source specified in the Service
• Compare Certificate – source specified in the Service

Page 30

Use Cases – Asset Databases

• LDAP/SQL Interface to Asset Databases
  – Key: MAC Address
  – Authorization Attributes
    • Ownership – Corporate vs. Personal
    • Compliance Status – In/Out of compliance
  – Identify corporate-owned non-Windows devices

Page 31

Profile – How does it work?

Page 32

Profile – How does it work?

• Profile & Network Data
• Automatic Profile “upgrades”
• Using Profile data in policy
• Configuring Profile
  – DHCP? HTTP? SNMP?
• Use Cases

Page 33

Profile & Network Data

• What does ClearPass use to profile?
  – MAC OUIs
  – DHCP Request, DHCP Offer
  – HTTP User-Agent
  – MDM Fingerprints
  – Device Interrogation
  – SNMP/CDP/LLDP Data

Page 34

Fingerprint Updates

• Subscribe to Fingerprint Updates
  – Automatic reclassification
  – Updated frequently
• Tell Aruba!
  – Create policy exceptions
  – Grab fingerprints from UI
  – Send fingerprints to Aruba
  – Crowd-sourced, community oriented

Page 35

Using Profile data in policy

• Automatic 3-level categorization
  – Device Category, OS Family, Device Name
• Using raw profile data
  – DHCP Data, HTTP User-Agent, SNMP Data
• Role Mapping
  – What should I use?
• Enforcement
  – How do I enforce?
  – What are the benefits?
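The following is an added example (Python, not ClearPass code and not Aruba's fingerprint database) that ties the Service Flow – Implications slide to this one: raw profile data (MAC address, DHCP, HTTP User-Agent) is turned into the 3-level Device Category / OS Family / Device Name classification, mapped to roles with an "Evaluate All" rule algorithm, and an RFC 3576 Change of Authorization is only requested when the fingerprint actually changed. The fingerprint table, attribute names, AD group names and role names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Profile:
    """Three-level classification: Device Category / OS Family / Device Name."""
    category: str
    os_family: str
    device_name: str

UNKNOWN = Profile("Unknown", "Unknown", "Unknown")

# Constructed fingerprint table (placeholder values, not Aruba's real database):
# (raw attribute collected from the network, substring to match, classification).
FINGERPRINTS = [
    ("http_user_agent", "iPad", Profile("SmartDevice", "Apple", "Apple iPad")),
    ("dhcp_options", "1,3,6,15,119,252", Profile("Computer", "Apple", "Mac OS X")),
    ("dhcp_hostname", "PRN-", Profile("Printer", "Generic", "Network Printer")),
    ("mac_address", "02:00:00:", Profile("Computer", "Generic", "Generic Host")),
]

def profile_endpoint(raw: Dict[str, str]) -> Profile:
    """Classify from whatever raw data has been collected so far; first matching rule wins."""
    for attr, needle, result in FINGERPRINTS:
        if needle.lower() in raw.get(attr, "").lower():
            return result
    return UNKNOWN

def map_roles(profile: Profile, ad_groups: Set[str]) -> List[str]:
    """Role mapping with rule algorithm 'Evaluate All': every rule that matches adds its role."""
    rules = [
        ("Printer-Device", profile.category == "Printer"),
        ("Exec-Tablet", profile.category == "SmartDevice" and "Executives" in ad_groups),
        ("Corp-Laptop", profile.category == "Computer" and "Domain Users" in ad_groups),
        ("Unprofiled", profile == UNKNOWN),
    ]
    return [role for role, matched in rules if matched] or ["Guest"]

def authorize(raw: Dict[str, str], ad_groups: Set[str], previous: Optional[Profile]) -> dict:
    """One pass of the flow: profile, map roles, then decide whether an RFC 3576 CoA
    (which forces another Layer 2 authentication) is needed. No CoA if the fingerprint
    did not change, so a stable device is not bounced off the network on every re-profile."""
    current = profile_endpoint(raw)
    changed = previous is not None and current != previous
    return {"profile": current, "roles": map_roles(current, ad_groups), "coa": changed}
```

Run it once with only the MAC known (the Layer 2 pass), again after DHCP and HTTP data arrive (the Layer 3 profile pass), and a third time with unchanged data to see that only the second pass triggers a CoA.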

Page 36

Configuring Profile – Network Considerations

• DHCP Relay
  – Where should I set up DHCP relays?
• Captive Portal Configuration
  – Is there a knob for this?
• Reading SNMP Data
  – CDP
  – LLDP
  – HR MIB
  – SysDescr MIB

Page 37

Use Cases

• Policy – CEOs & iPads
• Policy – “Headless” Devices
• Visibility – Demystifying BYODs

Page 38

Use Cases – CEOs & iPads

• Assign Roles
• Enforce Access

Page 39

Use Cases – Headless Devices

• Identify & Assign Roles To Headless Devices

Page 40

Use Cases – Visibility

Page 41

The ClearPass Solution

Workflow Automation
• Onboarding, Registration
• Profile-based App Distribution
• Guest Management

Consolidated Visibility/Policy
• Device Profiling
• User, Device Role-mapping
• MDM Integration
• Per Session Tracking

App Security
• Mobile App Management
• Encryption, VPN Services

All things Network, Device and App Management

Page 42

ClearPass Summary

• Complete multivendor solution on your existing network
• Designed to support IT-managed and BYOD use cases
• Highly flexible self-service and workflow automation portals

Page 43

Q & A

Page 44

Thank You!