ClearPass design scenarios that solve the toughest security policy requirements

#ATM15 | ClearPass Design Scenarios Austin Hawthorne Feb 26, 2015


CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved

Agenda

1. Better user experience and tighter security, is that possible?

2. Employees on Guest Network

3. The headless device dilemma


Security and Usability Cohabitation


Better user experience and tighter security, is that possible?

Solutions:

1. Status updates and notifications

2. Provide self-service workflows

3. Dynamically Update other network security systems

4. Implement proactive problem identification and resolution


The User Problem…

How do I get my device on the network?

What is a MAC Address?

Why is the network not working?


Common Security Concerns

Who does this device belong to?

Does this device meet minimum corporate compliance standards?

Can I really support this technology?


1. Communicate with your users

Don’t just REJECT a connection if something goes wrong!

Sure that’s secure, but what does the user think?

Let a user know what went wrong:

SMS

Web Notification Page (Walled Garden)

Push Notification

Phone Call

OnGuard Message

Email

• Most can be done even if you still send a REJECT


2. Provide Self Service Workflows

BYOD Provisioning and Management (Onboard)

802.1x Supplicant Configuration (QuickConnect)

Device Registration and Management

Guest Self Registration and Management

AirGroup Registration and Management

Posture Check (OnGuard DA)

Posture Remediation (OnGuard PA)


3. Dynamically Prepare the Rest of the Network

Getting past the front door is one thing… How many more “identity” controlled doors do you have?

DHCP/DNS Controls?

Firewalls?

IDS/IPS?

Proxies?

Application Logins (SSO)?


Example

Diagram: the Adaptive Trust Identity built for the session is pushed out to the rest of the network. Nodes in the diagram: AD/LDAP, EMM/MDM, Adaptive Trust Identity; actions: Update WLAN, Update Firewall, Update Web Proxy / Filter, Logon to Applications (SSO), Update EMM/MDM.

Identity context in the example:

Who: Bob
Group: Faculty
Device: Personal iPad
Location: Room 104
Time: 9am, Monday
Compliance: Healthy
MAC Address: X
IP Address: Y
AirGroup Permissions


4. Proactive Problem Identification and Resolution

Use ClearPass to notify/alert helpdesk systems: the right teams with the right information, as soon as a problem happens.

Not just Syslog/SNMP:

Email

HelpDesk Ticketing Systems

SMS/Voice


Example

Diagram: enforcement actions triggered for a single event:

RADIUS action to force the notification page

Send the user an SMS notification

Update Palo Alto firewall

Open a helpdesk ticket

Sound the alarm! Send email to the security team


Employees on Guest Network


Why is it a bad idea?

1. Users/Devices are exposed to cyber-attacks

2. SSID Confusion

3. Users circumvent web policy at work

Protect your users and devices


Get visibility and control on your Guest SSID

Diagram (steps 1 to 4): the user's device (MAC 11:22:33:44:55:66) associates to the Guest SSID (MAC Authentication) through the AP and the wireless controller; the controller sends a RADIUS request to ClearPass, which consults AD (LDAP), a SQL store (SQL) and the MDM before answering.


How can we identify corporate devices?

Diagram: ClearPass Policy Manager in the data center sits between the network infrastructure (wireless, wired, VPN, remote office, outdoor) and the authorization sources: AD, Oracle, CMDB, Endpoint Database, MDM, JAMF.


CP Exchange – Integration with MDM


CP Exchange – Integration with CMDB

SQL filter query for the CMDB authorization source; ClearPass substitutes the client MAC into the query at authentication time:

SELECT MAC_ADDR AS cmdb_mac
FROM cmdb_devices  -- table name is a placeholder; the slide does not show it
WHERE MAC_ADDR = '%{Connection:Client-Mac-Address-Hyphen}'


Endpoint Attribute Tagging

Diagram: a device authenticates on SSID Secure (WPA2-AES) against AD/LDAP. The request is [MACHINE AUTHENTICATED] and carries Certificate:Issuer-CN. During authorization, ClearPass updates the endpoint record (MAC 11:22:33:44:55:66) with Ownership: Corporate.


Update Endpoint Enforcement


Let’s build a Role Mapping Policy (Tagging)


Policy Enforcement Options

Diagram: an employee connects to the Guest SSID (MAC Authentication); ClearPass identifies the Corp-Device role and runs the enforcement workflows:

Auto-generate helpdesk ticket

Notify user: SMS & voice call to phone

IT administrator: email alert

Redirect to captive portal

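As an added illustration (not ClearPass's own code or configuration), the Python below models the two-stage flow on these slides: a machine-authenticated 802.1X login on the secure SSID tags the endpoint Ownership=Corporate, and a later MAC authentication by the same MAC on the Guest SSID maps it to the Corp-Device role and selects the enforcement actions listed. Request keys imitate ClearPass %{Namespace:Attribute} names; the trusted issuer CN, the MacAuthOnly value, the in-memory endpoint store and the action strings are assumptions.

```python
# Added example (not ClearPass code): tag a corporate endpoint during its
# 802.1X login on the secure SSID, then map the same MAC to the Corp-Device
# role when it MAC-authenticates on the Guest SSID and pick the enforcement
# actions. Request keys imitate ClearPass attribute names; values are constructed.

TRUSTED_ISSUER_CN = "Corp Issuing CA"          # placeholder for the corporate CA

# Enforcement policy: role -> enforcement profiles (profile names are assumed).
ENFORCEMENT = {
    "Corp-Device": ["Redirect to Captive Portal: corporate device warning page",
                    "Notify user: SMS and voice call",
                    "IT administrator: email alert",
                    "Auto-generate helpdesk ticket"],
    "Guest": ["Guest access"],
}


def tag_endpoint(endpoints, request):
    """Stage 1: machine-authenticated client on SSID Secure with a certificate
    from the corporate CA -> write Ownership=Corporate to its endpoint record."""
    mac = request["Connection:Client-Mac-Address"]
    if (request["Connection:SSID"] == "Secure"
            and "[Machine Authenticated]" in request.get("Tips:Role", [])
            and request.get("Certificate:Issuer-CN") == TRUSTED_ISSUER_CN):
        endpoints.setdefault(mac, {})["Ownership"] = "Corporate"
        return True
    return False


def map_role(endpoints, request):
    """Stage 2: MAC authentication on SSID Guest -> look the MAC up in the
    endpoint store; a corporate-owned device becomes Corp-Device, else Guest."""
    mac = request["Connection:Client-Mac-Address"]
    if (request["Connection:SSID"] == "Guest"
            and request.get("Authentication:MacAuth") == "MacAuthOnly"  # assumed value
            and endpoints.get(mac, {}).get("Ownership") == "Corporate"):
        return "Corp-Device"
    return "Guest"


def demo():
    endpoints = {}                              # stands in for the Endpoint DB
    mac = "11:22:33:44:55:66"                   # the MAC shown on the slides
    tag_endpoint(endpoints, {"Connection:Client-Mac-Address": mac,
                             "Connection:SSID": "Secure",
                             "Tips:Role": ["[Machine Authenticated]"],
                             "Certificate:Issuer-CN": TRUSTED_ISSUER_CN})
    guest_req = {"Connection:SSID": "Guest", "Authentication:MacAuth": "MacAuthOnly"}
    corp_role = map_role(endpoints, {**guest_req, "Connection:Client-Mac-Address": mac})
    visitor_role = map_role(endpoints, {**guest_req, "Connection:Client-Mac-Address": "aa:bb:cc:dd:ee:ff"})
    return corp_role, ENFORCEMENT[corp_role], visitor_role, ENFORCEMENT[visitor_role]
```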

Let’s build an Enforcement Policy (Actions)


Corporate Device Warning Page


Enforcement Profile – SMS with Twilio


Enforcement Profile – Helpdesk Ticket

{
  "short_description": "Corporate Device Event",
  "priority": "3",
  "description": "The following Corporate device has attempted to connect to the Guest WiFi network:\nMac Address: %{Connection:Client-Mac-Address}\nEnrolled User: %{Authentication:Full-Username}\nDevice Serial: %{Endpoint:Serial Number}\nMobile: %{Endpoint:Model}\nOS Version: %{Endpoint:OS Version}\nLocation: %{Radius:Aruba:Aruba-Location-Id}",
  "u_category": "%{u_category}",
  "u_subcategory": "%{u_subcategory}",
  "assigned_to": "mobileadmin"
}
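As an added example (not ClearPass's or the ticketing system's code), the Python below fills the %{Namespace:Attribute} placeholders of the helpdesk ticket body above from a session's attributes, JSON-escaping each value as it is inserted so that a device model or user name containing quotes cannot produce an unparseable ticket. The attribute values are constructed sample data.

```python
import json
import re

# Added example (not ClearPass code): render the helpdesk ticket template by
# substituting %{Namespace:Attribute} placeholders with JSON-escaped values,
# then parse the result so a malformed body is caught before it is posted.
# Attribute values below are constructed sample data.

TICKET_TEMPLATE = (
    '{"short_description":"Corporate Device Event","priority":"3",'
    '"description":"The following Corporate device has attempted to connect '
    'to the Guest WiFi network:\\nMac Address: %{Connection:Client-Mac-Address}'
    '\\nEnrolled User: %{Authentication:Full-Username}'
    '\\nDevice Serial: %{Endpoint:Serial Number}\\nMobile: %{Endpoint:Model}'
    '\\nOS Version: %{Endpoint:OS Version}'
    '\\nLocation: %{Radius:Aruba:Aruba-Location-Id}",'
    '"u_category":"%{u_category}","u_subcategory":"%{u_subcategory}",'
    '"assigned_to":"mobileadmin"}'
)

PLACEHOLDER = re.compile(r"%\{([^}]+)\}")


def render(template, attrs):
    """Substitute every %{...} with the JSON-escaped attribute value."""
    def replace(match):
        key = match.group(1)
        if key not in attrs:
            raise KeyError(f"unresolved attribute {key}")
        # json.dumps returns a quoted string; the template already supplies
        # the surrounding quotes, so keep only the escaped contents.
        return json.dumps(str(attrs[key]))[1:-1]
    return PLACEHOLDER.sub(replace, template)


SAMPLE_ATTRS = {                       # constructed session attributes
    "Connection:Client-Mac-Address": "112233445566",
    "Authentication:Full-Username": "bob@example.edu",
    "Endpoint:Serial Number": "SN-EXAMPLE-0001",
    "Endpoint:Model": 'iPad Air 2 ("Bob\'s iPad")',   # quotes must be escaped
    "Endpoint:OS Version": "8.1.3",
    "Radius:Aruba:Aruba-Location-Id": "Room 104",
    "u_category": "Network",
    "u_subcategory": "Wireless",
}


def build_ticket(attrs=SAMPLE_ATTRS):
    """Render the template and return the parsed ticket (raises on invalid JSON)."""
    return json.loads(render(TICKET_TEMPLATE, attrs))
```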


Headless Devices on Wired/Wireless


Is 802.1X the only option?

1. Many wired/wireless devices do not support 802.1x authentication

2. How do we make sure only the desired devices get access?

3. What about MAC Spoofing?


Supporting “Headless” Devices

For devices that do not support 802.1X:

Wireless: a PSK SSID with MAC Authentication is needed

Wired: MAB (MAC Authentication Bypass) is needed on the port

Two mechanisms for authentication:

1. Device Profiler

2. Device Registration


1. Endpoint Profiler

• Authorize devices like IP Phones, Hand Scanners, Printers, or Access Points.


Profiling “Unknowns”

Recommended best practice: allow DHCP and SNMP for unknown devices, and optionally redirect HTTP to CPPM, so the profiler has traffic to fingerprint

Once profiled, re-authenticate against new information


Example Profiling Policy

• Create an enforcement profile and policy rule to send the dACL (in the case of, say, a Cisco LAN switch)


Pulling it all together


2. Device Registration

• The default device registration page looks like this:


MAC Spoofing

What if someone spoofs their device MAC address?


ClearPass can detect device conflicts
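As an added example (not ClearPass's profiler code), the Python below models the profiling flow from the earlier slides together with the device-conflict idea here: an unknown MAC stays in a restricted role until it is fingerprinted, the stored category is then used to re-authenticate it, and a later fingerprint that disagrees with the stored category flags the endpoint as a conflict. The fingerprint-to-category table and the in-memory endpoint store are constructed assumptions.

```python
# Added example (not ClearPass code): profile unknown endpoints from DHCP
# fingerprints, re-authenticate once a category is known, and flag a conflict
# when a known MAC later fingerprints as a different kind of device (the
# observable side effect of a spoofed MAC). The fingerprint table is toy data.

FINGERPRINTS = {                       # constructed: DHCP option 55 list -> category
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Computer",
    "1,121,3,6,15,119,252,95,44,46": "SmartDevice",
    "1,3,6,12,15,28,42": "Printer",
}


def profile(option55):
    """Return the device category for a DHCP fingerprint, or Unknown."""
    return FINGERPRINTS.get(option55, "Unknown")


def observe(endpoints, mac, option55):
    """Record a newly seen fingerprint for MAC and return the policy decision."""
    category = profile(option55)
    if category == "Unknown":
        return "profile-pending"           # stay in the restricted profiling role
    record = endpoints.setdefault(mac, {})
    stored = record.get("Category")
    if stored is None:
        record["Category"] = category
        return "reauthenticate"            # new information: re-auth into the real role
    if stored != category:
        record["Conflict"] = True
        return "conflict"                  # different device behind a known MAC: deny and alert
    return "unchanged"


def demo():
    endpoints = {}                         # stands in for the Endpoint DB
    mac = "11:22:33:44:55:66"              # the MAC shown on the slides
    decisions = [
        observe(endpoints, mac, "9,9,9"),                  # not yet identifiable
        observe(endpoints, mac, "1,3,6,12,15,28,42"),      # profiles as Printer
        observe(endpoints, mac, "1,3,6,12,15,28,42"),      # same printer again
        observe(endpoints, mac, "1,3,6,15,31,33,43,44,46,47,119,121,249,252"),
    ]                                      # last: a Computer appearing with the printer's MAC
    return decisions, endpoints[mac]
```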

THANK YOU


… Before You Go

Give feedback!

Sign up for Atmosphere 2016 and save $200: arubanetworks.com/atmosphere2016