ClearPass: Managing Critical Edge and IoT Security
Mindaugas Ruginis, Systems Engineer
2
Agenda
• Network Access Control
• Profiling
• Onboard - BYOD
• OnGuard
• ClearPass Exchange
3
ClearPass
Access Policy Management on any network
4
Why ClearPass?
7
ClearPass products
ClearPass Policy Manager: monitoring and profiling; RADIUS/TACACS+/802.1X/MAC-auth
ClearPass Guest: advanced guest management
ClearPass Onboard: BYOD certificate self-provisioning
ClearPass OnGuard: endpoint posture
• Appliance
• 500/5K/25K devices
• Hardware or VM
• AD Integration
• ClearPass Exchange
• Profiling
• MDM Integration
• ....
8
Multi-vendor Policy Enforcement
ClearPass Policy Manager: policy enforcement optimized for Aruba, but works with any network
9
Technology Overview: AAA, RADIUS, Security
10
The AAA Model
– Authentication
  – Who are you? What is your identity?
– Authorization
  – What are you allowed to do? What are your permissions?
  – What context can I use to make these decisions?
– Accounting
  – Record keeping
11
Challenges with legacy RADIUS servers
– Visibility and troubleshooting
  – No capability to profile devices connecting to the network
  – No contextual awareness (e.g. posture, device type, asset type)
  – Poor per-session troubleshooting tools and logs
– Scalability and reliability
  – Limited performance to handle EAP termination or higher loads
  – Poor active clustering technology and centralized management
– Narrow feature sets
  – Limited to core AAA and TACACS+
12
PDP, PEP and PIP
– Policy Information Points (PIP): identity stores, users / endpoints
– Policy Decision Points (PDP): ClearPass Policy Manager, a logical cluster, local or remote
– Policy Enforcement Points (PEP): network devices
13
Authentication Methods
Layer 2 Authentication
– MAC
– 802.1X
  – EAP-PEAP
  – EAP-MSCHAPv2
  – EAP-GTC
  – EAP-TLS
  – EAP-TTLS
Layer 3 Authentication
– Captive Portal
– VPN
14
Onboard
15
Authentication Using Unique Device Certificates
Easy, no passwords, secure
1. User's device is redirected to the onboarding portal
2. User enters AD credentials to start onboarding
3. Device is automatically placed on the proper network segment (e.g. doctor vs. nurse roles)
16
• IT determines who can onboard devices
• Access differentiated by role and device
• Devices are not entered into Active Directory
• No need for employees on the guest network
17
Single-SSID Onboarding
18
Dual-SSID Onboarding
19
Leverage your guest network!
– You don’t need a dedicated SSID for Onboarding!
– Use your guest network. It’s already there!
– Additional SSIDs add overhead and confusion
20
Differentiated Access Enforcement
Corporate tablet: authentication EAP-TLS, SSID CORP-SECURE -> Internet and corporate apps
BYOD tablet: authentication EAP-TLS, SSID CORP-SECURE -> Internet only
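Worked example, added here and not part of the original deck or of ClearPass itself: a small Python policy decision point that combines the three inputs the PDP/PEP/PIP slide names (identity store, device profile, posture) and returns the differentiated enforcement shown above, where two tablets on the same SSID with the same EAP-TLS method get different access because their certificates were issued by different CAs. The AD groups, profiler table, CA names, VLAN numbers and ACL names are constructed assumptions.

```python
"""Policy decision example (added illustration, not ClearPass code).
Identity store, profiler table and CA names are constructed stand-ins."""
from dataclasses import dataclass
from typing import Optional

# --- Policy Information Points (constructed sample data) ---------------------
AD_GROUPS = {                           # identity store: username -> AD groups
    "jsmith": {"Staff", "Clinical"},
    "visitor01": set(),
}
DEVICE_PROFILES = {                     # profiler output, keyed by MAC address
    "00:11:22:33:44:55": "Apple iPad",
    "aa:bb:cc:dd:ee:ff": "Apple iPad",
    "f0:f0:f0:00:00:01": "Temperature Sensor",
}
CORP_CA = "CN=Corp Enterprise CA"       # assumed issuer of IT-managed device certs
ONBOARD_CA = "CN=ClearPass Onboard CA"  # assumed issuer of BYOD (Onboard) certs


@dataclass
class AccessRequest:
    """What the PEP (switch, controller, VPN) tells the PDP about a session."""
    auth_method: str                    # "EAP-TLS", "EAP-PEAP" or "MAC"
    ssid: str
    mac: str
    username: Optional[str] = None      # AD user or certificate subject
    cert_issuer: Optional[str] = None   # issuer DN for EAP-TLS, else None
    posture: str = "Unknown"            # OnGuard token: Healthy/Quarantine/Unknown


@dataclass(frozen=True)
class Enforcement:
    """Enforcement profile returned to the PEP (role + VLAN + ACL name)."""
    role: str
    vlan: int
    acl: str


def decide(req: AccessRequest) -> Enforcement:
    """Policy Decision Point: evaluate rules top-down, first match wins.

    Rules are ordered most restrictive first so that a quarantined or
    unprofiled endpoint can never fall through to a privileged role.
    """
    groups = AD_GROUPS.get(req.username or "", set())
    device = DEVICE_PROFILES.get(req.mac.lower(), "Unknown")

    if req.posture == "Quarantine":
        # Posture failed: remediation network only, whatever the identity.
        return Enforcement("quarantine", 999, "remediation-only")

    if req.auth_method == "EAP-TLS" and req.ssid == "CORP-SECURE" and "Staff" in groups:
        # Same SSID and same EAP method for both tablets; the certificate
        # issuer is what separates the corporate device from the BYOD one.
        if req.cert_issuer == CORP_CA:
            return Enforcement("corporate", 10, "internet+corp-apps")
        if req.cert_issuer == ONBOARD_CA:
            return Enforcement("byod", 20, "internet-only")

    if req.auth_method == "MAC" and device.endswith("Sensor"):
        # IoT endpoint identified by profiling, not by a user credential.
        return Enforcement("iot", 30, "iot-broker-only")

    # Anything else (guest, unknown device, unexpected issuer): least privilege.
    return Enforcement("guest", 40, "internet-only")
```

The last rule is the one to get right: a certificate from an issuer the policy does not list, or a valid corporate certificate presented by a user who is not in the expected group, falls to the guest profile rather than to a corporate one.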
21
CA Purpose-built for BYOD
Enterprise PKI and CA (IT-managed devices): Active Directory, Registration Authority, Certificate Authority and Validation Authority are separate components; the device is domain-joined and issued a key and certificate.
Built-in ClearPass CA: the AD lookup, RA, VA and CA functions are combined in ClearPass; each device record carries domain, user and device identity plus a unique key and certificate.
23
Supported Devices
Popular operating systems:
• Mac OS X 10.7 and newer, iOS 5.x and newer
• Windows Vista, 7, 8 (including Surface Pro) and 10
• Android 2.3 and newer
• Chrome OS (requires Management Console)
• Ubuntu
Form factors: laptops, tablets, smart phones, Chromebooks
25
Profiling
26
Device Visibility
– Works across multiple vendors
– Uses multiple active/passive techniques
– Automatic device fingerprint updates
– Use device fingerprints in policy, workflow.
27
Profiling
Collection sources feeding an accurate policy decision: DHCP, SNMP, SSH, TCP, WMI, CDP/LLDP, OnGuard, NMAP scan, MAC OUI
Diagram: two IoT endpoints (temperature sensor, lighting sensor) before and after profiling
28
Enhanced Profiling and Policy – Solving IoT Issues
– Create your own fingerprints!
– Or wait for new fingerprints to be made and/or manually override devices 1:1
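Worked example, added here and not taken from ClearPass or its fingerprint database: a Python device-fingerprinting routine in the style of the profiling slides above. It scores an endpoint against signatures built from the DHCP parameter request list (option 55), the DHCP vendor class (option 60) and the MAC OUI, supports administrator-created fingerprints and 1:1 manual overrides, and walks through the "before/after" case of an unknown IoT sensor. The OUI table, signature values and sample DHCP data are constructed for the example (assumptions), not vendor-verified.

```python
"""Device-fingerprinting example (added illustration, not ClearPass code).
OUI table, signatures and sample DHCP data below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed OUI table: first three octets -> manufacturer.
OUI_VENDORS = {
    "00:11:22": "Apple",
    "b8:27:eb": "Raspberry Pi Foundation",
    "00:80:a3": "Lantronix",
}


@dataclass(frozen=True)
class Fingerprint:
    name: str
    category: str
    option55: Optional[Tuple[int, ...]] = None  # exact DHCP parameter request list
    vendor_class: Optional[str] = None          # regex over DHCP option 60
    oui_vendor: Optional[str] = None            # manufacturer resolved from OUI


# Constructed signatures (values are illustrative, not vendor-verified).
FINGERPRINTS = [
    Fingerprint("Apple iOS", "SmartDevice",
                option55=(1, 121, 3, 6, 15, 119, 252), oui_vendor="Apple"),
    Fingerprint("Raspberry Pi (Linux)", "Computer",
                vendor_class=r"^dhcpcd", oui_vendor="Raspberry Pi Foundation"),
]
OVERRIDES = {}  # MAC -> (name, category) set by an administrator; wins over signatures


def add_fingerprint(fp: Fingerprint) -> None:
    """'Create your own fingerprint': register a signature without waiting for a feed."""
    if fp not in FINGERPRINTS:
        FINGERPRINTS.append(fp)


def override_device(mac: str, name: str, category: str) -> None:
    """Manual 1:1 override for a single endpoint."""
    OVERRIDES[mac.lower()] = (name, category)


def classify(mac, option55, vendor_class=None):
    """Return (device name, category) for one endpoint's DHCP + MAC data.

    Every attribute a signature specifies must match; a signature that
    matches more attributes outranks one that matches fewer.
    """
    mac = mac.lower()
    if mac in OVERRIDES:
        return OVERRIDES[mac]
    vendor = OUI_VENDORS.get(mac[:8], "Unknown")
    best, best_score = ("Unknown", "Unknown"), 0
    for fp in FINGERPRINTS:
        score = 0
        if fp.option55 is not None:
            if tuple(option55) != fp.option55:
                continue
            score += 2                  # parameter request list: strongest signal
        if fp.vendor_class is not None:
            if not re.search(fp.vendor_class, vendor_class or ""):
                continue
            score += 2
        if fp.oui_vendor is not None:
            if fp.oui_vendor != vendor:
                continue
            score += 1                  # OUI alone is weak: MACs are spoofable
        if score > best_score:
            best, best_score = (fp.name, fp.category), score
    return best


# Constructed "before/after" walk-through for the sensor on the slide.
SENSOR_MAC, SENSOR_OPT55, SENSOR_OPT60 = "00:80:a3:12:34:56", (1, 3, 6), "TempSense/1.2"


def before_and_after():
    """Unknown until an administrator adds a custom fingerprint for it."""
    before = classify(SENSOR_MAC, SENSOR_OPT55, SENSOR_OPT60)
    add_fingerprint(Fingerprint("Temperature Sensor", "IoT",
                                vendor_class=r"^TempSense/", oui_vendor="Lantronix"))
    after = classify(SENSOR_MAC, SENSOR_OPT55, SENSOR_OPT60)
    return before, after
```

Note that the OUI check is deliberately the weakest signal: a locally administered or spoofed MAC with a matching option 55 list still does not classify as the Apple signature, because the signature requires the OUI as well, which is the kind of rule a practitioner would want before using a fingerprint in an enforcement policy.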
29
ClearPass OnConnect
Diagram: ClearPass applies SNMP enforcement to Aruba and third-party switch ports that have no 802.1X, placing endpoints into e.g. a printer VLAN or an infusion-pump VLAN, alongside existing 802.1X wired/wireless support.
• Built-in device-centric security for all non-AAA-ready customers
• Easy to configure on legacy multivendor switches
• Leverages ClearPass profiling for wired/wireless: IoT, laptops, mobile phones
30
OnGuard
31
Detect unsecure devices, control compromised devices
• Block access to network resources across wired, wireless & remote (VPN)
• Auto-remediate the device
• Minimizes risk to the network
Diagram: ClearPass Policy Manager with OnGuard sits between the endpoint and the access network or VPN.
32
Posture Checking
Persistent and dissolvable agents for laptops and desktops
33
OnGuard Is Better Than Ever
– Better policy manipulation
  – Support for regular expressions (RegEx) in registry and installed-application health classes
– Better OS support
  – Persistent agent can now run as a system service on Windows
  – Native dissolvable agent auto-upgrade support
  – OnGuard can now check whether Mac OS X clients are missing any patches and, if auto-remediation is enabled, install the missing patches
34
OnGuard Persistent Agent
– OnGuard Persistent Agent is available for:
  – Windows (both .exe and .msi files available); often installed via GPO by an administrator, or hosted as a download for end users
  – Mac OS X
  – Linux (Ubuntu)
– The agent can be combined with the Aruba VIA component
  – VIA is Aruba's VPN solution
  – Health checks can be performed on VPN clients
– Persistent Agent can auto-remediate
  – For example: the Persistent Agent will enable the firewall
35
OnGuard Dissolvable Agent
– OnGuard Dissolvable Agent runs once and exits
– OnGuard Dissolvable Agent now uses native code
  – Translation: no client-side Java requirements!
– Tied to the web login page
  – Think: guest configuration and captive portal
– Popular browsers are supported
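Worked example, added here and not OnGuard's own code: a Python posture evaluator in the shape the OnGuard slides describe. Health classes are plain predicates; the antivirus and disk-encryption classes use regular expressions over the installed-application list and a registry value, and the firewall and patch classes carry a remediation step that is applied and re-checked before the endpoint is quarantined. The endpoint inventory, the registry path, the patch names and the approved-software list are constructed for the example (assumptions).

```python
"""Posture-check example (added illustration, not OnGuard code).
Endpoint inventory, registry path and software list are constructed."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Endpoint:
    """Constructed inventory in the form an agent would report it."""
    os: str
    firewall_enabled: bool
    installed_apps: List[str]
    registry: Dict[str, str]            # key path -> value (assumed format)
    missing_patches: List[str] = field(default_factory=list)


@dataclass
class HealthClass:
    name: str
    check: Callable[[Endpoint], bool]
    remediate: Optional[Callable[[Endpoint], None]] = None  # None: cannot auto-fix


def app_installed(pattern: str):
    """Health class body: some installed application matches the regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda ep: any(rx.search(app) for app in ep.installed_apps)


def registry_matches(key: str, pattern: str):
    """Health class body: registry value exists and fully matches the regex."""
    rx = re.compile(pattern)
    return lambda ep: key in ep.registry and rx.fullmatch(str(ep.registry[key])) is not None


def enable_firewall(ep: Endpoint) -> None:
    ep.firewall_enabled = True          # the slide's own example of auto-remediation


def install_patches(ep: Endpoint) -> None:
    ep.missing_patches.clear()          # stands in for triggering the OS updater


# Hypothetical registry key; a real policy would name the product's actual key.
ENCRYPTION_KEY = r"HKLM\SOFTWARE\ExampleCorp\DiskEncryption\Enabled"

POLICY = [
    HealthClass("Firewall", lambda ep: ep.firewall_enabled, enable_firewall),
    HealthClass("Antivirus", app_installed(r"(Windows Defender|CrowdStrike Falcon|Sophos)")),
    HealthClass("DiskEncryption", registry_matches(ENCRYPTION_KEY, r"1")),
    HealthClass("Patches", lambda ep: not ep.missing_patches, install_patches),
]


def evaluate(ep: Endpoint, auto_remediate: bool = True):
    """Run every health class; return (posture token, names of failed classes).

    A failed class is re-checked after remediation, so an endpoint that was
    fixed in place is admitted in the same session instead of quarantined.
    """
    failed = []
    for hc in POLICY:
        if hc.check(ep):
            continue
        if auto_remediate and hc.remediate is not None:
            hc.remediate(ep)
            if hc.check(ep):
                continue
        failed.append(hc.name)
    return ("Healthy" if not failed else "Quarantine"), failed


def sample_endpoint() -> Endpoint:
    """Constructed Windows laptop: firewall off, two patches missing."""
    return Endpoint("Windows 10", False,
                    ["Microsoft Office", "Windows Defender"],
                    {ENCRYPTION_KEY: "1"},
                    ["patch-A", "patch-B"])
```

The posture token this returns ("Healthy" or "Quarantine") is the value a policy server would then feed into its access decision; classes with no remediation callable (antivirus, disk encryption) can only fail, which is the right default for anything the agent cannot safely change itself.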
36
Guest access
37
Guest Registration Use Cases
Pre-registration
• Bulk import from file, e.g. Excel or text
• Generate visitor badges or notify via branded email templates
Self-registration
• Customizable, automated workflows
• Notification via SMS, email, badge printer
• Can require sponsor approval
Sponsored Guest Access
• Enable multiple employees to sponsor
• Receptionists, managers
38
Self Service Portal
39
Social Login
40
ClearPass Exchange
41
ClearPass Exchange Ecosystem
Partner categories: Infrastructure; MDM / EMM; Next-Gen Perimeter Defense; SIEM, Automation, MFA
Integration outcomes shown: network controls using real-time device data; visibility into location and time with granular controls; granular traffic control with user and device data; visibility and interactive control features
42
Ingress Engine: Third-party Threat Protection
Adaptive Trust defense based on real-time threat detection
1. User connects (LAN/WLAN) and uploads a threat
2. NGFW/IPS (**) sends an event to ClearPass
3. ClearPass isolates the client
• Offers an enhanced user experience, as ClearPass can initiate user notifications and help-desk tickets and update third-party security solutions
• ** The device in step 2 can be an MDM/EMM, SIEM, etc.
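Worked example, added here and not ClearPass or Aruba code, serving two slides: the MAC authentication method from the authentication-methods slide (a RADIUS Access-Request, RFC 2865 with Message-Authenticator per RFC 3579) and step 3 of the ingress-engine flow above, where the policy server isolates a client (a RADIUS Disconnect-Request, RFC 5176). It builds both packets, parses them back, and performs the receiver-side checks a NAS or RADIUS server must do before acting on them. The shared secret, NAS address, MAC and session id are constructed values; using the delimiter-stripped MAC as both User-Name and User-Password is one common MAC-auth convention and an assumption here.

```python
"""RADIUS Access-Request (MAC auth) and Disconnect-Request example.
Added illustration, not ClearPass code; secret, NAS, MAC and session id
are constructed, and the MAC-as-username/password format is an assumption."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, DISCONNECT_REQUEST, COA_REQUEST = 1, 40, 43
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CALLING_STATION_ID, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR = 31, 44, 80


def avp(attr_type, value):
    """Type-Length-Value attribute; Length includes its own two octets."""
    assert len(value) <= 253, "attribute value too long for one AVP"
    return bytes([attr_type, len(value) + 2]) + value


def encrypt_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    padded = password.encode().ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_password(blob, secret, request_auth):
    """Inverse of encrypt_password, as the RADIUS server recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\0").decode()


def _sign(code, ident, secret, attrs, auth):
    """Header + attributes, then Message-Authenticator = HMAC-MD5 over the packet (RFC 3579)."""
    body = b"".join(attrs) + avp(MESSAGE_AUTHENTICATOR, b"\0" * 16)
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def _mac_user(mac):
    return mac.replace(":", "").replace("-", "").lower()


def access_request_mac_auth(mac, nas_ip, secret, ident=1, request_auth=None):
    """Access-Request a switch or controller sends for a MAC-auth client."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = [
        avp(USER_NAME, _mac_user(mac).encode()),
        avp(USER_PASSWORD, encrypt_password(_mac_user(mac), secret, request_auth)),
        avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        avp(CALLING_STATION_ID, mac.replace(":", "-").upper().encode()),
    ]
    return _sign(ACCESS_REQUEST, ident, secret, attrs, request_auth)


def disconnect_request(mac, session_id, secret, ident=1):
    """Disconnect-Request the policy server sends to the NAS to isolate a client.

    RFC 5176: Message-Authenticator is computed with the authenticator zeroed,
    then Request Authenticator = MD5(packet with zeroed authenticator + secret).
    """
    attrs = [
        avp(USER_NAME, _mac_user(mac).encode()),
        avp(CALLING_STATION_ID, mac.replace(":", "-").upper().encode()),
        avp(ACCT_SESSION_ID, session_id.encode()),
    ]
    pkt = _sign(DISCONNECT_REQUEST, ident, secret, attrs, b"\0" * 16)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def parse_attrs(pkt):
    """Walk the attribute list as (type, value) pairs; reject truncated or zero-length AVPs."""
    attrs, i = [], 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return attrs


def message_authenticator_ok(pkt, secret):
    """Receiver-side Message-Authenticator check; a missing attribute counts as failure."""
    auth = b"\0" * 16 if pkt[0] in (DISCONNECT_REQUEST, COA_REQUEST) else pkt[4:20]
    i = 20
    while i + 2 <= len(pkt):
        t, ln = pkt[i], pkt[i + 1]
        if ln < 2 or i + ln > len(pkt):
            return False
        if t == MESSAGE_AUTHENTICATOR and ln == 18:
            zeroed = pkt[:4] + auth + pkt[20:i + 2] + b"\0" * 16 + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += ln
    return False


def request_authenticator_ok(pkt, secret):
    """Disconnect/CoA-Request authenticator check (computed like an Accounting-Request)."""
    zeroed = pkt[:4] + b"\0" * 16 + pkt[20:]
    return hmac.compare_digest(hashlib.md5(zeroed + secret).digest(), pkt[4:20])
```

Two points worth noticing in the receiver checks: a Disconnect-Request that fails either authenticator must be dropped silently rather than answered with a Disconnect-NAK that leaks whether the session exists, and a request with no Message-Authenticator at all is rejected here, since accepting it would let an attacker on the RADIUS path strip the integrity protection.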
43
MDM Device Context in Action
44
More Ways to Talk To ClearPass
45
Information Resources
– Aruba Community: http://community.arubanetworks.com/
– ClearPass Recipes: http://community.arubanetworks.com/t5/ClearPass-Recipes/tkb-p/clearpass-recipes
– Aruba Solution Exchange: https://ase.arubanetworks.com
ClearPass is recognized as a leader among NAC products; see the Frost & Sullivan report: http://www.prnewswire.com/news-releases/frost--sullivan-recognizes-hpe-aruba-leadership-in-the-network-access-control-market-300317643.html
46
Global Wins
– Worldwide ACS replacement for RADIUS and TACACS+
– Increased security & simplified BYOD onboarding
– ACS replacement for policy management & guest
– ACS replacement for policy management, NAC & BYOD
– Worldwide guest and device auth in a Cisco / Juniper network
– Leveraged an ArcSight installation to drive AAA replacement
47
Evaluation licenses
You can contact me via email and I will create a 90-day evaluation license for you.
Demo
Thank you. If you have questions, contact: [email protected]