Advanced Access Management with Aruba ClearPass
June, 2014
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
2 #AirheadsConf
Agenda
• Single Sign-On and Auto Sign-On
• ClearPass Exchange
• HTTP Enforcement
• MDM Integration
• Post Authentication Engine
What’s new in ClearPass?
Single Sign-On and Auto Sign-On
Identity Access Evolution
[Diagram: three stages of identity access]
1. Multiple Accounts, Multiple Identity Sources – Multiple Logins
2. Single Account, Single Identity Source – Multiple Logins
3. Single Account, Single Identity Source – Single Login
Single Sign-On
Security
• Single source of identity information
• Need to authenticate & authorize users across applications
Usability
• Provide the best user experience
• Highly mobile users
• Smaller screens, virtual keyboards
Mobility
• On-Premise and Off-Premise applications
• Move to the cloud
Single Sign-On
• Security Assertion Markup Language (SAML)
– Key technology behind SSO
– ClearPass is compliant with SAML v2.0
• Key Roles within SAML
– Principal – Typically a user who requests a service
– Identity Provider (IdP) – Provides identity assertions by authenticating the user
– Service Provider (SP) – Requests identity assertions from an IdP
• OpenID (as SSO technology – out of scope)
SAML – Workflow
[Diagram: SAML workflow between Browser, Service Provider and Identity Provider; only the "Browser" label survived extraction]
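As an added example (not ClearPass code and not part of the original deck), the checks a Service Provider such as a captive portal has to make on an assertion it receives from an IdP before trusting it; the IdP and SP names, URLs, request id and the sample Response are constructed, and XML signature verification is assumed to happen separately:

```python
# Added example (not ClearPass code): checks a SAML Service Provider applies to an
# assertion before trusting it, standard library only. XML-DSig signature
# verification is assumed to be done separately; names, URLs, sample are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req123">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>jhoward</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"
          InResponseTo="_req123" NotOnOrAfter="2014-06-01T10:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2014-06-01T09:55:00Z" NotOnOrAfter="2014-06-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion></samlp:Response>"""

def _ts(s):
    """Parse the UTC timestamps SAML uses (xs:dateTime with a trailing Z)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, sp_entity_id, acs_url, request_id, now):
    """Return (ok, reason, name_id); 'now' is a timestamp string in the same format.
    Each check pins the assertion to this SP's own expectations (issuer, audience,
    recipient, request id, time window), so one minted for another SP or replayed later fails."""
    t = _ts(now)
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return False, "no assertion", None
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "unexpected issuer", None
    cond = a.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na and _ts(nb) <= t < _ts(na)):
        return False, "outside validity window", None
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "not addressed to this SP", None
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    exp = scd.get("NotOnOrAfter") if scd is not None else None
    if (exp is None or t >= _ts(exp) or scd.get("Recipient") != acs_url
            or scd.get("InResponseTo") != request_id):
        return False, "bearer confirmation failed", None
    return True, "ok", a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```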
ClearPass and SSO
• ClearPass as a Service Provider (SP)
– ClearPass’ captive portals can act as a Service Provider
– ClearPass will request identity assertions from an IdP
– ClearPass may need to register with the IdP
• ClearPass as an Identity Provider (IdP)
– ClearPass can act as an Identity Provider to supply identity assertions
– Requesting applications (Service Providers) may need to register with ClearPass
ClearPass as SP
• When and Why?
– A SAML IdP exists on the network
– Need for centralized authentication/authorization for web applications
– Portal driven options for network access
– Portal driven options for device registration
– ClearPass examples with portals: use-cases such as reporting, guest sponsors, device registration
ClearPass as IdP
• When and Why?
– Need for centralized authentication/authorization for web applications
– Multiple internal applications are driven off a web interface
– ClearPass acts as an authentication/authorization engine for network transactions and application SSO
– ClearPass can “chain” itself onto popular IDMs such as Ping Federate and Okta
ClearPass – IdP
[Diagram: client device, CPPM (backed by AD/LDAP) and cloud apps, connected over HTTPS; works on multivendor LAN and WLAN]
1. Open Application
2. Redirect to SSO Portal
3. Sign in, use application
– SSO enabled for all apps
Auto Sign-On
• What is Auto Sign-On?
– Reuse L2 network authentication information for SSO
– Remove manual, repetitive application sign-on
– Provide seamless identity transition from network to application
• What do I need to enable this?
– ClearPass 6.3 as the L2 RADIUS server
– ClearPass 6.3 as a SAML IdP
– AOS 6.4 on Aruba Mobility Controllers
Auto Sign-On
[Diagram: three steps through ClearPass]
1. Authenticate to Wi-Fi
2. Open a work app
3. Start working: no manual sign-in
– ClearPass: successful network authentication validates the user for automatic access to SAML enabled web/work apps
Auto Sign-On – Benefits
• No need to repeatedly key in application passwords on all devices!
• Extend “TLS” derived credentials to applications!
• Automate application sign-on
• Reuse network credentials for SSO
• Centralize identity and access management across L2 and L7
• UI Walkthrough
ClearPass Exchange
ClearPass Exchange
[Diagram: ClearPass Exchange (REST-based APIs) sits between Users & Devices and partner systems]
• ENABLE USERS: Enterprise, Guest, BYOD, Apps
• AUTOMATE SECURITY: Tickets, Notifications & Guest Login
• Partner systems: Payment Management, Internet Security, Mobile Device Management, SIEM
ClearPass Exchange
• Inbound APIs
• Syslog/SQL Access
• Outbound Messaging
• Post-Authentication Controls
ClearPass APIs – Inbound
• Inbound APIs for identity management
– Create/Register new users & devices
– Retrieve/Manage users & devices
– Update/Delete users & devices
• Inbound APIs for configuration management
– Create/Retrieve/Update/Delete policy elements
– Includes Services, Authentication/Authorization Sources, Role Mappings, Enforcement, etc.
• SQL Access to Insight & “Log” Databases
– Read-Only access for supplemental data processing
ClearPass APIs – Inbound
• Read – https://<server>/tipsapi/config/read/<Entity>
• Write – https://<server>/tipsapi/config/write/<Entity>
• Delete Confirm – https://<server>/tipsapi/config/deleteConfirm/<Entity>
• Delete – https://<server>/tipsapi/config/delete/<Entity>
ClearPass Exchange – MDM
[Diagram: ClearPass and the MDM exchange endpoint context & trigger policies]
Device Policies
• Device restrictions
• Remote Lock & Wipe
• Install Application
• Black list Apps
Network Policies
• Firewall Policies
• Redirect to enroll
• Quarantine devices
• Bandwidth Prioritization
MDM Interaction – Inbound
Inventory
– Manufacturer: Apple
– Model: iPad2
– OS Version: iOS 6.1
– UDID: 1730235f564094186
– Serial Number: 79049XXXA4S
– IMEI: 012416009780168
– Phone Number: 408-534-2819
– Carrier: Verizon
– MDM Id: 130d0f992t34
– Owner: jhoward
– Display Name: John Howard
– Ownership: Employee Liable
Posture
– MDM Enabled: Yes
– Compromised: Not Jailbroken
– Encryption Enabled: Yes
– Blacklisted Apps: No
– Required Apps: Yes
– Last Check in: 01/30/2012 9:03am
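An added example (not ClearPass code) that turns inventory and posture attributes like those above into a network policy outcome such as quarantine or redirect to enroll; the attribute names follow the slide, while the thresholds, outcome names and the sample record are constructed:

```python
# Added example (not ClearPass code): mapping MDM inventory/posture attributes like
# those above to a network policy outcome. Attribute names follow the slide; the
# check-in threshold, outcome names and the sample record are constructed.
from datetime import datetime, timedelta

FMT = "%m/%d/%Y %I:%M%p"          # the date format the slide shows, e.g. 01/30/2012 9:03am

# Constructed record using the attribute names shown above.
SAMPLE_ENDPOINT = {"MDM Enabled": "Yes", "Compromised": "Not Jailbroken",
                   "Encryption Enabled": "Yes", "Blacklisted Apps": "No",
                   "Required Apps": "Yes", "Last Check in": "01/30/2012 9:03am",
                   "Ownership": "Employee Liable"}

def posture_role(ep, now, max_checkin_age=timedelta(days=1)):
    """Decide the network policy for one endpoint. Order matters: a device the MDM
    does not know gets the enrollment redirect, a compromised or stale one is
    quarantined, and only remediable gaps send a known device back to enroll."""
    if ep.get("MDM Enabled") != "Yes":
        return "redirect-to-enroll"          # no posture to evaluate yet
    if ep.get("Compromised") != "Not Jailbroken":
        return "quarantine"                  # a jailbroken device is not remediated online
    try:
        last = datetime.strptime(ep.get("Last Check in", ""), FMT)
    except ValueError:
        return "quarantine"                  # missing or unparseable check-in time
    if now - last > max_checkin_age:
        return "quarantine"                  # posture older than we accept is no posture
    if (ep.get("Encryption Enabled") != "Yes" or ep.get("Blacklisted Apps") != "No"
            or ep.get("Required Apps") != "Yes"):
        return "redirect-to-enroll"          # MDM can remediate: push/remove apps, enforce encryption
    return "employee" if ep.get("Ownership") == "Employee Liable" else "byod"

def decide(ep, now_text):
    """Evaluate a record at a given time; now_text uses the slide's date format."""
    return posture_role(ep, datetime.strptime(now_text, FMT))
```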
MDM Interaction – Outbound
Trigger MDM Action Using Device Information
[Diagram: device, MDM server and ClearPass cluster]
1. Device checks in with MDM
2. Device connects over WiFi
3. Device type & posture polled for policy decisions & reporting
4. Endpoint data replicated to ClearPass cluster
5. ClearPass requests MDM Action
Outbound HTTP Messaging
• Can now combine both RADIUS and HTTP
– Enforce on the network with RADIUS
– Enforce via HTTP using RESTful APIs
• Reverse action back to MDM server
• Create a helpdesk ticket, post to a web application
Outbound HTTP Messaging
• Typically used for create actions
– Most often used with HTTP POST method
• Select the Content-Type
– Options include HTTP, JSON, XML, PLAIN and CUSTOM
• Support for parameterized values
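An added example, not ClearPass code, of filling a parameterized POST body according to its Content-Type; the %{...} placeholder syntax, the attribute names and their values are assumptions made for this example. It shows why substitution has to escape for the body's format rather than paste attribute values in as text:

```python
# Added example (not ClearPass code): filling a parameterized outbound body the
# way an HTTP enforcement profile does, escaping each value for the chosen
# Content-Type. The %{...} placeholder syntax, attribute names and values are
# assumptions constructed for this example.
import json
import re
from xml.sax.saxutils import escape

PLACEHOLDER = re.compile(r"%\{([^}]+)\}")

def render(template, attrs, content_type):
    """Substitute %{Name} with attrs[Name], escaped for the body's content type.
    Unknown names raise KeyError so a misspelled placeholder never ships as text."""
    def sub(m):
        value = str(attrs[m.group(1)])
        if content_type == "JSON":
            return json.dumps(value)[1:-1]          # escape quotes/backslashes, drop outer quotes
        if content_type == "XML":
            return escape(value, {'"': "&quot;"})   # &, <, > and " become entities
        return value                                 # PLAIN: sent verbatim
    return PLACEHOLDER.sub(sub, template)

# Constructed post-authentication attributes; the username carries characters that
# are legal in a directory but meaningful inside a JSON or XML body.
ATTRS = {"Authentication:Username": 'jhoward", "role": "admin',
         "Endpoint:MAC": "00:11:22:33:44:55", "Endpoint:Model": "iPad2"}
TICKET_JSON = '{"role": "guest", "user": "%{Authentication:Username}", "mac": "%{Endpoint:MAC}"}'
TICKET_XML = "<ticket><user>%{Authentication:Username}</user><model>%{Endpoint:Model}</model></ticket>"

def build_ticket_json():
    """Escaped rendering: the body parses and the username stays one string field."""
    return json.loads(render(TICKET_JSON, ATTRS, "JSON"))

def build_ticket_xml():
    return render(TICKET_XML, ATTRS, "XML")

def naive_json_role():
    """Same template filled by plain string replacement: the value rewrites 'role'."""
    body = TICKET_JSON
    for name, value in ATTRS.items():
        body = body.replace("%{" + name + "}", str(value))
    return json.loads(body)["role"]
```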
Post Authentication Engine
• Policy Control AFTER Authentication?
– Bandwidth Control
– Session Control
– Action chaining
– 3rd Party Integration
• Use Cases
– Restrict “Guests” to 500MB per day
– Allow only ONE BYOD per employee
– Update identity and forensic data
Post Authentication Engine
• ClearPass can take “actions” after network authentications
• Why?
– Asynchronous event processing
– Interrupt-free authentication flows
– Allows ClearPass to undertake high-latency transactions
• Types of actions
– Restrict Sessions – Set Bandwidth/Time quotas
– Update ClearPass Entities
– Integrate with 3rd party systems using HTTP
• HelpDesk and Communication systems
• MDM, Payment Gateways, …
Session Restrictions
• Bandwidth Limits
• Session Limits
• Session Duration
• PANW Updates
• Agent Disconnect
Bandwidth Limits
• Enforce limits on the amount of bandwidth that the user can use
• Date / Time based checks
• Disconnect and blacklist the user on exceeding the bandwidth
Session Limits
• Limit the number of simultaneous sessions for the user
• Fix a scenario to work with the Guest MAC Caching flow
• Disconnect the user on exceeding the max sessions
Session Duration
• Enforce limits on the amount of time the user is allowed to access the network
• Date / Time based checks
• Disconnect and blacklist the user on exceeding the total session duration
• Allow flexibility to reset the session duration by specifying start/stop date/time
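An added example (not ClearPass code) of the decisions behind the bandwidth and session limits above, covering the 500MB-per-day guest quota and the one-BYOD-per-employee use case from the Post Authentication Engine slides; the policy table, action names and accounting records are constructed, and active sessions stand in for BYOD devices:

```python
# Added example (not ClearPass code): the decisions a post-authentication engine
# derives from accounting data. The policy table, action names and the
# accounting records are constructed; active sessions stand in for BYOD devices.
from collections import defaultdict
from datetime import date

MB = 1024 * 1024
POLICY = {"Guest": {"daily_bytes": 500 * MB, "max_sessions": None},
          "Employee": {"daily_bytes": None, "max_sessions": 1}}   # one BYOD per employee

# Constructed accounting records:
# (user, role, session id, day, input+output octets, session still active?)
RECORDS = [
    ("guest1", "Guest", "s1", date(2014, 6, 1), 300 * MB, False),
    ("guest1", "Guest", "s2", date(2014, 6, 1), 250 * MB, True),
    ("guest2", "Guest", "s3", date(2014, 6, 1), 120 * MB, True),
    ("jhoward", "Employee", "s4", date(2014, 6, 1), 50 * MB, True),
    ("jhoward", "Employee", "s5", date(2014, 6, 1), 10 * MB, True),
]

def evaluate(records, today):
    """Return {user: [actions]} for every user who is over a limit of their role."""
    usage = defaultdict(int)      # bytes transferred today, per user, across all sessions
    active = defaultdict(list)    # active session ids per user, oldest first
    role_of = {}
    for user, role, sid, day, octets, is_active in records:
        role_of[user] = role
        if day == today:
            usage[user] += octets
        if is_active:
            active[user].append(sid)
    actions = {}
    for user, role in role_of.items():
        limits, acts = POLICY[role], []
        quota = limits["daily_bytes"]
        if quota is not None and usage[user] > quota:
            # Over the daily quota: drop the live session and block re-auth for the day.
            acts += ["disconnect", "blacklist-until-midnight"]
        cap = limits["max_sessions"]
        if cap is not None and len(active[user]) > cap:
            # Too many concurrent sessions: disconnect the newest ones, keep the first.
            acts += ["disconnect:" + sid for sid in active[user][cap:]]
        if acts:
            actions[user] = acts
    return actions

def evaluate_sample():
    return evaluate(RECORDS, date(2014, 6, 1))
```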
Update Palo Alto Networks Firewall
• Send userId and registration updates to Palo Alto device
• Integration with NetWatch framework for faster updates
• Ability to send full usernames in userId updates [with domain prefix/suffix]
• HIP support
• Extended support for MAC Caching flow
Entity Updates
• Endpoint Updates
• Guest Updates [User + Devices]
Example – ServiceNow
Example – SendGrid
What’s new in ClearPass?
ClearPass 6.3 – Key Additions
• Single Sign On
– Streamline login to cloud/web applications
– Aruba Auto Sign On
• BYOD and Guest Features
– Improved integration with MDM vendors
– AirGroup time and group sharing
• NAC Enhancements
– Integration with Patch Management solutions
– Improved dissolvable agent workflows
• Platform Features
– Real time outbound HTTP enforcement
– FIPS 140-2, New performance monitoring framework
ClearPass 6.3 – BYOD & MDM
[Diagram: CPPM and MDM providers]
– CPPM as the Certificate Authority for leading MDM providers (via SCEP or EST)
– Trigger MDM actions from CPPM via HTTP enforcement
– Provision full iOS 7.0 feature set through Onboard
ClearPass 6.3 – Profiling and Enforcement
• New Profile Options
– Profile DHCP via SPAN port
– Profile from Cisco network equipment (requires IOS 15SE1)
– Update Device Fingerprint
• New Enforcement Options
– Use Active Directory expiration date
– Custom outbound HTTP actions (JSON, XML, HTTP, PUT, GET)
ClearPass 6.3 – Server Certificates
• Dual Certificates for Web Logins and 802.1X
– One for RADIUS/802.1X, One for HTTPS/SSL
ClearPass 6.3 – BYOD Certificates
ClearPass 6.3 – AirGroup
• Group Sharing
– Admin defines groups
– Users allowed to access/share based on groups
– New or removed groups/devices enforced automatically
• Time Sharing*
– Schedule every Tuesday at 4pm for 1 hour with Class A
– Only allow access when schedule permits the group attribute
*requires AOS 6.4
ClearPass 6.3 – OnGuard
• User Experience
– Localization framework for persistent agent
– Dissolvable agent on CP Guest, all new workflow
– Inline update of persistent agent
• New Health Classes
– Installed Applications (Windows, OSX)
– Patch Management Solutions (Windows/OSX)
• Enforcement
– Per-Application health checks
– Configurable health check period (persistent)
– Monitor mode support for health classes
ClearPass 6.3 – Open in AirWave
ClearPass 6.3 – Performance Monitoring
ClearPass 6.3 – Authentication Simulation
Summary
[Diagram: three pillars]
WORKFLOW
• Onboarding, Registration
• Guest Management
• MDM Integration
POLICY
• Role-based Enforcement
• Health/Posture Checks
• Device Context
VISIBILITY
• Device Profiling
• Troubleshooting
• Per Session Tracking
Q&A
Thank You