Transcript of the slide deck "ClearPass Policy Manager – Advanced" by Ashwath Murthy (Airheads Conference, 2013)
CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 1 #airheadsconf #airheadsconf

Slide 1: ClearPass Policy Manager – Advanced
Ashwath Murthy
03/15/2013
Slide 2: Agenda
• ClearPass – Policy Model
• Authorization – What and Why?
• Profile – How does it work?
• Clustering & Deployment
• Q & A
Slide 3: ClearPass Policy Model (section title)
Slide 4: ClearPass Policy Model
• What constitutes the policy model?
• How does it work?
• What are the interactions between the various components?
• How does the policy model affect configuration & deployment?
Slide 5: ClearPass Policy Model
A policy is built from four classes of conditions:
• Identity – Role, Department, Group
• Health – AV, AS, FW (antivirus, antispyware, firewall), Registry Keys, Services…
• Device – Device type, status, health; Address, O/S; Corp. Owned
• Conditions – Time, Location, Day of Week
Slide 6: What's the flow?
• Authenticate – Valid authentication
• Authorize – Find out what's allowed
• Associate Context – Device, Time, Location, Posture
• Enforce on NAS – Roles, ACLs, VLANs
Slide 7: What Are The Interactions?
• RADIUS Server – Authenticate
• Policy Server – Authorize
• Policy Server – Associate Context
• Policy Server – Decision Tree
• RADIUS Server – Enforce
Slide 8: Service Flow – 802.1X
(flow diagram, in the order the stages run)
• Layer 2: RADIUS Request
• Layer 2: Authentication
• Layer 2: Authorization
• Layer 2: Role Derivation
• Layer 2: NAP
• Layer 2: RADIUS Enforcement
• Layer 3: Profile
• Layer 3: OnGuard
Slide 9: Service Flow – Implications
• Layer 2 authentications are completed first
– Full authorization
– Role derivation
– NAP (if enabled)
– Layer 2 enforcement
• Layer 3: Profile runs next, once the client's DHCP Request and DHCP Offer have been seen
– If the new fingerprint changes the policy result, ClearPass sends an RFC 3576 Change of Authorization to the NAS, which triggers another Layer 2 authentication!
– No RFC 3576 message is sent if the "fingerprint" does not change
• Layer 3: Posture is collected last (OnGuard)
– Posture is reported over HTTPS
– RFC 3576 is sent based on policy, which again means another Layer 2 authentication!
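The CoA step in the flow just described, as an added example that is not part of the deck or of ClearPass: a Python builder for the RFC 3576 (now RFC 5176) CoA-Request a policy server sends when a later Profile stage changes a device's classification, with the "no message if the fingerprint is unchanged" rule applied. The session values, shared secret, role name and fingerprints are constructed; the Aruba-User-Role VSA encoding (vendor 14823, vendor type 1) follows the public FreeRADIUS Aruba dictionary; and the Message-Authenticator attribute that production senders normally add is left out so the Request Authenticator math stays visible.

```python
"""RFC 3576/5176 Change-of-Authorization (CoA), as an added example.

Illustrative code, not ClearPass's implementation: it builds the CoA-Request
a policy server sends to a NAS after the Layer 3 Profile (or OnGuard) stage
changes the session's classification, and applies the rule from the slide:
no RFC 3576 message when the fingerprint did not change.
"""
import hashlib
import hmac
import socket
import struct

COA_REQUEST = 43            # RFC 5176 packet codes
DISCONNECT_REQUEST = 40

# RADIUS attribute types (RFC 2865 / RFC 2866)
USER_NAME = 1
NAS_IP_ADDRESS = 4
VENDOR_SPECIFIC = 26
CALLING_STATION_ID = 31
ACCT_SESSION_ID = 44

ARUBA_VENDOR_ID = 14823     # Aruba-User-Role is vendor type 1 (public FreeRADIUS Aruba dictionary)
ARUBA_USER_ROLE = 1


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header octets too."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def aruba_user_role(role: str) -> bytes:
    """Vendor-Specific attribute carrying the derived ClearPass role to an Aruba NAS."""
    inner = struct.pack("!BB", ARUBA_USER_ROLE, len(role) + 2) + role.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + inner)


def build_request(code: int, identifier: int, secret: bytes, attrs: bytes) -> bytes:
    """Header + Request Authenticator + attributes.

    RFC 5176 2.3: Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    A Message-Authenticator (attribute 80) is omitted here; production senders normally add one.
    """
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """What the receiving NAS does: recompute the authenticator with its own copy of the secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def coa_after_profile(session: dict, old_fingerprint: tuple, new_fingerprint: tuple,
                      new_role: str, secret: bytes, identifier: int = 1):
    """Return a CoA-Request pushing the new role, or None when Profile changed nothing.

    A fingerprint here is the (Category, OS Family, Device Name) triple from the Profile stage.
    """
    if old_fingerprint == new_fingerprint:
        return None              # unchanged fingerprint: no RFC 3576 message, no re-authentication
    attrs = (avp(USER_NAME, session["user"].encode())
             + avp(CALLING_STATION_ID, session["mac"].encode())
             + avp(ACCT_SESSION_ID, session["acct_session_id"].encode())
             + avp(NAS_IP_ADDRESS, socket.inet_aton(session["nas_ip"]))
             + aruba_user_role(new_role))
    return build_request(COA_REQUEST, identifier, secret, attrs)


# Constructed sample session and secret (not captured from a real deployment)
SESSION = {"user": "alice", "mac": "00-17-f2-aa-bb-cc",
           "acct_session_id": "0003a1b2", "nas_ip": "10.1.1.5"}
SECRET = b"example-shared-secret"

if __name__ == "__main__":
    before = ("SmartDevice", "Apple", "Apple iOS Device")   # classification after the DHCP fingerprint
    after = ("SmartDevice", "Apple", "Apple iPad")          # refined once the HTTP User-Agent was seen
    print(coa_after_profile(SESSION, before, after, "exec-ipad", SECRET).hex())
    print(coa_after_profile(SESSION, after, after, "exec-ipad", SECRET))   # None: nothing changed
```

`verify_request` is the NAS side: the shared secret never crosses the wire, so a mismatched secret just yields a silently discarded CoA, which is the first thing to check when a CoA appears to have no effect on the switch or controller.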
Slide 10: Authorization – What and Why? (section title)
Slide 11: Authorization – What and Why?
• Authentication vs. Authorization
• Authorization & ClearPass
• Use Cases
Slide 12: Authorization & ClearPass
• "Authorization" sources in ClearPass
– Where do I find them?
– How do I use them?
– How often does ClearPass talk to an authorization source?
– What happens in case something goes wrong?
Slide 13: Authorization Sources – Where?
• An "Authentication Source" is also an "Authorization Source"
– The RADIUS Server authenticates against it; the Policy Server authorizes with the attributes it returns
Slide 14: Authorization Sources – How?
• Authentication Sources are automatically Authorization Sources
• Additional Authorization Sources are enabled per Service
• No authorization lookup happens unless the source's attributes are used in Roles (role mapping rules)!
Slide 15: Authorization Sources – How?
(screenshot of role mapping rules)
• Authorize with Active Directory
• Authorize with Profile data
• Rule Algorithm: Evaluate All
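Role mapping with "Evaluate All", as an added illustration that is not ClearPass's rule engine. It models the two points on the last two slides: every matching rule contributes a role (versus stopping at the first match), and a source is only queried when a rule actually references one of its attributes. The "Source:Attribute" naming, the sources (AD, Endpoint, Date, Assets) and their contents are constructed for the example.

```python
"""Role mapping rules with the 'Evaluate All' algorithm, as an added example.

Not ClearPass code: a small rule engine over namespaced attributes such as
'AD:memberOf' or 'Endpoint:Category'. The sources and data are constructed.
"""
from dataclasses import dataclass
from typing import Callable


def _contains(actual, wanted) -> bool:
    """Substring match; for multi-valued attributes (AD memberOf) any value may match."""
    if actual is None:
        return False
    if isinstance(actual, (list, tuple, set)):
        return any(wanted in str(item) for item in actual)
    return wanted in str(actual)


OPERATORS = {
    "EQUALS": lambda a, v: a is not None and a == v,
    "NOT_EQUALS": lambda a, v: a is not None and a != v,
    "CONTAINS": _contains,
    "BELONGS_TO": lambda a, v: a is not None and a in v,
}


@dataclass
class Rule:
    conditions: list   # [(attribute, operator, value), ...]; all must hold
    role: str


class Context:
    """Authorization data fetched lazily: a source is queried only if a rule references it."""

    def __init__(self, sources: dict):
        self._sources = sources          # name -> zero-argument fetch function
        self._fetched: dict = {}

    def get(self, attribute: str):
        source, _, name = attribute.partition(":")
        if source not in self._fetched:
            self._fetched[source] = self._sources[source]()
        return self._fetched[source].get(name)

    @property
    def sources_queried(self) -> set:
        return set(self._fetched)


def map_roles(rules: list, ctx: Context, algorithm: str = "evaluate-all",
              default_role: str = "[Guest]") -> list:
    """'evaluate-all' collects every matching rule's role; 'first-applicable' stops at the first hit."""
    roles = []
    for rule in rules:
        if all(OPERATORS[op](ctx.get(attr), value) for attr, op, value in rule.conditions):
            roles.append(rule.role)
            if algorithm == "first-applicable":
                break
    return roles or [default_role]


# Constructed stand-ins for Active Directory, the Endpoint/Profile repository, the clock and an
# asset database keyed by MAC. No rule below uses Assets, so it must never be contacted.
def ad():
    return {"memberOf": ["CN=Employees,OU=Groups,DC=example,DC=com",
                         "CN=Executives,OU=Groups,DC=example,DC=com"],
            "department": "Finance"}

def endpoint():
    return {"Category": "SmartDevice", "OS Family": "Apple", "Device Name": "Apple iPad"}

def date():
    return {"Day-of-Week": "Monday"}

def assets():
    raise AssertionError("asset database queried although no rule references it")

SOURCES = {"AD": ad, "Endpoint": endpoint, "Date": date, "Assets": assets}

RULES = [
    Rule([("AD:memberOf", "CONTAINS", "CN=Employees")], "Employee"),
    Rule([("Endpoint:Category", "EQUALS", "SmartDevice"),
          ("Endpoint:OS Family", "EQUALS", "Apple")], "iOS-Device"),
    Rule([("AD:memberOf", "CONTAINS", "CN=Executives"),
          ("Endpoint:Device Name", "EQUALS", "Apple iPad")], "Exec-iPad"),   # the 'CEOs & iPads' case
    Rule([("Date:Day-of-Week", "BELONGS_TO", ["Saturday", "Sunday"])], "Weekend-Restricted"),
]

if __name__ == "__main__":
    ctx = Context(SOURCES)
    print(map_roles(RULES, ctx))                                    # ['Employee', 'iOS-Device', 'Exec-iPad']
    print(map_roles(RULES, Context(SOURCES), "first-applicable"))   # ['Employee']
    print(ctx.sources_queried)                                      # {'AD', 'Endpoint', 'Date'}
```

With "Evaluate All" the enforcement policy later sees all three roles and can match on any combination of them; with first-match the device would only ever be an "Employee", and the iPad-specific enforcement would never fire.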
Slide 16: Authorization – How?
• Ok, great. But will ClearPass flood my AD with authorization requests?
– Authorization data is cached per user
– A new request is made to fetch the data once the cache expires
– Cache timers can be tuned (Cache Timeout default: 10 hours)
Slide 17: Authorization – How?
• Got it. But I just made a bunch of changes in my AD. Do I need to wait 10 hours?
– Tune the cache timers
– "Clear Cache" button on the Authentication Source: wipes the cache for all users
– "Save" button on the Authentication Source: also wipes the cache for all users
– Restart the Policy Server: BAD IDEA!!!
Slide 18: Authorization – Uh-Oh!
• If an Authentication/Authorization Source is not reachable
– Configure Backup Servers
– Configure the Fail-Over Timeout
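The cache and fail-over behaviour from the last three slides, as an added example in illustrative Python rather than ClearPass code: attributes fetched from a source are cached per user for the Cache Timeout (default 10 hours), "Clear Cache" wipes every user's entry, and an unreachable primary fails over to the configured backup servers after the Fail-Over Timeout. The server names, directory contents, fetch function and clock are constructed so the block runs offline.

```python
"""Per-user authorization cache with backup servers, as an added example (not ClearPass code)."""
import time
from typing import Callable

# fetch(server, username, timeout_seconds) -> attribute dict; raises TimeoutError/ConnectionError
Fetcher = Callable[[str, str, float], dict]


class AuthorizationSource:
    def __init__(self, primary: str, backups: list, fetch: Fetcher,
                 cache_timeout: float = 10 * 3600, failover_timeout: float = 3.0,
                 clock: Callable[[], float] = time.monotonic):
        self.servers = [primary, *backups]        # primary first, then backups in order
        self._fetch = fetch
        self.cache_timeout = cache_timeout        # the slide's default: 10 hours
        self.failover_timeout = failover_timeout  # how long to wait on one server before the next
        self._clock = clock
        self._cache: dict = {}                    # username -> (expires_at, attributes)
        self.backend_calls = 0                    # how often the directory was actually contacted

    def lookup(self, username: str) -> dict:
        now = self._clock()
        hit = self._cache.get(username)
        if hit and hit[0] > now:
            return hit[1]                         # served from cache: no directory traffic
        attrs = self._fetch_with_failover(username)
        self._cache[username] = (now + self.cache_timeout, attrs)
        return attrs

    def _fetch_with_failover(self, username: str) -> dict:
        errors = []
        for server in self.servers:
            self.backend_calls += 1
            try:
                return self._fetch(server, username, self.failover_timeout)
            except (TimeoutError, ConnectionError) as exc:
                errors.append(f"{server}: {exc}")
        raise ConnectionError("no authorization server reachable: " + "; ".join(errors))

    def clear_cache(self) -> None:
        """What the 'Clear Cache' (and 'Save') button does: every user's entry goes at once."""
        self._cache.clear()


# Constructed directory replica and a fetcher that simulates unreachable servers
DIRECTORY = {
    "alice": {"memberOf": ["CN=Finance,DC=example,DC=com"], "department": "Finance"},
    "bob": {"memberOf": ["CN=Engineering,DC=example,DC=com"], "department": "Engineering"},
}


def make_fetch(down: set) -> Fetcher:
    def fetch(server, username, timeout):
        if server in down:
            raise TimeoutError(f"no reply within {timeout}s")
        return dict(DIRECTORY[username])
    return fetch


class FakeClock:
    """Adjustable clock so cache expiry can be exercised without waiting 10 hours."""
    def __init__(self):
        self.t = 0.0

    def now(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    src = AuthorizationSource("dc1.example.com", ["dc2.example.com"],
                              make_fetch({"dc1.example.com"}), clock=clock.now)
    print(src.lookup("alice"), src.backend_calls)   # primary timed out, backup answered: 2 calls
    print(src.lookup("alice"), src.backend_calls)   # cached: still 2
    clock.t += 10 * 3600 + 1
    print(src.lookup("alice"), src.backend_calls)   # cache expired: fetched again
```

Note what the failover costs: every cache miss while the primary is down waits the full Fail-Over Timeout before the backup is tried, so a long timeout combined with a freshly cleared cache turns a directory outage into slow authentications for every user at once.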
Slide 19: Use Cases – Mergers & Acquisitions
• Two Active Directory domains used side by side as authentication/authorization sources: avendasys.com and arubanetworks.com
Slide 20: Use Cases – Certificates & TLS
• Authentication & Authorization Sources for TLS
– Certificate details are used for authorization
– Enable Authorization: source specified in the Service
– Compare Certificate: source specified in the Service
Slide 21: Use Cases – Asset Databases
• LDAP/SQL interface to asset databases
– Key: MAC address
– Authorization attributes: Ownership (corporate vs. personal), Compliance status (in/out of compliance)
– Identify corporate-owned non-Windows devices
Slide 22: Profile – How does it work? (section title)
Slide 23: Profile – How does it work?
• Profile & network data
• Automatic Profile "upgrades"
• Using Profile data in policy
• Configuring Profile – DHCP? HTTP? SNMP?
• Use Cases
Slide 24: Profile & Network Data
• What does ClearPass use to profile?
– MAC OUIs
– DHCP Request, DHCP Offer
– HTTP User-Agent
– MDM fingerprints
– Device interrogation
– SNMP/CDP/LLDP data
Slide 25: Fingerprint Updates
• Subscribe to fingerprint updates
– Automatic reclassification
– Updated frequently
• Tell Aruba!
– Create policy exceptions
– Grab fingerprints from the UI
– Send fingerprints to Aruba
– Crowd-sourced, community oriented
Slide 26: Using Profile data in policy
• Automatic 3-level categorization: Device Category, OS Family, Device Name
• Using raw profile data: DHCP data, HTTP User-Agent, SNMP data
• Role Mapping – what should I use?
• Enforcement – how do I enforce? What are the benefits?
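The profiling mechanics of the last three slides, as an added example that is not ClearPass's profiler: a small engine that combines MAC OUI, DHCP options and HTTP User-Agent into the three-level (Device Category, OS Family, Device Name) classification, shows a later signal refining an earlier one, and shows a fingerprint-database update reclassifying endpoints already seen (the "automatic reclassification" of slide 25). The OUI table, fingerprints, weights and sample endpoints are constructed for the example.

```python
"""Device profiling from MAC OUI, DHCP options and HTTP User-Agent, as an added example.

Not ClearPass's profiler; the OUI subset and fingerprint table are constructed.
"""
from dataclasses import dataclass, field

UNKNOWN = ("Unknown", "Unknown", "Unknown")

# Constructed OUI subset: first three octets of the MAC -> vendor
OUI_VENDORS = {"00:17:f2": "Apple", "00:50:56": "VMware", "00:1e:0b": "HP"}

# Each fingerprint: the signal it inspects, the substring to find, how much to trust it, and the
# (Category, OS Family, Device Name) it implies. The highest-weight match wins.
FINGERPRINTS = [
    {"signal": "oui", "match": "Apple", "weight": 20, "class": ("SmartDevice", "Apple", "Apple Device")},
    {"signal": "dhcp55", "match": "1,121,3,6,15,119,252", "weight": 60,
     "class": ("SmartDevice", "Apple", "Apple iOS Device")},
    {"signal": "user_agent", "match": "iPad;", "weight": 90, "class": ("SmartDevice", "Apple", "Apple iPad")},
    {"signal": "dhcp60", "match": "MSFT 5.0", "weight": 50, "class": ("Computer", "Windows", "Windows")},
    {"signal": "user_agent", "match": "Windows NT 6.1", "weight": 80, "class": ("Computer", "Windows", "Windows 7")},
    {"signal": "oui", "match": "VMware", "weight": 40, "class": ("Computer", "Virtual Machine", "VMware VM")},
]


def signals(endpoint: dict) -> dict:
    """Normalise raw endpoint data into the signal names the fingerprint table uses."""
    out = {}
    mac = endpoint.get("mac", "").lower().replace("-", ":")
    vendor = OUI_VENDORS.get(mac[:8])
    if vendor:
        out["oui"] = vendor
    for option, name in ((55, "dhcp55"), (60, "dhcp60")):     # parameter request list, vendor class
        if option in endpoint.get("dhcp", {}):
            out[name] = endpoint["dhcp"][option]
    if endpoint.get("user_agent"):
        out["user_agent"] = endpoint["user_agent"]
    return out


def classify(endpoint: dict, fingerprints=FINGERPRINTS) -> tuple:
    """Best-weighted fingerprint match over everything collected for the endpoint so far."""
    best, best_weight = UNKNOWN, -1
    seen = signals(endpoint)
    for fp in fingerprints:
        value = seen.get(fp["signal"])
        if value is not None and fp["match"] in value and fp["weight"] > best_weight:
            best, best_weight = fp["class"], fp["weight"]
    return best


@dataclass
class Profiler:
    fingerprints: list = field(default_factory=lambda: list(FINGERPRINTS))
    endpoints: dict = field(default_factory=dict)     # mac -> accumulated raw data
    classes: dict = field(default_factory=dict)       # mac -> current classification

    def observe(self, mac: str, **data) -> tuple:
        """Merge newly collected data for a MAC; returns (old, new, changed).

        'changed' is the condition for an RFC 3576 CoA; an unchanged result sends nothing.
        """
        ep = self.endpoints.setdefault(mac, {"mac": mac, "dhcp": {}})
        ep["dhcp"].update(data.pop("dhcp", {}))
        ep.update(data)
        old = self.classes.get(mac, UNKNOWN)
        new = classify(ep, self.fingerprints)
        self.classes[mac] = new
        return old, new, old != new

    def update_fingerprints(self, new_entries: list) -> list:
        """Apply a fingerprint update and re-run every known endpoint; returns the MACs that changed."""
        self.fingerprints.extend(new_entries)
        return [mac for mac in self.endpoints if self.observe(mac)[2]]


if __name__ == "__main__":
    p = Profiler()
    # Constructed samples: DHCP is seen first; the User-Agent only once the device browses
    print(p.observe("00:17:f2:aa:bb:cc", dhcp={55: "1,121,3,6,15,119,252"}))
    print(p.observe("00:17:f2:aa:bb:cc", user_agent="Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X)"))
    print(p.observe("00:1e:0b:11:22:33", dhcp={60: "Hewlett-Packard JetDirect"}))   # no fingerprint yet
    print(p.update_fingerprints([{"signal": "dhcp60", "match": "JetDirect", "weight": 70,
                                  "class": ("Printer", "HP", "HP JetDirect Printer")}]))
```

Two things the sequence makes visible: the classification is only as good as the signals the network actually delivers to the profiler (no DHCP relay, no DHCP fingerprint), and every reclassification, whether from a new signal or from a fingerprint update, is a potential CoA and therefore a potential re-authentication for that device, so fingerprint updates are best applied with an eye on what they will re-trigger.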
Slide 27: Configuring Profile – Network Considerations
• DHCP relay – where should I set up DHCP relays?
• Captive portal configuration – is there a knob for this?
• Reading SNMP data – CDP, LLDP, HR MIB, sysDescr
Slide 28: Use Cases
• Policy – CEOs & iPads
• Policy – "Headless" devices
• Visibility – Demystifying BYODs
Slide 29: Use Cases – CEOs & iPads
(screenshots) Assign Roles; Enforce Access
Slide 30: Use Cases – Headless Devices
(screenshot) Identify & assign roles to headless devices
Slide 31: Use Cases – Visibility
(screenshot)
Slide 32: Clustering & Deployment (section title)
Slide 33: Clustering & Deployment
• Clustering technology – what's replicated? What's not?
• Deploying ClearPass clusters – considerations
• Operations & maintenance
– What happens when a ClearPass node is down?
– Events & alerts
– Rescue & recovery
Slide 34: Clustering Technology
• What's replicated?
– All policy configuration elements
– All audit data
– All identity store data: guest accounts, endpoints, profile data
– Runtime information: authorization status, posture status, roles; connectivity information, NAS details
– Database replication on port 5432 over SSL
– Runtime replication on port 443 over SSL
Slide 35: Clustering Technology
• What's not replicated?
– Log files
– Authentication records
– Accounting records
– System events
– System monitor data
Slide 36: Clustering – Considerations
• How do they connect?
– Requires bi-directional IP connectivity
• Port 5432 (database over SSL)
• Port 80 (HTTP)
• Port 443 (HTTPS)
• Port 123 (NTP)
• How much data should we expect to see crossing the wire?
– Only elements in the configuration database
– The first sync is a full database copy
– Subsequent syncs propagate delta changes only
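A pre-join connectivity check for the cluster ports on the slide, as an added example and not an Aruba tool. The slide lists 5432 (database replication over SSL; 5432 is the PostgreSQL default), 80, 443 and 123 (NTP, which is UDP, so a TCP connect cannot test it) and says connectivity must be bi-directional, so the script is meant to be run on each node against every other node. The probe functions can be swapped for stubs, which the constructed example at the bottom does so that the block runs offline; the node names are made up.

```python
"""Pre-join connectivity check for the ClearPass cluster ports, as an added example (not Aruba's)."""
import socket
from typing import Callable

CLUSTER_PORTS = [(5432, "tcp"), (80, "tcp"), (443, "tcp"), (123, "udp")]


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake completes; a silent firewall drop shows up as a timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ntp_answers(host: str, port: int = 123, timeout: float = 3.0) -> bool:
    """Minimal NTP client request (LI=0, VN=3, Mode=3 -> first octet 0x1b); any 48-octet reply counts."""
    request = b"\x1b" + bytes(47)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(request, (host, port))
            reply, _ = s.recvfrom(48)
            return len(reply) == 48
    except OSError:
        return False


def plan(local: str, peers: list) -> list:
    """Every (source, destination, port, proto) this node must be able to reach outbound.
    Run on every node so the reverse direction is covered too."""
    return [(local, peer, port, proto) for peer in peers if peer != local
            for port, proto in CLUSTER_PORTS]


def run_checks(local: str, peers: list, tcp: Callable = tcp_open, udp: Callable = ntp_answers) -> dict:
    """Returns {(dst, port, proto): ok}; a False entry is a firewall rule to fix before joining."""
    results = {}
    for _, dst, port, proto in plan(local, peers):
        probe = tcp if proto == "tcp" else udp
        results[(dst, port, proto)] = probe(dst, port)
    return results


def failures(results: dict) -> list:
    return sorted(key for key, ok in results.items() if not ok)


# Constructed stub probes for an offline run: a branch firewall blocks NTP toward one subscriber
def stub_tcp(host, port, timeout=3.0):
    return True

def stub_udp(host, port=123, timeout=3.0):
    return host != "cppm-sub2.example.com"

NODES = ["cppm-pub.example.com", "cppm-sub1.example.com", "cppm-sub2.example.com"]

if __name__ == "__main__":
    res = run_checks(NODES[0], NODES, tcp=stub_tcp, udp=stub_udp)
    print(failures(res))     # [('cppm-sub2.example.com', 123, 'udp')]
```

A node that passes the TCP checks but fails NTP is the case to watch for: replication over SSL on 5432 and 443 depends on certificate validity windows, so clock drift on a subscriber that cannot reach time surfaces later as sync or certificate warnings rather than as an obvious join failure.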
Slide 37: Clustering – Considerations
(diagram) Hub & spoke: one PUBLISHER with SUBSCRIBER 1 through SUBSCRIBER 6 each replicating from it
Slide 38: Clustering – Considerations
(deployment diagram) Main Data Center: CPPM – Publisher, DNS/DHCP, Identity Stores. Mid-size Branch and Regional Office: a CPPM Subscriber each. DMZ: a CPPM Subscriber VM running CP Guest and CP Onboard.
• Central / distributed admin domains
• Redundancy / load balancing
• Cluster-wide licenses
Slide 39: Operations & Maintenance
• What happens when a node goes down?
– Operations: if deployed right, nothing; the RADIUS backup settings on the NAS take over
– If the Publisher goes down: no database writes are allowed!! Promote a Subscriber to Publisher, then resume configuration updates
Slide 40: Events & Alerts
• How long before ClearPass figures out something's wrong?
– 24 hours before it automatically "drops" a node from the cluster
– Cluster synchronization warnings: 1 event every hour x 24 hours = 24 events before the drop
– CPU/memory usage warnings: every 2 minutes
– Server certificate warnings: every 24 hours
– Service alerts: immediate
• Email/SMS alerts using Insight, Syslog & SNMP
Slide 41: Operations & Maintenance
• Rescue & Recovery
– Establish cluster connectivity: database sync will ensue; watch for "Last Sync Time"
– Restore certificates: server certificates are not installed as part of the sync
– Restore log entries (if necessary): caveat, high disk activity for an extended period of time
– Verify fail-back on the NAS: the NAS fail-back timers should kick in
Slide 42: Q & A

Slide 43: Thank You