7/25/2019 HP Aruba 2014 _ Access Management With Aruba ClearPass
http://slidepdf.com/reader/full/hp-aruba-2014-access-management-with-aruba-clearpass 1/55
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc. All rights
reserved
Access Management with Aruba ClearPass
Seth Fiermonti
June 2014
Agenda
• Introductions & Expectations
• What is ClearPass
• ClearPass – Policy Model
• Authorization – What and Why
• Profile – How does it work
• Clustering & Deployment
• Q & A
ClearPass Overview
Evolving IT Landscape
IT CENTRIC
• Windows
• Fixed Environment
• Wired Network
• IT Managed
• Slow Refresh
USER CENTRIC, SELF SERVICE
• Multiple Platforms
• Work from anywhere
• Wired, Wi-Fi, Cellular
• Selection of devices & apps
• User Timeframes
The ClearPass Solution
Comprehensive Solutions Architecture
WORKFLOW POLICY VISIBILITY
Role-based Enforcement
Health/Posture Checks
Device and App
Device Profiling
Troubleshooting
Per Session Tracking
Onboarding, Registration
Guest Management
MDM Integration
The ClearPass Access Security Platform
Policy Services
Identity Stores
3rd Party MDM
App Servers
DIFFERENTIATED ACCESS
UNIFIED POLICIES
DEVICE VISIBILITY
GUEST EMPLOYEE
POLICY SERVICES
ENTERPRISE-CLASS AAA
RADIUS, TACACS+
VPN
OnGuard: Posture & Health Checks
Onboard: Device Provisioning
Guest: Visitor Management
Multivendor Networks
ClearPass Policy Manager
AAA Services ONE ID Policy Engine
Context-Based Access Control
• Differentiated Access
– Role, device type, access method
• Policy-based AAA Services
– Support for 802.1X, MAC, Web (HTTPS) authentication
– Communicate to network devices via RADIUS, RADIUS CoA, TACACS+, SNMP
– Ability to read from multiple identity stores (AD, LDAP, SQL, Kerberos, Token Server, etc.)
– Enforcement Options – Allow/Deny, VLAN, ACL, dACL, URL redirects, SNMP
• Contextual Policy Elements
– Time, location, group, OS version, project
Platform Features – Out of the box
Multivendor DNA
• Wired, WLAN, VPN
Core Authentication
• AAA, LDAP, AD, Kerberos, Token, SQL, MAC, 802.1X, TACACS+, HTTPS, SSO (SAML, Okta)
Integrated Profiling
• Device profiling across wired & wireless
• Use directly in authorization policy
ClearPass Core Services
MDM Integration
• Leverage information gained from MDM vendors for profile & to influence policy
TACACS+ Server
• Replace legacy ACS solutions
Context Aware Authorization
• Device type, User, Time, Location, Posture
• Layer multiple conditions for policy derivation
Platform Features – Out of the box
Scale with Clustering
• Supports 1 million endpoints per cluster
• Centralized or distributed architecture
Flexible Licensing
• Perpetual licenses
• Subscription licenses
• 25 free endpoint Enterprise license included
Physical or Virtual Appliances
• Sized for variety of customer needs
• Virtual Appliance relies upon VMware
What’s in ClearPass 6.3
INTEGRATION INTEROPERABILITY
Auto Sign-On for Apps
• Simple Network authentication for App login
• Opens doors for mobile device SSO opportunities
Guest Advertising Included
• Customizable for gender, season, location
• Larger story in retail, healthcare, entertainment
Enhanced Certificate Distribution
• 3rd Party MDM solutions can now use Onboard CA
• You are the alternative for internal PKI integration
What’s in ClearPass 6.3
INTEGRATION INTEROPERABILITY
Remote Support
• Set up secure TAC session with a simple click
• Customer support because you asked for it
SPAN Port Profiling
• Any device addressed via DHCP gets profiled
• You get the big picture faster, from one port
Exchange
• Built-in tools for integration of third-party systems
• Data exchange with MDM, helpdesk, SIEM apps made easy
ClearPass Auto Sign-On
Only Aruba lets you sign-in once & you’re good to go
• One login for all web/mobile apps
– Uses valid network login
• NO App logins
• IBM, Okta, Ping
• ClearPass as Provider (IdP)
– Uses SAML, not RADIUS
ClearPass Exchange
Two-way Third-Party Integration
Syslog Messages / RESTful APIs
• Jail-broken device detected
• Helpdesk ticket auto generated
• Message to device auto generated
• ClearPass denies access to device
ClearPass Policy Model
ClearPass Policy Model
• What constitutes the policy model?
• How does it work?
• What are the interactions between various components?
• How does the policy model affect configuration & deployment?
ClearPass Policy Model
Policy
Identity
• Role
• Department
• Group
Health
• AV, AS, FW
• Registry Keys
• Services…
Device
• Device type, status, health
• Address, O/S
• Corp. Owned
Conditions
• Time
• Location
• Day of Week
What’s the flow?
Authenticate
• Valid Authentication
Authorize
• Find Out What’s Allowed
Associate Context
• Device, Time, Location, Posture
Enforce on NAS
• Roles, ACLs, VLANs
What Are The Interactions?
RADIUS Server – Authenticate
Policy Server – Authorize
Policy Server – Associate Context
Policy Server – Decision Tree
RADIUS Server – Enforce
ClearPass Policy Enforcement
ClearPass
Use external context to define granular policies
• User / role
• Device fingerprint
• OS version
• Health checks
• Jailbreak status
• Location
• Trusted or untrusted network
• Time
• Date
• Wired, Wi-Fi, VPN enforcement
Service Flow – 802.1X
• Layer 2: RADIUS Request
• Layer 2: Authentication
• Layer 2: Authorization
• Layer 2: Role Derivation
• Layer 2: RADIUS Enforcement
• Layer 3: Profile
• Layer 2: NAP
• Layer 3: OnGuard
Service Flow – Implications
• Layer 2 Authentications are completed first
– Full Authorization
– Role Derivation
– NAP (if enabled)
– Layer 2 Enforcement
• Layer 3 : Profile next – DHCP Request, DHCP Offer
– RFC 3576 – Change of Authorization
• Another Layer 2 authentication!
– No RFC 3576 message if “fingerprint” does not change
• Layer 3 : Collect Posture last (OnGuard) – Posture over HTTPS
– RFC 3576 based on policy
– Another Layer 2 authentication!
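The re-authentication sequence on this slide, modelled as an added Python example (not Aruba code): it counts how many Layer 2 authentications one 802.1X connection produces once profiling and posture are taken into account. The class, function and parameter names, the MAC address and the fingerprint value are hypothetical and constructed for the illustration.

```python
"""Model of the 802.1X service flow from the slide (illustration only, not ClearPass code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Endpoint:
    mac: str
    fingerprint: Optional[str] = None  # last stored profile, None if never profiled
    events: List[Tuple[str, str]] = field(default_factory=list)

    def layer2_auth(self, reason: str) -> None:
        # One full Layer 2 pass: authentication, authorization,
        # role derivation, NAP (if enabled) and enforcement.
        self.events.append(("L2_AUTH", reason))

    def change_of_authorization(self, reason: str) -> None:
        # An RFC 3576 CoA makes the NAS re-authenticate the session,
        # so every CoA costs one more Layer 2 pass.
        self.events.append(("COA", reason))
        self.layer2_auth("after CoA: " + reason)


def connect(ep: Endpoint, dhcp_fingerprint: str,
            posture_collected: bool = False,
            coa_on_posture: bool = True) -> int:
    """Run one connection; return the number of Layer 2 authentications it caused."""
    start = len(ep.events)
    ep.layer2_auth("initial 802.1X")
    # Layer 3 profiling comes next: a CoA is sent only if the fingerprint changed.
    if dhcp_fingerprint != ep.fingerprint:
        ep.fingerprint = dhcp_fingerprint
        ep.change_of_authorization("profile")
    # Layer 3 posture (OnGuard) comes last; the CoA here is a policy decision,
    # modelled as the coa_on_posture flag (an assumption of this example).
    if posture_collected and coa_on_posture:
        ep.change_of_authorization("posture")
    return sum(1 for kind, _ in ep.events[start:] if kind == "L2_AUTH")


if __name__ == "__main__":
    laptop = Endpoint(mac="00:00:5e:00:53:01")  # constructed documentation MAC
    print("first connect:", connect(laptop, "Windows", posture_collected=True))
    print("reconnect, same fingerprint:", connect(laptop, "Windows"))
```

A first connection with posture collection costs three authentications against the RADIUS server and identity store, which is the figure to use when sizing for peak logon periods.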
Authorization – What and Why
Authorization – What and Why?
• Authentication vs. Authorization
• Authorization & ClearPass
• Use Cases
Authorization & ClearPass
• “Authorization” Sources in ClearPass
– Where do I find them?
– How do I use them?
– How often does ClearPass talk to an authorization source?
– What happens in case something goes wrong?
Authorization Sources – Where?
• An “Authentication Source” is an “Authorization Source”
– RADIUS Server vs. Policy Server
Authorization Sources – How?
Authentication Sources are automatic Authorization Sources
Additional Authorization Sources enabled per Service
No Authorization unless used in Roles!
Authorization Sources – How?
Authorize with Active Directory
Authorize with Profile Data
Rule Algorithm: Evaluate All
Authorization – How?
• Ok, great. But will ClearPass flood my AD with authorization requests?
– Authorization data is cached per user
– New request made to fetch data once the cache expires
– Cache timers can be tuned
Cache Timeout (Default: 10 hours)
Authorization – How?
• Got it
• But I just made a bunch of changes on my AD. Do I need to wait 10 hours?
– Tune the cache timers
– “Clear Cache” button on the Authentication Source
• Wipes out cache for all users
– “Save” button on the Authentication Source
• Wipes out cache for all users
– Restart Policy Server
• BAD IDEA!!!
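The caching behaviour from the two "Authorization – How?" slides, as an added Python model (not ClearPass code): it shows that a group removed in the directory stays in effect until the per-user cache entry expires or the cache is cleared. The class and function names, the users and the group names are hypothetical and constructed for the illustration.

```python
"""Model of per-user authorization caching (illustration only, not ClearPass code)."""

DEFAULT_TIMEOUT_S = 10 * 3600  # slide: default cache timeout is 10 hours


class AuthzSource:
    def __init__(self, directory, timeout_s=DEFAULT_TIMEOUT_S):
        self.directory = directory   # stands in for AD: user -> set of groups
        self.timeout_s = timeout_s   # "cache timers can be tuned"
        self._cache = {}             # user -> (fetched_at, groups)
        self.queries = 0             # lookups that actually reached the directory

    def groups(self, user, now):
        """Return the groups used for authorization at time `now` (seconds)."""
        hit = self._cache.get(user)
        if hit is not None and now - hit[0] < self.timeout_s:
            return hit[1]            # served from cache, directory not contacted
        self.queries += 1
        fetched = frozenset(self.directory.get(user, ()))
        self._cache[user] = (now, fetched)
        return fetched

    def clear_cache(self):
        # "Clear Cache" and "Save" both wipe the cache for all users.
        self._cache.clear()


def stale_window_demo():
    """Remove a user from a group and observe when authorization notices."""
    ad = {"alice": {"Finance"}, "bob": {"Contractors"}}  # constructed sample data
    src = AuthzSource(ad)
    seen = [src.groups("alice", now=0)]
    ad["alice"] = set()                                # group removed in the directory
    seen.append(src.groups("alice", now=9 * 3600))     # cached: still "Finance"
    seen.append(src.groups("alice", now=10 * 3600))    # expired: refetched
    return seen, src.queries


if __name__ == "__main__":
    results, directory_queries = stale_window_demo()
    for hours, groups in zip((0, 9, 10), results):
        print(f"t={hours:>2}h groups={sorted(groups)}")
    print("directory queries:", directory_queries)
```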
Authorization – Uh-Oh!
• If an Authentication/Authorization Source is not reachable
– Configure Backup Servers
– Configure Fail-Over Timeout
Fail-Over Timeout
Backup Servers
Use Cases – Mergers & Acquisitions
Active Directory Domain – avendasys.com
Active Directory Domain – arubanetworks.com
Use Cases – Certificates & TLS
Authentication & Authorization Sources for TLS
Certificate Details used for Authorization
Enable Authorization – Source specified in the Service
Compare Certificate – Source specified in the Service
Use Cases – Asset Databases
• LDAP/SQL Interface to Asset Databases
– Key : MAC Address
– Authorization Attributes
• Ownership – Corporate vs. Personal
• Compliance Status – In/Out of compliance
– Identify corporate-owned non-Windows devices
Profile – How Does It Work?
Profile – How does it work?
• Profile & Network Data
• Automatic Profile “upgrades”
• Using Profile data in policy
• Configuring Profile
– DHCP? HTTP? SNMP?
• Use Cases
Profile & Network Data
What does ClearPass use to profile?
– MAC OUIs
– DHCP Request, DHCP Offer
– HTTP User-Agent
– MDM Fingerprints – Device Interrogation
– SNMP/CDP/LLDP Data
Fingerprint Updates
• Subscribe to Fingerprint Updates
– Automatic reclassification
– Updated frequently
• Tell Aruba!
– Create policy exceptions
– Grab fingerprints from UI
– Send fingerprints to Aruba
– Crowd-sourced, community oriented
Using Profile data in policy
• Automatic 3-level categorization
– Device Category, OS Family, Device Name
• Using raw profile data
– DHCP Data, HTTP User-Agent, SNMP Data
• Role Mapping
– What should I use?
• Enforcement
– How do I enforce?
– What are the benefits?
Configuring Profile – Network Considerations
• DHCP Relay
– Where should I set up DHCP relays?
• Captive Portal Configuration
– Is there a knob for this?
• Reading SNMP Data
– CDP
– LLDP
– HR MIB
– SysDescr MIB
Use Cases
• Policy – CEOs & iPads
• Policy – “Headless” Devices
• Visibility – Demystifying BYODs
Use Cases – CEOs & iPads
Assign Roles
Enforce Access
Use Cases – Headless Devices
Identify & Assign Roles To Headless Devices
Use Cases – Visibility
Clustering & Deployment
Clustering & Deployment
• Clustering Technology
– What’s replicated? What’s not?
• Deploying ClearPass Clusters
– Considerations
• Operations & Maintenance
– What happens when a ClearPass node is down?
– Events & Alerts
– Rescue & Recovery
Clustering Technology
• What’s replicated?
– All policy configuration elements
– All Audit data
– All identity store data
• Guest Accounts, Endpoints, Profile data
– Runtime Information
• Authorization status, Posture status, Roles
• Connectivity Information, NAS Details
– Database replication on port# 5432 over SSL
– Runtime replication on port# 443 over SSL
Clustering Technology
• What’s not replicated?
– Log files
– Authentication Records
– Accounting Records
– System Events
– System Monitor Data
Clustering – Considerations
• How do they connect?
– Requires IP connectivity (bi-directional)
• Port #5432 (Database over SSL)
• Port #80 (HTTP)
• Port #443 (HTTPS)
• Port #123 (NTP)
• How much data should we expect to see crossing the wire?
– Only elements in the configuration database
– First sync is a full database copy
– Subsequent sync – Delta changes propagated
Clustering – Considerations
Hub & Spoke
PUBLISHER
SUBSCRIBER 1
SUBSCRIBER 2
SUBSCRIBER 3
SUBSCRIBER 4
SUBSCRIBER 5
SUBSCRIBER 6
Clustering – Considerations
• Central / Distributed Admin Domains
• Redundancy/Load Balancing
• Cluster wide licenses
CPPM – Publisher
DNS
DHCP
Identity Stores
Main Data Center
Mid-size Branch
Regional Office
DMZ
CPPM Subscriber
VMCP Guest
CP Onboard
CPPM Subscriber
CPPM Subscriber
Operations & Maintenance
• What happens when a node goes down?
– Operations
• If Deployed Right – Nothing
• RADIUS Backup settings on the NAS
– If the Publisher goes down
• No Database Writes Allowed!!
• Promote a Subscriber to a Publisher
• Resume configuration updates
Events & Alerts
• How long before ClearPass figures out something’s wrong?
– 24 hours before it automatically “drops” a node from the cluster
– Cluster Synchronization Warnings
• 1 event every hour x 24 hours = 24 events
– CPU/Memory Usage Warnings: every 2 minutes
– Server Certificate Warnings: every 24 hours
– Service Alerts: immediate
• Email/SMS Alerts using Insight, Syslog & SNMP
Operations & Maintenance
• Rescue & Recovery
– Establish cluster connectivity
• Database sync will ensue. Watch for “Last Sync Time”
– Restore certificates
• Server Certificates are not installed as a part of the sync
– Restore log entries (If necessary)
• Caveat : High disk activity for an extended period of time
– Verify fail-back on the NAS
• NAS fail-back timers should kick in