CONFIDENTIAL
© Copyright 2013. Aruba Networks, Inc. All rights reserved. #airheadsconf
ClearPass Policy Manager – Advanced
Ashwath Murthy
03/15/2013

Agenda
• ClearPass – Policy Model
• Authorization – What and Why?
• Profile – How does it work?
• Clustering & Deployment
• Q & A

ClearPass Policy Model

ClearPass Policy Model
• What constitutes the policy model?
• How does it work?
• What are the interactions between various components?
• How does the policy model affect configuration & deployment?

ClearPass Policy Model
(Diagram) A Policy is built from four kinds of input:
• Identity – Role, Department, Group
• Health – AV, AS, FW; Registry Keys; Services…
• Device – Device type, status, health; Address, O/S; Corp. Owned
• Conditions – Time, Location, Day of Week

What's the flow?
• Authenticate – Valid Authentication
• Authorize – Find Out What's Allowed
• Associate Context – Device, Time, Location, Posture
• Enforce on NAS – Roles, ACLs, VLANs

What Are The Interactions?
• RADIUS Server – Authenticate
• Policy Server – Authorize
• Policy Server – Associate Context
• Policy Server – Decision Tree
• RADIUS Server – Enforce

Service Flow – 802.1X
(Diagram) Stages, in the order drawn:
• Layer 2 – RADIUS Request
• Layer 2 – Authentication
• Layer 2 – Authorization
• Layer 2 – Role Derivation
• Layer 2 – RADIUS Enforcement
• Layer 3 – Profile
• Layer 2 – NAP
• Layer 3 – OnGuard

Service Flow – Implications
• Layer 2 Authentications are completed first
  – Full Authorization
  – Role Derivation
  – NAP (if enabled)
  – Layer 2 Enforcement
• Layer 3: Profile next
  – DHCP Request, DHCP Offer
  – RFC 3576 – Change of Authorization
• Another Layer 2 authentication!
  – No RFC 3576 message if "fingerprint" does not change
• Layer 3: Collect Posture last (OnGuard)
  – Posture over HTTPS
  – RFC 3576 based on policy
• Another Layer 2 authentication!

Authorization – What and Why?

Authorization – What and Why?
• Authentication vs. Authorization
• Authorization & ClearPass
• Use Cases

Authorization & ClearPass
• "Authorization" Sources in ClearPass
  – Where do I find them?
  – How do I use them?
  – How often does ClearPass talk to an authorization source?
  – What happens in case something goes wrong?

Authorization Sources – Where?
• An "Authentication Source" is an "Authorization Source"
  – RADIUS Server vs. Policy Server

Authorization Sources – How?
(Screenshot callouts)
• Authentication Sources are automatic Authorization Sources
• Additional Authorization Sources enabled per Service
• No Authorization unless used in Roles!

Authorization Sources – How?
(Screenshot callouts)
• Authorize with Active Directory
• Authorize with Profile Data
• Rule Algorithm: Evaluate All

Authorization – How?
• Ok, great. But will ClearPass flood my AD with authorization requests?
  – Authorization data is cached per user
  – New request made to fetch data once the cache expires
  – Cache timers can be tuned
(Screenshot callout) Cache Timeout – Default: 10 hours

Authorization – How?
• Got it
• But I just made a bunch of changes on my AD. Do I need to wait 10 hours?
  – Tune the cache timers
  – "Clear Cache" button on the Authentication Source
    • Wipes out cache for all users
  – "Save" button on the Authentication Source
    • Wipes out cache for all users
  – Restart Policy Server
    • BAD IDEA!!!

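To make the caching behaviour on the last two slides concrete, here is an added example (not ClearPass code) of a per-user authorization cache with a tunable timeout, where the 10-hour default, the cache-hit counter and the constructed directory data are assumptions; it shows why a directory change is invisible until the entry expires or the cache is cleared, and that clearing drops every user's entry.

```python
import time

DEFAULT_CACHE_TIMEOUT = 10 * 3600   # seconds: the 10-hour default shown on the slide


class AuthorizationSource:
    """Per-user authorization cache in front of a backend such as Active Directory."""

    def __init__(self, fetch_fn, cache_timeout=DEFAULT_CACHE_TIMEOUT, clock=time.time):
        self._fetch = fetch_fn        # backend lookup (hypothetical; an LDAP query in practice)
        self.cache_timeout = cache_timeout
        self._clock = clock           # injectable so expiry can be exercised without waiting
        self._cache = {}              # user -> (fetched_at, attributes)
        self.backend_queries = 0      # how many times the backend was really contacted

    def authorize(self, user):
        now = self._clock()
        entry = self._cache.get(user)
        if entry is not None and now - entry[0] < self.cache_timeout:
            return entry[1]           # cache hit: the backend is not contacted
        attrs = self._fetch(user)     # miss or expired: one backend query, then re-cache
        self.backend_queries += 1
        self._cache[user] = (now, attrs)
        return attrs

    def clear_cache(self):
        """Same effect as 'Clear Cache' or 'Save' on the source: every user's entry goes."""
        self._cache.clear()


def demo():
    """Walk through the slide's scenario: cached lookups, an AD change, clear, expiry."""
    directory = {"alice": ["Finance"]}             # constructed stand-in for AD groups

    def lookup(user):
        return {"memberOf": list(directory[user])}

    clock = [1_000_000.0]                          # fake time, in seconds
    src = AuthorizationSource(lookup, clock=lambda: clock[0])
    src.authorize("alice"); src.authorize("alice")   # second call is served from cache
    after_two_calls = src.backend_queries            # 1
    clock[0] += 9 * 3600
    src.authorize("alice")                           # 9 h later: still cached
    after_nine_hours = src.backend_queries           # 1
    directory["alice"].append("Execs")               # AD changed; the cache is now stale
    stale = src.authorize("alice")["memberOf"]       # ['Finance'] until expiry or clear
    src.clear_cache()
    fresh = src.authorize("alice")["memberOf"]       # ['Finance', 'Execs']
    clock[0] += DEFAULT_CACHE_TIMEOUT + 1
    src.authorize("alice")                           # expired: fetched again
    return after_two_calls, after_nine_hours, stale, fresh, src.backend_queries
```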
Authorization – Uh-Oh!
• If an Authentication/Authorization Source is not reachable
  – Configure Backup Servers
  – Configure Fail-Over Timeout
(Screenshot callouts) Fail-Over Timeout; Backup Servers

Use Cases – Mergers & Acquisitions
(Diagram) Active Directory Domain – avendasys.com; Active Directory Domain – arubanetworks.com

Use Cases – Certificates & TLS
(Screenshot callouts)
• Authentication & Authorization Sources for TLS
• Certificate Details used for Authorization
• Enable Authorization – Source specified in the Service
• Compare Certificate – Source specified in the Service

Use Cases – Asset Databases
• LDAP/SQL Interface to Asset Databases
  – Key: MAC Address
  – Authorization Attributes
    • Ownership – Corporate vs. Personal
    • Compliance Status – In/Out of compliance
  – Identify corporate-owned non-Windows devices

Profile – How does it work?

Profile – How does it work?
• Profile & Network Data
• Automatic Profile "upgrades"
• Using Profile data in policy
• Configuring Profile
  – DHCP? HTTP? SNMP?
• Use Cases

Profile & Network Data
• What does ClearPass use to profile?
  – MAC OUIs
  – DHCP Request, DHCP Offer
  – HTTP User-Agent
  – MDM Fingerprints
  – Device Interrogation
  – SNMP/CDP/LLDP Data

Fingerprint Updates
• Subscribe to Fingerprint Updates
  – Automatic reclassification
  – Updated frequently
• Tell Aruba!
  – Create policy exceptions
  – Grab fingerprints from UI
  – Send fingerprints to Aruba
  – Crowd-sourced, community oriented

Using Profile data in policy
• Automatic 3-level categorization
  – Device Category, OS Family, Device Name
• Using raw profile data
  – DHCP Data, HTTP User-Agent, SNMP Data
• Role Mapping
  – What should I use?
• Enforcement
  – How do I enforce?
  – What are the benefits?

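An added example (not ClearPass code) of what "Rule Algorithm: Evaluate All" on the Authorization Sources slide means when Profile's three-level categorization and directory attributes feed role mapping and enforcement, modelled on the deck's "CEOs & iPads" and "Headless Devices" cases. The rule set, attribute names, role names and enforcement profiles are all constructed; the first-match alternative is included only as a contrast to show why evaluating every rule matters when one device must hold several roles.

```python
def rule(attr, op, value, role):
    """One role-mapping rule: if attrs[attr] <op> value, grant role."""
    return {"attr": attr, "op": op, "value": value, "role": role}


OPS = {
    "EQUALS": lambda actual, expected: actual == expected,
    "CONTAINS": lambda actual, expected: actual is not None and expected in actual,
}

# Constructed rules; the attribute prefix names the source (directory, Profile, asset DB).
ROLE_MAPPING = [
    rule("AD:memberOf", "CONTAINS", "Executives", "Executive"),
    rule("Profile:Device Category", "EQUALS", "SmartDevice", "BYOD"),
    rule("Profile:OS Family", "EQUALS", "Apple iOS", "iOS-Device"),
    rule("Profile:Device Category", "EQUALS", "Printer", "Headless"),
    rule("Asset:Ownership", "EQUALS", "Corporate", "Corp-Owned"),
]

# Constructed enforcement policy: first entry whose required roles are all held wins.
ENFORCEMENT = [
    ({"Executive", "iOS-Device"}, "Exec-iPad-Full-Access"),
    ({"Headless", "Corp-Owned"}, "Printer-VLAN"),
    ({"BYOD"}, "Internet-Only"),
]


def map_roles(attrs, rules=ROLE_MAPPING, evaluate_all=True):
    """Evaluate All keeps collecting roles; evaluate_all=False stops at the first match."""
    roles = []
    for r in rules:
        if OPS[r["op"]](attrs.get(r["attr"]), r["value"]):
            roles.append(r["role"])
            if not evaluate_all:
                break
    return roles


def enforce(roles, policy=ENFORCEMENT, default="Deny"):
    """Pick the enforcement profile for the derived role set, or deny."""
    held = set(roles)
    for required, profile in policy:
        if required <= held:
            return profile
    return default


# Constructed attributes: a CEO's iPad (AD group plus Profile's category/OS family/name)
# and a corporate printer known only through Profile and the asset database.
CEO_IPAD = {"AD:memberOf": ["Executives", "Staff"], "Profile:Device Category": "SmartDevice",
            "Profile:OS Family": "Apple iOS", "Profile:Device Name": "Apple iPad"}
PRINTER = {"Profile:Device Category": "Printer", "Asset:Ownership": "Corporate"}
```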
Configuring Profile – Network Considerations
• DHCP Relay
  – Where should I set up DHCP relays?
• Captive Portal Configuration
  – Is there a knob for this?
• Reading SNMP Data
  – CDP
  – LLDP
  – HR MIB
  – SysDescr MIB

Use Cases
• Policy – CEOs & iPads
• Policy – "Headless" Devices
• Visibility – Demystifying BYODs

Use Cases – CEOs & iPads
(Screenshot callouts) Assign Roles; Enforce Access

Use Cases – Headless Devices
(Screenshot callout) Identify & Assign Roles To Headless Devices

Clustering & Deployment

Clustering & Deployment
• Clustering Technology
  – What's replicated? What's not?
• Deploying ClearPass Clusters
  – Considerations
• Operations & Maintenance
  – What happens when a ClearPass node is down?
  – Events & Alerts
  – Rescue & Recovery

Clustering Technology
• What's replicated?
  – All policy configuration elements
  – All Audit data
  – All identity store data
    • Guest Accounts, Endpoints, Profile data
  – Runtime Information
    • Authorization status, Posture status, Roles
    • Connectivity Information, NAS Details
  – Database replication on port 5432 over SSL
  – Runtime replication on port 443 over SSL

Clustering Technology
• What's not replicated?
  – Log files
  – Authentication Records
  – Accounting Records
  – System Events
  – System Monitor Data

Clustering – Considerations
• How do they connect?
  – Requires IP connectivity (bi-directional)
    • Port 5432 (Database over SSL)
    • Port 80 (HTTP)
    • Port 443 (HTTPS)
    • Port 123 (NTP)
• How much data should we expect to see crossing the wire?
  – Only elements in the configuration database
  – First sync is a full database copy
  – Subsequent sync – Delta changes propagated

Clustering – Considerations
(Diagram) Sites: Main Data Center, Mid-size Branch, Regional Office, DMZ. Components: CPPM – Publisher; DNS; DHCP; Identity Stores; CPPM Subscriber (VM); CP Guest; CP Onboard; CPPM Subscriber; CPPM Subscriber
• Central / Distributed Admin Domains
• Redundancy/Load Balancing
• Cluster wide licenses

Operations & Maintenance
• What happens when a node goes down?
  – Operations
    • If Deployed Right – Nothing
    • RADIUS Backup settings on the NAS
  – If the Publisher goes down
    • No Database Writes Allowed!!
    • Promote a Subscriber to a Publisher
    • Resume configuration updates

Events & Alerts
• How long before ClearPass figures out something's wrong?
  – 24 hours before it automatically "drops" a node from the cluster
  – Cluster Synchronization Warnings
    • 1 event every hour x 24 hours = 24 events
  – CPU/Memory Usage Warnings → Every 2 Minutes
  – Server Certificate Warnings → Every 24 Hours
  – Service Alerts → Immediate
• Email/SMS Alerts using Insight, Syslog & SNMP

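Since a node is dropped only after 24 hourly synchronization warnings, an operator who forwards these events to syslog can page well before that point. This added example (not ClearPass code) tallies synchronization warnings per node over a 24-hour window and reports how many hourly events remain before the drop; the log line layout, host names and the early-alert threshold are constructed and not the product's real syslog format.

```python
from datetime import datetime, timedelta
import re

NODE_DROP_EVENTS = 24   # 1 event every hour x 24 hours, from the slide
ALERT_AT = 6            # constructed threshold: alert long before the node is dropped

# Constructed line layout: "<date> <time> <node> <message>".
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.+)$")


def parse(line):
    ts, node, msg = LINE_RE.match(line).groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), node, msg


def sync_warnings_by_node(lines, now, window=timedelta(hours=24)):
    """Count Cluster Synchronization Warnings per node inside the 24 h drop window."""
    counts = {}
    for line in lines:
        ts, node, msg = parse(line)
        if msg.startswith("Cluster Synchronization Warning") and now - ts <= window:
            counts[node] = counts.get(node, 0) + 1
    return counts


def nodes_at_risk(counts, alert_at=ALERT_AT):
    """Nodes past the alert threshold, mapped to the hourly events left before the drop."""
    return {node: NODE_DROP_EVENTS - n for node, n in counts.items() if n >= alert_at}


def build_sample(start, node, hours):
    """Constructed hourly warnings for one node, starting at `start`."""
    return [f"{start + timedelta(hours=h):%Y-%m-%d %H:%M:%S} {node} "
            "Cluster Synchronization Warning: sync overdue" for h in range(hours)]


def demo():
    start = datetime(2013, 3, 14, 22, 0, 1)
    lines = build_sample(start, "cppm-branch1", 7) + build_sample(start, "cppm-dmz", 1)
    lines.append("2013-03-14 22:02:00 cppm-branch1 CPU Usage Warning: 91%")       # ignored
    lines.append("2013-03-13 01:00:00 cppm-dmz Cluster Synchronization Warning: stale")  # too old
    now = datetime(2013, 3, 15, 4, 30, 0)
    counts = sync_warnings_by_node(lines, now)
    return counts, nodes_at_risk(counts)
```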
Operations & Maintenance
• Rescue & Recovery
  – Establish cluster connectivity
    • Database sync will ensue. Watch for "Last Sync Time"
  – Restore certificates
    • Server Certificates are not installed as a part of the sync
  – Restore log entries (If necessary)
    • Caveat: High disk activity for an extended period of time
  – Verify fail-back on the NAS
    • NAS fail-back timers should kick in