#ATM16
Large scale, distributed access management deployment with Aruba ClearPass
Venkatraju T V – ClearPass Engineer
Steve Eubanks – ClearPass CSE
Drew Wyskida – ClearPass CSE
March 9, 2016 | @ArubaNetworks
Agenda
• ClearPass Solution
• Cluster and Zones
• Deployment Models
• Monitoring and Tuning
• Operations
• Planning a deployment
ClearPass Solution
ClearPass solution
Models | CP-500 | CP-5K | CP-25K
Maximum devices | 500 | 5,000 | 25,000
Maximum devices in High Capacity Guest mode | 1000 | 10,000 | 50,000
Policy Manager, Guest, Onboard, OnGuard
ClearPass solution: High Capacity Guest (HCG) mode
Setting | Normal mode | HCG mode
Devices | 500 / 5K / 25K | 1000 / 10K / 25K
Licenses Allowed | Policy Manager, Guest, OnGuard, Onboard | Guest
Cleanup Intervals | Defaults | Reduced
Posture & Audit checks | ✔ | ✖
Restricted EAP methods | ✔ | FAST, GTC, MSCHAPv2, PEAP, TLS, TTLS
Restricted Service Templates | ✔ | 802.1X
ClearPass Cluster and Zones
ClearPass Cluster
[Diagram: Publisher, Standby and Subscriber nodes. Legend: C = Config database, I = Insight database, L = Session log database. Labels: Multi-master cache replication; Config database replication; Heartbeat to detect failure.]
ClearPass Cluster: Insight
[Diagram: Publisher, Standby and Subscriber nodes. Legend: C = Config database, I = Insight database. Labels: Insight events; Insight Master.]
ClearPass Cluster: Databases

Config database
• Purpose: Configuration, Provisioning, Endpoints, Profiles, Guests, Onboard certificates
• Replication: Replicated from publisher to all subscribers
• Size: 50 MB to 500 MB
• Guidance: Review Endpoint and Guest cleanup settings

Insight database
• Purpose: Cluster-wide reporting, Bandwidth checks
• Replication: Duplicated at each Insight node
• Size: 1 GB to 200+ GB
• Guidance: Review database retention settings

Session log DB
• Purpose: Access Tracker, Event Viewer
• Replication: Not replicated
• Size: 1 GB to 100 GB
• Guidance: Review cleanup settings

Multi-master cache
• Purpose: Machine authentication, Session information (CoA), Role and posture cache
• Replication: Full mesh replication within a Zone
• Size: 1 MB to 100 MB
• Guidance: Configure Zones per location
ClearPass Cluster: Intra-cluster communication
• UDP port 123 (NTP)
• TCP port 5432 (PostgreSQL)
• TCP port 443 (HTTPS)
[Diagram: NTP, PostgreSQL and HTTPS between Publisher / Standby and each Subscriber.]
Caveats:
• Releases before the latest ClearPass 6.5 release may need additional ports open
• Port 80 is used to render System Monitor data from a remote node. Can be modified using the cluster-wide parameter “Performance Monitor Rendering Port”.
• Subscriber to subscriber communication is not required, as long as the subscriber will not be promoted to publisher
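As an added example (not part of the original deck), the port list and the subscriber-to-subscriber caveat above can be turned into a least-privilege flow matrix and used to audit a firewall allow-list. Node names and the sample allow-list are constructed; the code assumes each listed port is opened in both directions between a pair, and leaves out port 80 and any extra ports for pre-6.5 releases.

```python
from itertools import permutations

# Ports the slide lists for intra-cluster communication.
# Port 80 (System Monitor rendering) is not modelled here; pass a longer
# tuple as `ports` if your policy needs to cover it.
CLUSTER_PORTS = (("udp", 123), ("tcp", 5432), ("tcp", 443))
CORE_ROLES = {"publisher", "standby"}
VALID_ROLES = CORE_ROLES | {"subscriber"}


def required_flows(nodes, promotable=(), ports=CLUSTER_PORTS):
    """Return the set of (src, dst, proto, port) flows the cluster needs.

    nodes      -- dict of node name -> role
    promotable -- subscribers that may later be promoted to publisher; per the
                  slide, only these need to reach other subscribers
    Assumption: each port is opened in both directions between a pair.
    """
    bad_roles = {n: r for n, r in nodes.items() if r not in VALID_ROLES}
    if bad_roles:
        raise ValueError(f"unknown roles: {bad_roles}")
    unknown = set(promotable) - set(nodes)
    if unknown:
        raise ValueError(f"promotable nodes not in cluster: {sorted(unknown)}")

    core = {n for n, role in nodes.items() if role in CORE_ROLES} | set(promotable)
    flows = set()
    for src, dst in permutations(nodes, 2):
        # A pair needs connectivity only if one end is (or may become) a publisher.
        if src in core or dst in core:
            flows.update((src, dst, proto, port) for proto, port in ports)
    return flows


def audit(allowed, nodes, promotable=(), ports=CLUSTER_PORTS):
    """Compare a firewall allow-list with the required flows.

    Returns (missing, excess): flows the cluster needs but the policy lacks,
    and node-to-node flows the policy permits that the slide does not require.
    """
    required = required_flows(nodes, promotable, ports)
    internal = {f for f in allowed if f[0] in nodes and f[1] in nodes}
    return required - internal, internal - required


# Constructed sample cluster (hypothetical node names).
SAMPLE_NODES = {
    "pub": "publisher",
    "stby": "standby",
    "sub-a": "subscriber",
    "sub-b": "subscriber",
}

# Constructed allow-list: a "full mesh" policy with one rule forgotten.
SAMPLE_ALLOWED = {
    (src, dst, proto, port)
    for src, dst in permutations(SAMPLE_NODES, 2)
    for proto, port in CLUSTER_PORTS
} - {("sub-b", "stby", "tcp", 443)}


if __name__ == "__main__":
    missing, excess = audit(SAMPLE_ALLOWED, SAMPLE_NODES)
    for label, flows in (("MISSING", missing), ("NOT REQUIRED", excess)):
        for src, dst, proto, port in sorted(flows):
            print(f"{label:12} {src} -> {dst} {proto}/{port}")
```

Passing `promotable=["sub-a"]` marks that subscriber as a promotion candidate, which makes its flows to the other subscribers required instead of excess.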
ClearPass Cluster: Active Directory (AD) integration
• Join nodes to AD for MSCHAPv2
• Can join multiple independent AD domains
• Deploy nodes close to AD domain controllers
• Can override AD Password Servers
ClearPass Cluster: Publisher failure
[Diagram: Publisher, Standby and two Subscribers.]
• Subscribers handle authentication requests
• Standby node detects failure and promotes to publisher
• The following operations are affected:
  • Policy Manager and Guest configuration / provisioning
  • Guest, Onboard and Endpoint updates
ClearPass Cluster: Upgrade
• Publisher upgrades first
• Subscribers join back post upgrade
• Use the Cluster Upgrade Tool (CUT) (additional details later)
• Plan for sufficient downtime
ClearPass Zones
[Diagram: Publisher, Standby and Subscriber nodes grouped into Zone A, Zone B and Zone C. Legend: C = Config database. Labels: Multi-master cache replication; Config database replication.]
ClearPass Zones: Profile
[Diagram: Publisher and Subscriber nodes in Zone A and Zone B. Legend: P = Profile master node in zone. Labels: Profile Inputs (DHCP, HTTP UA etc.); DB update; Proxy profile input to profile master node.]
ClearPass Zones: OnGuard
Configure OnGuard client subnets per zone
Deployment Models
Deployment models: Centralized deployment
[Diagram: Publisher, Standby and three Subscribers. Label: Low latency network links.]
Deployment models: Distributed deployment
[Diagram: Publisher, Standby and Subscriber nodes in Zone A and Zone B, connected over a WAN. Labels: Config replication; Insight data.]
Deployment models: Multi-cluster deployment
[Diagram: Cluster 1 and Cluster 2, each with a Publisher and Subscribers 1 … N. Label: Remote cluster as authentication source.]
Deployment models: Design considerations
Consider | Review
Capacity | Number of devices; Locations
Use cases | Auth methods; Authentication sources; Guest provisioning; Posture assessment; Peak authentication rate; Complex policies
IO activity | Accounting; Guest/Onboard provisioning; Insight
Redundancy | N+1 or higher at each location
Failover | Standby node
Deployment models: Design considerations
Consider | Review
Dedicated publisher node | Cluster size; Guest/Onboard provisioning; Endpoint and profile updates
Dedicated standby node | Standby node utilization
Dedicated Insight nodes | Cluster-wide authentication rate; Insight as authorization source
Dedicate nodes for use cases | AAA request processing; Guest registration
Load balancing | Network device configuration; External load balancer
Monitoring the Cluster
Monitoring: iDRAC7
ClearPass customers running on the CP 25K server can take advantage of the Integrated Remote Access Controller remote management features (iDRAC7). The iDRAC7 allows administrators to monitor, manage, update, troubleshoot, and remediate CP 25K servers from any location.
Monitoring: ClearPass Syslog
ClearPass user interfaces enable ClearPass administrators to view Authentication, Authorization, Accounting, and System events. ClearPass has the capability to store these messages, encapsulate them and retransmit them as RFC 5424 compliant Syslog messages to any Syslog Receiver. ClearPass can also format Syslog messages in Log Event Extended Format (LEEF) and Common Event Format (CEF).
Monitoring: ClearPass SNMP
ClearPass has a Private Enterprise SNMP MIB exposing 70+ OIDs covering:
• System information
• Authentication counters
• Authorization counters
• Network traffic counters
• Traps for various system and application events
Monitoring: ClearPass Insight
ClearPass Insight is an advanced application that delivers enhanced analytics, in-depth reporting, and alerting. Insight provides the ability to track detailed authentication records and audit trails, and to develop systematic reports on network-access trends.
• Consolidated Reporting
• In-depth Analytics
• Ready-to-use Templates
• Alerts
Tuning the Cluster
Tuning: Insight
ClearPass Insight stores detailed authentication records, audit trails, and archived network access logs. Database and report retention should be adjusted to policy.
Tuning: Cleanup Intervals
ClearPass Insight stores detailed authentication records, audit trails, and archived network access logs. Database and report retention should be adjusted to policy.
Tuning: Replication Interval
In high latency environments the Replication Batch Interval may need to be adjusted.
Cluster Operations
Operations: Cluster Upgrade Tool (CUT)
The Cluster Upgrade Tool is a simple user interface that automates the upgrade procedure for a ClearPass cluster.
What does it do?
• Helps administrators upgrade multi node clusters (large or small)
• Task automation, reduces operational overhead and time
• Provides pre/post upgrade checks to flag/fix potential issues and ensure cluster health
Technical Details
• Available as a patch for Publishers running 6.2.6, 6.3.x, 6.4.x
• Software images distributed from publisher to subscribers
• Database lock time reduced to minutes versus hours
• Upgrade multiple subscribers simultaneously
• Does not upgrade patches (roadmap feature)
Operations: Cluster Upgrade Tool (CUT)
Customized upgrade models: choose all or a subset of subscribers. If all are chosen, they will be started after the Publisher completes, staggering start times every 5 minutes.
View of the entire process, as well as access to individual drilldown logging for the Publisher and each Subscriber.
Operations: ClearPass Exchange
Leverage ClearPass Exchange to integrate with existing Enterprise management systems.
• MDM / EMM solutions
• Messaging and / or escalation platforms
• Helpdesk and trouble ticketing solutions
• Log management/retention systems (syslog)
• Network security / compliance engines (bi-directional)
Operations: Backups
ClearPass Policy Manager provides the ability to push scheduled data backups securely to an external server. You can push the data using the SFTP and SCP protocols.
Operations: Log collection
When you need to review performance or troubleshoot issues in detail, Policy Manager can compile and save transactional and diagnostic data into several log files. These files are saved in Local Shared Folders and can be downloaded to your computer.
Operations: Log Configuration
From the Log Configuration menu, you can view and change the verbosity of the data collected into the Log Files.
Available levels include:
• DEBUG
• INFO
• WARN
• ERROR
• FATAL
Operations: Remote Assistance
Remote Assistance enables the ClearPass administrator to allow an Aruba Networks support engineer to log in remotely to the ClearPass server using Secure Shell (SSH) and to view the UI, either to debug any issues the customer is facing or to perform proactive monitoring of the server.
Planning a deployment
Enterprise ClearPass Deployment: Design Phase
• Identify individual use cases
• Determine necessary ClearPass Policy Manager (CPPM) Modules
• Discover/Determine Customer Environments
  • Regional Data Centers
  • Estimated number of Endpoints per region
• Define Initial CPPM Cluster Architecture
• Define Licensing requirements
Phases: Use Case Analysis (Design) → Planning and Pilot → Design Modifications → Production Roll out
Enterprise ClearPass Deployment: Planning/Pilot Phase
• Develop draft roll out plan for Enterprise
• Develop communications plan for notifying End Users
• Identify pilot locations to meet criteria set in Use Cases
• Leverage environment as close to production for pilot testing
• Capture pilot results
Enterprise ClearPass Deployment: Design Modification Phase
• Analyze pilot results to determine effectiveness of CPPM Modules based on Use Case requirements
• Adjust Architecture Design as necessary
  • Additional or missed backend business processes identified
  • Discovery of new or unexpected environment elements
  • Endpoint devices
  • Infrastructure obstacles
Enterprise ClearPass Deployment: Production Roll out Phase
• Adjust deployment plan for production roll out
• Begin communication plan to end users with expected changes
• Execute deployment according to schedule
Thank you
Venkatraju T V – venkatraju@hpe.com
Steve Eubanks – steve.eubanks@hpe.com
Drew Wyskida – drew.wyskida@hpe.com
March 9, 2016

Large scale, distributed access management deployment with aruba clear pass

  • 1. #ATM16 Large scale, distributed access management deployment with Aruba ClearPass Venkatraju T V – ClearPass Engineer Steve Eubanks – ClearPass CSE Drew Wyskida – ClearPass CSE March 9, 2016 @ArubaNetworks |
  • 2. 2#ATM16 Agenda • ClearPass Solution • Cluster and Zones • Deployment Models • Monitoring and Tuning • Operations • Planning a deployment
  • 4. 4#ATM16@ArubaNetworks | ClearPass solution Models CP-500 CP-5K CP-25K Maximum devices 500 5,000 25,000 Maximum devices in High Capacity Guest mode 1000 10,000 50,000 Policy Manager Guest OnboardOnGuard
  • 5. 5#ATM16 ClearPass solution Normal mode HCG mode Devices 500 / 5K / 25K 1000 / 10K / 25K Licenses Allowed Policy Manager Guest OnGuard Onboard Guest Cleanup Intervals Defaults Reduced Posture & Audit checks  ✖️ Restricted EAP methods  FAST, GTC, MSCHAPv2, PEAP, TLS, TTLS Restricted Service Templates  802.1X High Capacity Guest (HCG) mode
  • 7. 7#ATM16@ArubaNetworks | ClearPass Cluster Publisher C Standby Subscriber C C I I Multi-master cache replication Config database replication I C Config database Insight database L L Session log databaseL Heartbeat to detect failure L
  • 8. 8#ATM16@ArubaNetworks | ClearPass Cluster Publisher C Standby Subscriber C C I I Insight events I C Config database Insight database Insight Insight Master
  • 9. 9#ATM16@ArubaNetworks | ClearPass Cluster Config database Insight database Session log DB Multi-master cache Purpose • Configuration • Provisioning • Endpoints • Profiles • Guests • Onboard certificates • Cluster-wide reporting • Bandwidth checks • Access Tracker • Event Viewer • Machine authentication • Session information (CoA) • Role and posture cache Replication Replicated from publisher to all subscribers Duplicated at each Insight node Not replicated Full mesh replication within a Zone Size 50 MB to 500 MB 1 GB to 200+ GB 1 GB to 100 GB 1 MB to 100 MB Guidance Review Endpoint and Guest cleanup settings Review database retention settings Review cleanup settings Configure Zones per location Databases
  • 10. 10#ATM16@ArubaNetworks | ClearPass Cluster • UDP port 123 (NTP) • TCP port 5432 (PostgreSQL) • TCP port 443 (HTTPS) Publisher Standby Subscriber NTP, PostgreSQL, HTTPS NTP, PostgreSQL, HTTPS Subscriber Caveats: • Releases before the latest ClearPass 6.5 release may need additional ports open • Port 80 is used to render System Monitor data from a remote node. Can be modified using the cluster-wide parameter “Performance Monitor Rendering Port”. • Subscriber to subscriber communication is not required, as long as the subscriber will not be promoted to publisher Intra-cluster communication
  • 11. ClearPass Cluster: Active Directory (AD) integration
      • Join nodes to AD for MSCHAPv2
      • Can join multiple independent AD domains
      • Deploy nodes close to AD domain controllers
      • Can override AD Password Servers
  • 12. ClearPass Cluster: Publisher failure. [Diagram: Publisher, Standby and Subscriber nodes]
      • Subscribers handle authentication requests
      • Standby node detects failure and promotes to publisher
      • The following operations are affected:
          • Policy Manager and Guest configuration / provisioning
          • Guest, Onboard and Endpoint updates
  • 13. ClearPass Cluster: Upgrade
      • Publisher upgrades first
      • Subscribers join back post upgrade
      • Use the Cluster Upgrade Tool (CUT) (additional details later)
      • Plan for sufficient downtime
  • 14. ClearPass Zones. [Diagram: Publisher, Standby and Subscriber nodes grouped into Zone A, Zone B and Zone C; legend: C = Config database; labels: Multi-master cache replication, Config database replication]
  • 15. ClearPass Zones: Profile. [Diagram: Publisher and Subscriber nodes in Zone A and Zone B receiving Profile Inputs (DHCP, HTTP UA etc.); legend: P = Profile master node in zone; labels: DB update, Proxy profile input to profile master node]
  • 16. ClearPass Zones: OnGuard. Configure OnGuard client subnets per zone.
  • 18. Deployment models: Centralized deployment. [Diagram: Publisher, Standby and Subscriber nodes connected by low latency network links]
  • 19. Deployment models: Distributed deployment. [Diagram: Publisher, Standby and Subscriber nodes in Zone A and Zone B across a WAN; labels: Config replication, Insight data]
  • 20. Deployment models: Multi-cluster deployment. [Diagram: Cluster 1 and Cluster 2, each with a Publisher and Subscriber 1 … Subscriber N; label: Remote cluster as authentication source]
  • 21. Deployment models: Design considerations (Consider: Review)
      • Capacity: number of devices; locations
      • Use cases: auth methods; authentication sources; guest provisioning; posture assessment; peak authentication rate; complex policies
      • IO activity: accounting; Guest/Onboard provisioning; Insight
      • Redundancy: N+1 or higher at each location
      • Failover: standby node
  • 22. Deployment models: Design considerations (Consider: Review)
      • Dedicated publisher node: cluster size; Guest/Onboard provisioning; endpoint and profile updates
      • Dedicated standby node: standby node utilization
      • Dedicated Insight nodes: cluster-wide authentication rate; Insight as authorization source
      • Dedicate nodes for use cases: AAA request processing; guest registration
      • Load balancing: network device configuration; external load balancer
  • 24. Monitoring: iDRAC7. Customers running on the CP 25K server can take advantage of the Integrated Remote Access Controller remote management features (iDRAC7). The iDRAC7 allows administrators to monitor, manage, update, troubleshoot, and remediate CP 25K servers from any location.
  • 25. Monitoring: ClearPass Syslog. ClearPass user interfaces enable ClearPass administrators to view Authentication, Authorization, Accounting, and System events. ClearPass can store these messages, encapsulate them and retransmit them as RFC 5424 compliant Syslog messages to any Syslog Receiver. ClearPass can also format Syslog messages in Log Event Extended Format (LEEF) and Common Event Format (CEF).
  • 26. Monitoring: ClearPass SNMP. ClearPass has a Private Enterprise SNMP MIB exposing 70+ OIDs covering:
      • System information
      • Authentication counters
      • Authorization counters
      • Network traffic counters
      • Traps for various system and application events
  • 27. Monitoring: ClearPass Insight. ClearPass Insight is an advanced application that delivers enhanced analytics, in-depth reporting, and alerting. Insight provides the ability to track detailed authentication records and audit trails, and to develop systematic reports on network-access trends.
      • Consolidated Reporting
      • In-depth Analytics
      • Ready-to-use Templates
      • Alerts
  • 29. Tuning: Insight. ClearPass Insight stores detailed authentication records, audit trails, and archived network access logs. Database and report retention should be adjusted to policy.
  • 30. Tuning: Cleanup Intervals. ClearPass Insight stores detailed authentication records, audit trails, and archived network access logs. Database and report retention should be adjusted to policy.
  • 31. Tuning: Replication Interval. In high latency environments the Replication Batch Interval may need to be adjusted.
  • 33. Operations: Cluster Upgrade Tool (CUT). The Cluster Upgrade Tool is a simple user interface that automates the upgrade procedure for a ClearPass cluster.
      What does it do?
      • Helps administrators upgrade multi-node clusters (large or small)
      • Task automation, reduces operational overhead and time
      • Provides pre/post upgrade checks to flag/fix potential issues and ensure cluster health
      Technical Details
      • Available as a patch for Publishers running 6.2.6, 6.3.x, 6.4.x
      • Software images distributed from publisher to subscribers
      • Database lock time reduced to minutes versus hours
      • Upgrade multiple subscribers simultaneously
      • Does not upgrade patches (roadmap feature)
  • 34. Operations: Cluster Upgrade Tool (CUT)
      • Customized upgrade models: choose all or a subset of subscribers. If all are chosen they will be started after the Publisher completes, staggering start times every 5 minutes.
      • View of the entire process, as well as access to individual drilldown logging for the Publisher and each Subscriber.
  • 35. Operations: ClearPass Exchange. Leverage ClearPass Exchange to integrate with existing Enterprise management systems:
      • MDM / EMM solutions
      • Messaging and / or escalation platforms
      • Helpdesk and trouble ticketing solutions
      • Log management/retention systems (syslog)
      • Network security / compliance engines (bi-directional)
  • 36. Operations: Backups. ClearPass Policy Manager provides the ability to push scheduled data backups securely to an external server. You can push the data using the SFTP and SCP protocols.
  • 37. Operations: Log collection. When you need to review performance or troubleshoot issues in detail, Policy Manager can compile and save transactional and diagnostic data into several log files. These files are saved in Local Shared Folders and can be downloaded to your computer.
  • 38. Operations: Log Configuration. From the Log Configuration menu, you can view and change the verbosity of the data collected into the log files. Available levels include: DEBUG, INFO, WARN, ERROR, FATAL.
  • 39. Operations: Remote Assistance. Remote Assistance enables the ClearPass administrator to allow an Aruba Networks support engineer to log in remotely to the ClearPass server using Secure Shell (SSH), and also to view the UI, in order to debug any issues the customer is facing or to perform proactive monitoring of the server.
  • 41. Enterprise ClearPass Deployment: Design Phase. [Phase diagram: Use Case Analysis (Design), Planning and Pilot, Design Modifications, Production Roll out]
      • Identify individual use cases
      • Determine necessary ClearPass Policy Manager (CPPM) Modules
      • Discover/Determine Customer Environments
          • Regional Data Centers
          • Estimated number of Endpoints per region
      • Define Initial CPPM Cluster Architecture
      • Define Licensing requirements
  • 42. Enterprise ClearPass Deployment: Planning/Pilot Phase
      • Develop draft roll out plan for Enterprise
      • Develop communications plan for notifying End Users
      • Identify pilot locations to meet criteria set in Use Cases
      • Leverage environment as close to production for pilot testing
      • Capture pilot results
  • 43. Enterprise ClearPass Deployment: Design Modification Phase
      • Analyze pilot results to determine effectiveness of CPPM Modules based on Use Case requirements
      • Adjust Architecture Design as necessary
          • Additional or missed backend business processes identified
          • Discovery of new or unexpected environment elements (endpoint devices, infrastructure obstacles)
  • 44. Enterprise ClearPass Deployment: Production Roll out Phase
      • Adjust deployment plan for production roll out
      • Begin communication plan to end users with expected changes
      • Execute deployment according to schedule
  • 46. Thank you Venkatraju T V – venkatraju@hpe.com Steve Eubanks – steve.eubanks@hpe.com Drew Wyskida – drew.wyskida@hpe.com
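
The port list on slide 10 (Intra-cluster communication) and the editor's-note recommendation to whitelist ClearPass traffic in firewalls between nodes, worked into a firewall allow-list check. This is an added example, not code from the presentation or from Aruba; the node addresses, the rule tuples and the assumption that each listed port is needed in both directions are constructed for illustration.

```python
from itertools import product

# Intra-cluster services listed on slide 10; per the slide, releases
# before the latest 6.5 release may need additional ports.
CLUSTER_SERVICES = frozenset({("udp", 123), ("tcp", 5432), ("tcp", 443)})


def required_flows(nodes, services=CLUSTER_SERVICES):
    """Return the (src, dst, proto, port) flows the slide calls for.

    nodes maps an address to "publisher", "standby" or "subscriber".
    The standby is treated like the publisher because it may be promoted;
    subscriber-to-subscriber flows are left out, as the slide allows.
    Pass services | {("tcp", 80)} to include System Monitor rendering.
    """
    hubs = [n for n, role in nodes.items() if role in ("publisher", "standby")]
    flows = set()
    for hub, peer in product(hubs, nodes):
        if hub == peer:
            continue
        for proto, port in services:
            # Assumption: direction is not stated on the slide, so allow both.
            flows.add((hub, peer, proto, port))
            flows.add((peer, hub, proto, port))
    return flows


def audit(rules, nodes, services=CLUSTER_SERVICES):
    """Return (missing, excess) for an allow-list of flow tuples.

    missing: required flows with no rule; excess: node-to-node rules
    beyond what the slide requires (candidates for removal).
    """
    needed = required_flows(nodes, services)
    between_nodes = {r for r in rules if r[0] in nodes and r[1] in nodes}
    return needed - between_nodes, between_nodes - needed


# Constructed inventory and ruleset (documentation address range).
SAMPLE_NODES = {
    "192.0.2.10": "publisher",
    "192.0.2.11": "standby",
    "192.0.2.21": "subscriber",
    "192.0.2.22": "subscriber",
}
DROPPED = ("192.0.2.21", "192.0.2.10", "tcp", 5432)
EXTRA = {
    ("192.0.2.21", "192.0.2.22", "tcp", 5432),  # subscriber to subscriber
    ("192.0.2.22", "192.0.2.11", "tcp", 22),    # port not on the slide
}
SAMPLE_RULES = (required_flows(SAMPLE_NODES) - {DROPPED}) | EXTRA

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES, SAMPLE_NODES)
    for flow in sorted(missing):
        print("MISSING", *flow)
    for flow in sorted(excess):
        print("EXCESS ", *flow)
```

A missing flow points at a rule that would break replication or failover to the standby; an excess flow is a node-to-node opening the slide does not ask for.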

Editor's notes

  1. Cluster for scale and redundancy
      • One Publisher, multiple subscribers
      • Writes allowed only on the publisher
      • Publisher is typically the single point for all management operations
      • Always set up a Standby that will take over the publisher role on publisher failure
  2. Insight: cluster-wide reporting, analytics and alerts
      • Most deployments should enable Insight on two nodes in the cluster for fault-tolerance
      • Insight data is duplicated (not replicated). All ClearPass nodes in the cluster stream events to all nodes in the cluster
      • Insight is not “Zone” aware
      • Typical deployment: enable Insight on Publisher and Subscriber
      • Limit use of Insight database as an authorization source where possible
      • The node designated as “Insight master” generates reports and alerts
  3. Active Directory
      • Each ClearPass node must be joined to the Active Directory domain for EAP-PEAP MSCHAPv2 authentications
      • Nodes can be joined to multiple independent AD forests or domains
      • Deploy ClearPass nodes close to AD domain controllers and join to local AD
      • Configure AD Password Servers for each node to use a local/nearby AD domain controller
  4. Upgrade
      • Publisher upgrades first
      • Subscribers join back post upgrade
      • Plan adequate downtime depending on DB size, number of nodes and nature of deployment
      • Use the Cluster Upgrade Tool (CUT) to automate upgrade workflow
  5. Zone: Groups of nodes can be assigned to a “Zone”.
      • Zones are typically geographic boundaries.
      • Cache replication is limited to nodes within a zone
      • Other features like Profile and OnGuard are also affected by Zone definition
  6. Profile: classifies endpoints using attributes obtained from software components called “Collectors”. Profile nodes form temporary clusters per zone:
      • A master node is elected per zone
      • Any node in the cluster can handle incoming profile data (ex. any node can be set up to receive DHCP traffic)
      • All nodes in the zone proxy profiling requests to the current active master
      • Master correlates profile information, runs profile rules and updates Publisher DB
      • Updated profile information from publisher DB replicates to all nodes in the cluster (config DB replication)
  7. Centralized deployment
      • Simplest and most convenient deployment
      • All nodes in the cluster are in the same location / data center
      • Nodes are connected by low latency, high bandwidth network links
      • Typical deployment: Large university
  8. Distributed deployment
      • Multiple locations, possibly connected by high latency network links
      • Publisher and Standby in a central location
      • One or more nodes at each location based on capacity and redundancy requirements
      • Each location is configured as a Zone
      • Recommendation: Deploy ClearPass nodes close to authentication source.
      • Recommendation: Whitelist ClearPass traffic in WAN accelerators / firewalls between nodes
  9. Multiple independent clusters
      • Con: Multiple independent points for configuration and reporting
      • One cluster could use another cluster as an Authentication source
      • Use cases:
          • Functional clusters: Ex. Separate AAA and Guest cluster; HCG cluster and AAA cluster
          • Regional clusters: Cluster per region / location
          • Large clusters: Recommend limiting cluster size to 30 nodes
      • Recommend latency of <200ms between nodes in a cluster
  10. ClearPass Access Tracker, Audit Viewer and Event Viewer user interfaces enable ClearPass administrators to view Authentication, Authorization, Accounting, and System events. ClearPass has the capability to store these messages, encapsulate them and retransmit them as RFC 5424 compliant Syslog messages to any Syslog Receiver. ClearPass can also format Syslog messages in Log Event Extended Format (LEEF) and Common Event Format (CEF).
  11. Policy Manager sends SNMP traps that expose the following server information:
      • System up-time: Provides information about how long the system is running.
      • Network interface statistics [up/down]: Provides information if the network interface is up or down.
      • Process monitoring information: Check for the processes that should be running. Sends traps if there is a change in value of maximum and minimum numbers.
      • Disk usage: Check for disk space usage of a partition. The agent can check the amount of available disk space and make sure it is above the set limit.
      • CPU load information: Check for unreasonable load average values. For example, if 1-minute CPU load average exceeds the configured value [in percentage] then system sends a trap to the configured destination.
      • Memory usage: Report the memory usage of the system.
  12. ClearPass Insight is an advanced application to deliver enhanced analytics, in-depth reporting, and Alerting. Insight provides the ability to track detailed authentication records, audit trails, and develop systematic reports on network-access trends. Additional features associated with Insight are described below.
      • Consolidated Reporting. Insight is capable of aggregating data from multiple Policy Manager appliances, or external stores, containing archived network access logs. It presents a powerful combination of near real-time analytics, as well as the ability to look into the past to satisfy historical analysis and compliance needs.
      • In-depth Analytics. Insight uses a powerful analytics engine that mines network access logs in order to generate trending reports on various parameters. Network managers can utilize these trends to get an overview of authentication and access activity, elaborate client access distribution, load-averages, and analyze authentication traffic flow through various network devices.
      • Ready-to-use Templates. Insight includes several ready-to-use templates that help reduce the time associated with creating custom reports. The templates guide users through the process of capturing data for a number of use cases with minimal configuration.
      • Alerts. Insight can generate near real-time alerts on anomalous network activity. Network managers can configure alerts based on a number of various parameters. Alerts can be delivered via SMS or e-mail notification to multiple recipients to prompt action.