Clear pass policy manager advanced_ashwath murthy

CONFIDENTIAL
© Copyright 2013. Aruba Networks, Inc.
All rights reserved 1 #airheadsconf#airheadsconf
ClearPass Policy Manager – Advanced
Ashwath Murthy
03/15/2013

CONFIDENTIAL
All rights reserved 2 #airheadsconf
ClearPass – Policy Model
Authorization – What and Why?
Profile – How does it work?
Clustering & Deployment
Q & A
Agenda

CONFIDENTIAL
All rights reserved 3 #airheadsconf#airheadsconf3
ClearPass Policy Model

CONFIDENTIAL
•  What constitutes the policy model?
•  How does it work?
•  What are the interactions between various
components?
•  How does the policy model affect configuration
& deployment?

CONFIDENTIAL
Policy
Identity
Health
Device
Conditions
• Role
• Department
• Group
•  AV, AS, FW
• Registry Keys
• Services…
• Device type,
status, health
• Address, O/S
• Corp. Owned
• Time
• Location
• Day of Week

CONFIDENTIAL
What’s the flow?
Authenticate
• Valid Authentication
Authorize
• Find Out What’s Allowed
Associate
Context
• Device, Time, Location, Posture
Enforce on
NAS
• Roles, ACLs, VLANs

CONFIDENTIAL
What Are The Interactions?
RADIUS Server – Authenticate
Policy Server – Authorize
Policy Server – Associate Context
Policy Server – Decision Tree
RADIUS Server – Enforce

CONFIDENTIAL
Service Flow – 802.1X
Layer 2
RADIUS
Request
Layer 2
Authentication
Layer 2
Authorization
Layer 2
Role
Derivation
Layer 2
RADIUS
Enforcement
Layer 3
Profile
Layer 2
NAP
Layer 3
OnGuard

CONFIDENTIAL
•  Layer 2 Authentications are completed first
–  Full Authorization
–  Role Derivation
–  NAP (if enabled)
–  Layer 2 Enforcement
•  Layer 3 : Profile next
–  DHCP Request, DHCP Offer
–  RFC 3576 – Change of Authorization
•  Another Layer 2 authentication!
–  No RFC 3576 message if “fingerprint” does not change
•  Layer 3 : Collect Posture last (OnGuard)
–  Posture over HTTPS
–  RFC 3576 based on policy
•  Another Layer 2 authentication!
Service Flow – Implications

CONFIDENTIAL

CONFIDENTIAL
•  Authentication vs. Authorization
•  Authorization & ClearPass
•  Use Cases

CONFIDENTIAL
Authorization & ClearPass
•  “Authorization” Sources in ClearPass
–  Where do I find them?
–  How do I use them?
–  How often does ClearPass talk to an authorization source?
–  What happens in case something goes wrong?

CONFIDENTIAL
•  An “Authentication Source” is an “Authorization
Source”
–  RADIUS Server vs. Policy Server
Authorization Sources – Where?

CONFIDENTIAL
Authorization Sources – How?
Authentication Sources
are automatic
Authorization Sources
Additional Authorization
Sources enabled
per Service
No Authorization unless
used in Roles!

CONFIDENTIAL
Authorization Sources – How?
Authorize with
Active Directory
Authorize with
Profile Data
Rule Algorithm :
Evaluate All

CONFIDENTIAL
•  Ok, great. But will ClearPass flood my AD with
authorization requests?
–  Authorization data is cached per user
–  New request made to fetch data once the cache expires
–  Cache timers can be tuned
Authorization – How?
Cache Timeout
Default: 10 hours

CONFIDENTIAL
•  Got it
•  But I just made a bunch of changes on my AD.
Should I need to wait 10 hours?
–  Tune the cache timers
–  “Clear Cache” button on the Authentication Source
•  Wipes out cache for all users
–  “Save” button on the Authentication Source
•  Wipes out cache for all users
–  Restart Policy Server
•  BAD IDEA!!!
Authorization – How?

CONFIDENTIAL
•  If an Authentication/Authorization Source is not
reachable
–  Configure Backup Servers
–  Configure Fail-Over Timeout
Authorization – Uh-Oh!
Fail-Over Timeout
Backup Servers

CONFIDENTIAL
Use Cases – Mergers & Acquisitions
Active Directory
Domain –
avendasys.com
Active Directory
Domain –
arubanetworks.com

CONFIDENTIAL
Authentication &
Authorization
Sources for TLS
Certificate Details
used for
Authorization
Enable Authorization –
Source specified in the
Service
Compare Certificate –
Source specified in the
Service
Use Cases – Certificates & TLS

CONFIDENTIAL
•  LDAP/SQL Interface to Asset Databases
–  Key : MAC Address
–  Authorization Attributes
•  Ownership – Corporate vs. Personal
•  Compliance Status – In/Out of compliance
–  Identify corporate-owned non-Windows devices
Use Cases – Asset Databases

CONFIDENTIAL

CONFIDENTIAL
•  Profile & Network Data
•  Automatic Profile “upgrades”
•  Using Profile data in policy
•  Configuring Profile
–  DHCP? HTTP? SNMP?
•  Use Cases

CONFIDENTIAL
•  What does ClearPass use to profile?
–  MAC OUIs
–  DHCP Request, DHCP Offer
–  HTTP User-Agent
–  MDM Fingerprints
–  Device Interrogation
–  SNMP/CDP/LLDP Data
Profile & Network Data

CONFIDENTIAL
Fingerprint Updates
•  Subscribe to Fingerprint Updates
–  Automatic reclassification
–  Updated frequently
•  Tell Aruba!
–  Create policy exceptions
–  Grab fingerprints from UI
–  Send fingerprints to Aruba
–  Crowd-sourced, community oriented

CONFIDENTIAL
•  Automatic 3-level categorization
–  Device Category, OS Family, Device Name
•  Using raw profile data
–  DHCP Data, HTTP User-Agent, SNMP Data
•  Role Mapping
–  What should I use?
•  Enforcement
–  How do I enforce?
–  What are the benefits?
Using Profile data in policy

CONFIDENTIAL
•  DHCP Relay
–  Where should I setup DHCP relays?
•  Captive Portal Configuration
–  Is there a knob for this?
•  Reading SNMP Data
–  CDP
–  LLDP
–  HR MIB
–  SysDescr MIB
Configuring Profile – Network
Considerations

CONFIDENTIAL
•  Policy – CEOs & iPads
•  Policy – “Headless” Devices
•  Visibility – Demystifying BYODs
Use Cases

CONFIDENTIAL
Use Cases – CEOs & iPads
Assign Roles
Enforce Access

CONFIDENTIAL
Use Cases – Headless Devices
Identify & Assign
Roles To Headless
Devices

CONFIDENTIAL
Use Cases – Visibility

CONFIDENTIAL

CONFIDENTIAL
•  Clustering Technology
–  What’s replicated? What’s not?
•  Deploying ClearPass Clusters
–  Considerations
•  Operations & Maintenance
–  What happens when a ClearPass node is down?
–  Events & Alerts
–  Rescue & Recovery

CONFIDENTIAL
•  What’s replicated?
–  All policy configuration elements
–  All Audit data
–  All identity store data
•  Guest Accounts, Endpoints, Profile data
–  Runtime Information
•  Authorization status, Posture status, Roles
•  Connectivity Information, NAS Details
–  Database replication on port# 5432 over SSL
–  Runtime replication on port# 443 over SSL
Clustering Technology

CONFIDENTIAL
•  What’s not replicated?
–  Log files
–  Authentication Records
–  Accounting Records
–  System Events
–  System Monitor Data
Clustering Technology

CONFIDENTIAL
•  How do they connect?
–  Requires IP connectivity (bi-directional)
•  Port # 5432 (Database over SSL)
•  Port# 80 (HTTP)
•  Port #443 (HTTPS)
•  Port #123 (NTP)
•  How much data should we expect to see
crossing the wire?
–  Only elements in the configuration database
–  First sync is a full database copy
–  Subsequent sync – Delta changes propagated
Clustering – Considerations

CONFIDENTIAL
PUBLISHER
SUBSCRIBER
1
SUBSCRIBER
2
SUBSCRIBER
3
SUBSCRIBER
4
SUBSCRIBER
5
SUBSCRIBER
6
Hub & Spoke

CONFIDENTIAL
CPPM – Publisher
DNS
DHCP
Identity
Stores
Main Data Center
Mid-size Branch
Regional Office
DMZ
CPPM
Subscriber
VM
CP Guest
CP Onboard
CPPM
Subscriber
CPPM
Subscriber
•  Central / Distributed Admin Domains
•  Redundancy/Load Balancing
•  Cluster wide licenses

CONFIDENTIAL
•  What happens when a node goes down?
–  Operations
•  If Deployed Right – Nothing
•  RADIUS Backup settings on the NAS
–  If the Publisher goes down
•  No Database Writes Allowed!!
•  Promote a Subscriber to a Publisher
•  Resume configuration updates
Operations & Maintenance

CONFIDENTIAL
•  How long before ClearPass figures out
something’s wrong?
–  24 hours before it automatically “drops” a node from the
cluster
–  Cluster Synchronization Warnings
•  1 event every hour x 24 hours = 24 events
–  CPU/Memory Usage Warnings  Every 2 Minutes
–  Server Certificate Warnings  Every 24 Hours
–  Service Alerts  Immediate
•  Email/SMS Alerts using Insight, Syslog & SNMP
Events & Alerts

CONFIDENTIAL
•  Rescue & Recovery
–  Establish cluster connectivity
•  Database sync will ensue. Watch for “Last Sync Time”
–  Restore certificates
•  Server Certificates are not installed as a part of the sync
–  Restore log entries (If necessary)
•  Caveat : High disk activity for an extended period of time
–  Verify fail-back on the NAS
•  NAS fail-back timers should kick in
Operations & Maintenance

CONFIDENTIAL
Q & A

CONFIDENTIAL

Clear pass policy manager advanced_ashwath murthy

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Clear pass policy manager advanced_ashwath murthy (20)

More from Aruba, a Hewlett Packard Enterprise company (20)

Recently uploaded (20)

Clear pass policy manager advanced_ashwath murthy