#airheadsconf ClearPass Policy Manager – Advanced Ashwath Murthy 03/15/2013

Upload: airheads-community

Post on 15-Jan-2015


TRANSCRIPT

Page 1: ClearPass Policy Manager – Advanced

CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 1 #airheadsconf #airheadsconf

ClearPass Policy Manager – Advanced
Ashwath Murthy
03/15/2013

Page 2: Agenda

•  ClearPass – Policy Model
•  Authorization – What and Why?
•  Profile – How does it work?
•  Clustering & Deployment
•  Q & A

Page 3: ClearPass Policy Model

Page 4: ClearPass Policy Model

•  What constitutes the policy model?
•  How does it work?
•  What are the interactions between various components?
•  How does the policy model affect configuration & deployment?

Page 5: ClearPass Policy Model

Policy is assembled from four groups of attributes (diagram):

•  Identity
   –  Role
   –  Department
   –  Group
•  Health
   –  AV, AS, FW
   –  Registry Keys
   –  Services…
•  Device
   –  Device type, status, health
   –  Address, O/S
   –  Corp. Owned
•  Conditions
   –  Time
   –  Location
   –  Day of Week

Page 6: What’s the flow?

•  Authenticate – Valid Authentication
•  Authorize – Find Out What’s Allowed
•  Associate Context – Device, Time, Location, Posture
•  Enforce on NAS – Roles, ACLs, VLANs

Page 7: What Are The Interactions?

•  RADIUS Server – Authenticate
•  Policy Server – Authorize
•  Policy Server – Associate Context
•  Policy Server – Decision Tree
•  RADIUS Server – Enforce

Page 8: Service Flow – 802.1X

Flow diagram, in order:

•  Layer 2 RADIUS Request
•  Layer 2 Authentication
•  Layer 2 Authorization
•  Layer 2 Role Derivation
•  Layer 2 RADIUS Enforcement
•  Layer 3 Profile
•  Layer 2 NAP
•  Layer 3 OnGuard

Page 9: Service Flow – Implications

•  Layer 2 Authentications are completed first
   –  Full Authorization
   –  Role Derivation
   –  NAP (if enabled)
   –  Layer 2 Enforcement
•  Layer 3: Profile next
   –  DHCP Request, DHCP Offer
   –  RFC 3576 – Change of Authorization
      •  Another Layer 2 authentication!
   –  No RFC 3576 message if “fingerprint” does not change
•  Layer 3: Collect Posture last (OnGuard)
   –  Posture over HTTPS
   –  RFC 3576 based on policy
      •  Another Layer 2 authentication!
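Added example, not part of the deck: a small Python simulation of the service flow above that records every Layer 2 authentication and every RFC 3576 CoA, so the effect of the “no CoA unless the fingerprint changes” rule shows up in the counts. The MAC address, the fingerprint strings and the posture CoA policy are constructed for illustration.

```python
# Simulation of the 802.1X service flow as described on the slide (added
# example, not ClearPass code). A CoA always forces another Layer 2
# authentication; Profile sends a CoA only when the fingerprint changes,
# OnGuard posture sends one only when the (constructed) policy says so.

class EndpointSession:
    def __init__(self, mac):
        self.mac = mac
        self.fingerprint = None      # last profile classification seen
        self.posture = None
        self.events = []             # ordered trace: ("L2_AUTH"|"COA", reason)

    def layer2_auth(self, reason):
        # Authentication -> Authorization -> Role Derivation -> Enforcement
        self.events.append(("L2_AUTH", reason))

    def change_of_authorization(self, reason):
        # RFC 3576 CoA to the NAS; the NAS re-authenticates the endpoint
        self.events.append(("COA", reason))
        self.layer2_auth(f"after CoA: {reason}")

    def connect(self):
        self.layer2_auth("initial 802.1X")

    def profile_update(self, fingerprint):
        # Layer 3: DHCP request/offer etc. yield a fingerprint
        changed = fingerprint != self.fingerprint
        self.fingerprint = fingerprint
        if changed:
            self.change_of_authorization("fingerprint changed")
        # unchanged fingerprint: no RFC 3576 message at all

    def posture_result(self, posture, coa_policy):
        # Layer 3: OnGuard posture over HTTPS; CoA decided by policy
        self.posture = posture
        if coa_policy(posture):
            self.change_of_authorization(f"posture {posture}")

    def count(self, kind):
        return sum(1 for k, _ in self.events if k == kind)

def simulate(fingerprints, posture, coa_policy=lambda p: p == "UNHEALTHY"):
    """Return (layer-2 authentications, CoA messages) for one connection."""
    s = EndpointSession("00:11:22:33:44:55")   # constructed MAC address
    s.connect()
    for fp in fingerprints:
        s.profile_update(fp)
    s.posture_result(posture, coa_policy)
    return s.count("L2_AUTH"), s.count("COA")
```

With the default policy, a healthy iPad that keeps its fingerprint is authenticated twice (initial plus one CoA), an unhealthy one three times.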

Page 10: Authorization – What and Why?

Page 11: Authorization – What and Why?

•  Authentication vs. Authorization
•  Authorization & ClearPass
•  Use Cases

Page 12: Authorization & ClearPass

•  “Authorization” Sources in ClearPass
   –  Where do I find them?
   –  How do I use them?
   –  How often does ClearPass talk to an authorization source?
   –  What happens in case something goes wrong?

Page 13: Authorization Sources – Where?

•  An “Authentication Source” is an “Authorization Source”
   –  RADIUS Server vs. Policy Server

Page 14: Authorization Sources – How?

•  Authentication Sources are automatic Authorization Sources
•  Additional Authorization Sources enabled per Service
•  No Authorization unless used in Roles!

Page 15: Authorization Sources – How?

•  Authorize with Active Directory
•  Authorize with Profile Data
•  Rule Algorithm: Evaluate All
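Added example, not ClearPass code: a role-mapping evaluator that merges Active Directory and Profile attributes and runs the rules with the “Evaluate All” algorithm from this slide, contrasted with a first-match algorithm. The rules follow the deck’s CEOs & iPads use case; the source prefixes, the attribute names memberOf, Device Category, OS Family and Corp Owned, and the rule set are constructed for illustration.

```python
# Role mapping over two authorization sources (added example, not ClearPass
# code). "Evaluate All" tests every rule and collects every matching role.
from dataclasses import dataclass
from typing import Callable

Attrs = dict[str, str]

@dataclass
class RoleRule:
    name: str
    condition: Callable[[Attrs], bool]   # tested against the merged attributes
    role: str

def merge_sources(ad: Attrs, profile: Attrs) -> Attrs:
    """Namespace attributes by source so rules can say where a value came from."""
    merged = {f"AD:{k}": v for k, v in ad.items()}            # constructed prefix
    merged.update({f"Profile:{k}": v for k, v in profile.items()})
    return merged

def evaluate_all(rules, attrs):
    """'Evaluate All': every rule is tested and each match adds its role."""
    return [r.role for r in rules if r.condition(attrs)]

def first_match(rules, attrs):
    """Contrast: stop at the first matching rule, so at most one role."""
    for r in rules:
        if r.condition(attrs):
            return [r.role]
    return []

# Constructed rules for the deck's "CEOs & iPads" use case.
RULES = [
    RoleRule("exec-group", lambda a: a.get("AD:memberOf") == "Executives", "Executive"),
    RoleRule("apple-tablet", lambda a: a.get("Profile:Device Category") == "SmartDevice"
             and a.get("Profile:OS Family") == "Apple", "iPad-User"),
    RoleRule("corp-owned", lambda a: a.get("Profile:Corp Owned") == "true", "Corporate-Device"),
]

def derive_roles(ad, profile, algorithm="evaluate-all"):
    """Role derivation step: merge the authorization sources, then apply the rules."""
    attrs = merge_sources(ad, profile)
    algo = evaluate_all if algorithm == "evaluate-all" else first_match
    return algo(RULES, attrs)

if __name__ == "__main__":
    ceo = {"memberOf": "Executives", "department": "Management"}
    ipad = {"Device Category": "SmartDevice", "OS Family": "Apple", "Corp Owned": "false"}
    print(derive_roles(ceo, ipad))                  # ['Executive', 'iPad-User']
    print(derive_roles(ceo, ipad, "first-match"))   # ['Executive']
```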

Page 16: Authorization – How?

•  Ok, great. But will ClearPass flood my AD with authorization requests?
   –  Authorization data is cached per user
   –  New request made to fetch data once the cache expires
   –  Cache timers can be tuned
•  Cache Timeout Default: 10 hours

Page 17: Authorization – How?

•  Got it. But I just made a bunch of changes on my AD. Do I need to wait 10 hours?
   –  Tune the cache timers
   –  “Clear Cache” button on the Authentication Source
      •  Wipes out cache for all users
   –  “Save” button on the Authentication Source
      •  Wipes out cache for all users
   –  Restart Policy Server
      •  BAD IDEA!!!
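Added example, not ClearPass code: a per-user authorization cache that models the behaviour on the two slides above, with the 10-hour default timeout, a fetch counter showing the directory is contacted once per user per cache period, and “Clear Cache”/“Save” wiping the cache for every user. The AuthorizationSource class, the injected clock and the sample directory are constructed for illustration.

```python
# Per-user authorization cache (added example, not ClearPass code).
import time
from typing import Callable

DEFAULT_CACHE_TIMEOUT = 10 * 60 * 60   # slide default: 10 hours, in seconds

class AuthorizationSource:
    def __init__(self, name, fetch: Callable[[str], dict],
                 cache_timeout=DEFAULT_CACHE_TIMEOUT, clock=time.time):
        self.name = name
        self._fetch = fetch            # talks to the real backend, e.g. AD
        self.cache_timeout = cache_timeout
        self._clock = clock            # injectable so the demo can fast-forward
        self._cache = {}               # user -> (fetched_at, attributes)
        self.fetch_count = 0           # how often the backend was really hit

    def authorize(self, user):
        """Return authorization attributes, fetching only when no fresh entry exists."""
        now = self._clock()
        hit = self._cache.get(user)
        if hit and now - hit[0] < self.cache_timeout:
            return hit[1]
        attrs = self._fetch(user)
        self.fetch_count += 1
        self._cache[user] = (now, attrs)
        return attrs

    def clear_cache(self):
        """'Clear Cache' button: wipes cached data for all users."""
        self._cache.clear()

    def save(self, **settings):
        """'Save' on the source: applies settings and also wipes all users."""
        if "cache_timeout" in settings:
            self.cache_timeout = settings["cache_timeout"]
        self.clear_cache()

def demo():
    """Walk through the slide: cache hit, expiry, stale data after an AD change, clear."""
    clock = [0.0]
    directory = {"alice": {"memberOf": "Executives"}}       # constructed AD stand-in
    src = AuthorizationSource("AD", directory.__getitem__, clock=lambda: clock[0])
    src.authorize("alice"); src.authorize("alice")           # second call is a cache hit
    after_two = src.fetch_count                               # 1
    clock[0] += DEFAULT_CACHE_TIMEOUT                         # entry expires
    src.authorize("alice")
    after_expiry = src.fetch_count                            # 2
    directory["alice"] = {"memberOf": "Contractors"}          # change made in AD
    stale = src.authorize("alice")["memberOf"]                # still "Executives"
    src.clear_cache()                                         # or src.save(...)
    fresh = src.authorize("alice")["memberOf"]                # "Contractors"
    return after_two, after_expiry, stale, fresh
```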

Page 18: Authorization – Uh-Oh!

•  If an Authentication/Authorization Source is not reachable
   –  Configure Backup Servers
   –  Configure Fail-Over Timeout

Page 19: Use Cases – Mergers & Acquisitions

•  Active Directory Domain – avendasys.com
•  Active Directory Domain – arubanetworks.com

Page 20: Use Cases – Certificates & TLS

•  Authentication & Authorization Sources for TLS
•  Certificate Details used for Authorization
•  Enable Authorization – Source specified in the Service
•  Compare Certificate – Source specified in the Service

Page 21: Use Cases – Asset Databases

•  LDAP/SQL Interface to Asset Databases
   –  Key: MAC Address
   –  Authorization Attributes
      •  Ownership – Corporate vs. Personal
      •  Compliance Status – In/Out of compliance
   –  Identify corporate-owned non-Windows devices

Page 22: Profile – How does it work?

Page 23: Profile – How does it work?

•  Profile & Network Data
•  Automatic Profile “upgrades”
•  Using Profile data in policy
•  Configuring Profile
   –  DHCP? HTTP? SNMP?
•  Use Cases

Page 24: Profile & Network Data

•  What does ClearPass use to profile?
   –  MAC OUIs
   –  DHCP Request, DHCP Offer
   –  HTTP User-Agent
   –  MDM Fingerprints
   –  Device Interrogation
   –  SNMP/CDP/LLDP Data

Page 25: Fingerprint Updates

•  Subscribe to Fingerprint Updates
   –  Automatic reclassification
   –  Updated frequently
•  Tell Aruba!
   –  Create policy exceptions
   –  Grab fingerprints from UI
   –  Send fingerprints to Aruba
   –  Crowd-sourced, community oriented

Page 26: Using Profile data in policy

•  Automatic 3-level categorization
   –  Device Category, OS Family, Device Name
•  Using raw profile data
   –  DHCP Data, HTTP User-Agent, SNMP Data
•  Role Mapping
   –  What should I use?
•  Enforcement
   –  How do I enforce?
   –  What are the benefits?

Page 27: Configuring Profile – Network Considerations

•  DHCP Relay
   –  Where should I set up DHCP relays?
•  Captive Portal Configuration
   –  Is there a knob for this?
•  Reading SNMP Data
   –  CDP
   –  LLDP
   –  HR MIB
   –  SysDescr MIB

Page 28: Use Cases

•  Policy – CEOs & iPads
•  Policy – “Headless” Devices
•  Visibility – Demystifying BYODs

Page 29: Use Cases – CEOs & iPads

•  Assign Roles
•  Enforce Access

Page 30: Use Cases – Headless Devices

•  Identify & Assign Roles To Headless Devices

Page 31: Use Cases – Visibility

Page 32: Clustering & Deployment

Page 33: Clustering & Deployment

•  Clustering Technology
   –  What’s replicated? What’s not?
•  Deploying ClearPass Clusters
   –  Considerations
•  Operations & Maintenance
   –  What happens when a ClearPass node is down?
   –  Events & Alerts
   –  Rescue & Recovery

Page 34: Clustering Technology

•  What’s replicated?
   –  All policy configuration elements
   –  All Audit data
   –  All identity store data
      •  Guest Accounts, Endpoints, Profile data
   –  Runtime Information
      •  Authorization status, Posture status, Roles
      •  Connectivity Information, NAS Details
   –  Database replication on port 5432 over SSL
   –  Runtime replication on port 443 over SSL

Page 35: Clustering Technology

•  What’s not replicated?
   –  Log files
   –  Authentication Records
   –  Accounting Records
   –  System Events
   –  System Monitor Data

Page 36: Clustering – Considerations

•  How do they connect?
   –  Requires IP connectivity (bi-directional)
      •  Port 5432 (Database over SSL)
      •  Port 80 (HTTP)
      •  Port 443 (HTTPS)
      •  Port 123 (NTP)
•  How much data should we expect to see crossing the wire?
   –  Only elements in the configuration database
   –  First sync is a full database copy
   –  Subsequent sync – Delta changes propagated

Page 37: Clustering – Considerations

Diagram – Hub & Spoke: one PUBLISHER at the hub, SUBSCRIBER 1 through SUBSCRIBER 6 as spokes.

Page 38: Clustering – Considerations

Diagram – distributed deployment across Main Data Center, Mid-size Branch, Regional Office and DMZ, with the CPPM Publisher, DNS/DHCP and Identity Stores, a CPPM Subscriber VM, two further CPPM Subscribers, CP Guest and CP Onboard.

•  Central / Distributed Admin Domains
•  Redundancy/Load Balancing
•  Cluster wide licenses

Page 39: Operations & Maintenance

•  What happens when a node goes down?
   –  Operations
      •  If Deployed Right – Nothing
      •  RADIUS Backup settings on the NAS
   –  If the Publisher goes down
      •  No Database Writes Allowed!!
      •  Promote a Subscriber to a Publisher
      •  Resume configuration updates

Page 40: Events & Alerts

•  How long before ClearPass figures out something’s wrong?
   –  24 hours before it automatically “drops” a node from the cluster
   –  Cluster Synchronization Warnings
      •  1 event every hour x 24 hours = 24 events
   –  CPU/Memory Usage Warnings – Every 2 Minutes
   –  Server Certificate Warnings – Every 24 Hours
   –  Service Alerts – Immediate
•  Email/SMS Alerts using Insight, Syslog & SNMP
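Added example, not ClearPass code: detection logic that counts the hourly cluster synchronization warnings per subscriber and escalates well before the 24-hour automatic drop described on this slide. The syslog line format, host names, timestamps and the escalation threshold are constructed; real ClearPass events will look different.

```python
# Count cluster sync warnings per node and escalate early (added example).
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTO_DROP_AFTER = timedelta(hours=24)   # slide: node dropped after 24 hourly warnings
ESCALATE_AFTER = 3                      # constructed threshold: page someone early

# Constructed log format (assumption, not ClearPass's real event format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) cppm-pub ClusterSync: WARN sync with (?P<node>\S+) failed$")

def parse(line):
    """Return (timestamp, node) for a sync warning, None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["node"]

def evaluate(lines):
    """Per node: (warning count, hours left before auto-drop, escalate?)."""
    first_seen, count, last_ts = {}, defaultdict(int), None
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue                    # unrelated log line
        ts, node = parsed
        first_seen.setdefault(node, ts)
        count[node] += 1
        last_ts = ts
    report = {}
    for node, n in count.items():
        remaining = AUTO_DROP_AFTER - (last_ts - first_seen[node])
        report[node] = (n, round(remaining.total_seconds() / 3600, 1),
                        n >= ESCALATE_AFTER)
    return report

# Constructed sample: the DMZ subscriber has missed four hourly syncs.
SAMPLE_LOG = """\
2013-03-15T02:00:00 cppm-pub ClusterSync: WARN sync with cppm-sub-dmz failed
2013-03-15T02:00:05 cppm-pub RADIUS: INFO Access-Accept user=alice
2013-03-15T03:00:00 cppm-pub ClusterSync: WARN sync with cppm-sub-dmz failed
2013-03-15T04:00:00 cppm-pub ClusterSync: WARN sync with cppm-sub-dmz failed
2013-03-15T05:00:00 cppm-pub ClusterSync: WARN sync with cppm-sub-dmz failed
2013-03-15T05:00:00 cppm-pub ClusterSync: WARN sync with cppm-sub-branch failed
""".splitlines()

if __name__ == "__main__":
    for node, (n, hours_left, escalate) in evaluate(SAMPLE_LOG).items():
        print(f"{node}: {n} warnings, {hours_left}h to auto-drop, escalate={escalate}")
```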

Page 41: Operations & Maintenance

•  Rescue & Recovery
   –  Establish cluster connectivity
      •  Database sync will ensue. Watch for “Last Sync Time”
   –  Restore certificates
      •  Server Certificates are not installed as a part of the sync
   –  Restore log entries (if necessary)
      •  Caveat: High disk activity for an extended period of time
   –  Verify fail-back on the NAS
      •  NAS fail-back timers should kick in

Page 42: Q & A

Page 43: Thank You
