#ATM15 |
Access Management with Aruba ClearPass Live Walkthrough of Config, Troubleshooting, and User Experience
March 2015
@ArubaNetworks
CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved
Agenda
• Review existing customer deployment
• Customer Challenges and Solutions
• Live Config, Authentication, and Troubleshooting Walkthrough
Existing Customer Deployment
• Enterprise environment with:
  – 802.1X WLAN
    • EAP-PEAP/MSCHAPv2 with Active Directory
  – User authentication
  – Corporate laptops
    • No checks & balances for validation
Three new initiatives
1. MDM Rollout
   – Client Services Team deploying MobileIron
   – Enrollment of all mobile devices
2. Palo Alto Firewall Deployment
   – Security Team chose Palo Alto as the new Internet Gateway platform
3. Visitor Network with ClearPass Guest
   – ClearPass Guest for Visitor Access
Next-Generation Solutions
• Limit access to only:
  – MDM-enrolled
  – Corporate laptops
• Granular user/device policies
  – Only marketing folks permitted to social media sites
• Prohibit corporate devices from the Guest network
  – Open HelpDesk incident for violators
How do I integrate with these solutions?
Use ClearPass Exchange! Use Post_Authentication Enforcement Profiles!
ClearPass Exchange Recipes
Recipe site and tech note available to help you with your integrations:
– Site: http://community.arubanetworks.com/t5/ClearPass-Exchange-Recipes/tkbc-p/clearpass-recipes
– TechNote: http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15508
– Not to be confused with Aruba Solution Exchange: http://ase.arubanetworks.com (more on this at the end)
Lab Setup
Lab Workflow – 802.1X
SSID: CP-Atm-dot1x (PEAP-MSCHAPv2)
Corporate Device?
  – No: Redirect to information page
  – Yes: User?
      • Marketing: Full Internet (including social media)
      • Everyone else: Limited Internet (no social media)
Enforcement
RADIUS REQUEST → Service Matching → Authentication → Authorization → Role Mapping → Enforcement
Enforcement outputs:
  – RADIUS RESPONSE
  – HTTP ENFORCEMENT
  – RADIUS Accounting (new in CP 6.5) – target: Checkpoint, Fortinet, Websense, others via ACCT Proxy
802.1X Demo
• Audience
  – Use your personal SmartDevice
  – You will be redirected.
• Presenter
  – Connect with corporate SmartDevice
  – mark is in Marketing.
  – jsmith is not in Marketing.
SSID: CP-Atm-dot1x   Username: jsmith or mark   Password: atm2015
Lab Workflow - Guest
SSID: CP-Atm-Guest (open)
Corporate Device?
  – No: Guest Self-Registration workflow
  – Yes:
      • AOS: Redirect to corporate security guidelines
      • ServiceNow: Open HelpDesk Incident
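The two lab workflows above (802.1X and Guest) and the enforcement pipeline (service matching, authentication, authorization, role mapping, enforcement) can be modelled as data-driven rules. The following Python is an added example written for this walkthrough, not ClearPass code or the presenter's configuration: role mapping adds every role whose condition holds, the enforcement policy takes the first matching rule, and the resulting profiles are split into what goes back in the RADIUS response and what fires as HTTP (post-authentication) enforcement. The attribute Endpoint:MDM-Enrolled, the AD group check, and all role and profile names are assumptions chosen for the example.

```python
from typing import Callable

# Attribute names follow the Namespace:Attribute form used by ClearPass.
# Endpoint:MDM-Enrolled, the role names and the profile names below are
# assumptions for this example, not the presenter's ClearPass configuration.

# Service matching: the SSID in the RADIUS request selects the service,
# and with it the authentication method and the enforcement policy.
SERVICES = {
    "CP-Atm-dot1x": {"auth": "EAP-PEAP/MSCHAPv2 (Active Directory)", "policy": "dot1x-policy"},
    "CP-Atm-Guest": {"auth": "open (web login)", "policy": "guest-policy"},
}

# Role mapping: every rule whose condition holds adds its role, so one
# session can carry several roles (e.g. Corporate-Device and Marketing).
ROLE_MAPPING_RULES = [
    (lambda a: a.get("Endpoint:MDM-Enrolled") == "true", "Corporate-Device"),
    (lambda a: "Marketing" in a.get("Authorization:AD:memberOf", ()), "Marketing"),
]

# Enforcement policies: rules are evaluated top to bottom, the first match
# wins, and the default profile applies when nothing matches.
ENFORCEMENT_POLICIES = {
    "dot1x-policy": {
        "rules": [
            (lambda r: {"Corporate-Device", "Marketing"} <= r, ["RADIUS:Full-Internet"]),
            (lambda r: "Corporate-Device" in r, ["RADIUS:Limited-Internet"]),
        ],
        "default": ["RADIUS:Redirect-Information-Page"],
    },
    "guest-policy": {
        "rules": [
            (lambda r: "Corporate-Device" in r,
             ["RADIUS:Redirect-Security-Guidelines", "HTTP:ServiceNow-Open-Incident"]),
        ],
        "default": ["RADIUS:Guest-Self-Registration"],
    },
}


def map_roles(attrs):
    """Return the set of roles whose mapping condition holds for this session."""
    return {role for cond, role in ROLE_MAPPING_RULES if cond(attrs)}


def enforce(ssid, attrs):
    """Run service matching, role mapping and enforcement for one request.

    RADIUS profiles are returned in the Access-Accept; HTTP profiles fire
    post-authentication against an endpoint context server (e.g. ServiceNow).
    """
    service = SERVICES[ssid]
    roles = map_roles(attrs)
    policy = ENFORCEMENT_POLICIES[service["policy"]]
    profiles = next((p for cond, p in policy["rules"] if cond(roles)), policy["default"])
    return {
        "auth": service["auth"],
        "roles": sorted(roles),
        "radius": [p for p in profiles if p.startswith("RADIUS:")],
        "http": [p for p in profiles if p.startswith("HTTP:")],
    }


# Constructed sessions mirroring the demo users on the slides.
MARK = {"Endpoint:MDM-Enrolled": "true", "Authorization:AD:memberOf": ["Marketing", "Staff"]}
JSMITH = {"Endpoint:MDM-Enrolled": "true", "Authorization:AD:memberOf": ["Staff"]}
PERSONAL = {}  # audience device: not enrolled, no AD group membership

if __name__ == "__main__":
    for ssid in SERVICES:
        for name, attrs in (("mark", MARK), ("jsmith", JSMITH), ("personal", PERSONAL)):
            print(ssid, name, enforce(ssid, attrs))
```

Running the block prints, for each SSID and session, the roles that were mapped and the RADIUS and HTTP profiles that would apply; the guest case for a corporate device shows both a RADIUS redirect and the HTTP profile that opens the HelpDesk incident.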
Three components to HTTP enforcement
1. Endpoint Context Server – define the external server (e.g. IP address, credentials)
2. Context Server Action – define the action to take place (e.g. open a helpdesk ticket, send a push notification)
3. Enforcement Profile – joins the Endpoint Context Server with the Context Server Action
Endpoint Context Server
1. Endpoint Context Server
Context Server Action
2. Context Server Action
Enforcement Profile
3. Enforcement Profile
Using Dynamic Variables in ClearPass
• Almost all of the “context” that is collected by ClearPass can be called up and used via dynamic “namespace” variables.
• For example:
  – %{Radius:Aruba:Aruba-Location-Id}
  – %{Connection:Client-Mac-Address-Colon}
  – %{Endpoint:AD_Name}
• These can be used in:
  – Service Matching
  – Role mapping
  – Enforcement profiles and policies
  – Auth source filters/queries
  – Context Server Actions
• When used, the variable is replaced dynamically with the value pertaining to that device or user.
Context Examples
Using Dynamic Variable Examples
{
  "short_description": "Corporate Device on the Guest Network",
  "priority": "3",
  "description": "Offending Device:\n User: %{Endpoint:AD_Name}\n Mac Address: %{Connection:Client-Mac-Address-Colon}\n Location: %{Radius:Aruba:Aruba-Location-Id}",
  "u_category": "71feaf0f8c00d100a4e1ee6a09f9bc72",
  "u_subcategory": "02feaf0f8c00d100a4e1ee6a09f9bc29",
  "assigned_to": "mobileadmin"
}
Context Server Action – POST to ServiceNow.
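To make the dynamic-variable mechanism from the previous slides concrete, here is an added Python example (not ClearPass code, and not the presenter's configuration) that expands `%{Namespace:Attribute}` references against a session's context and builds the ServiceNow incident body shown above. It uses the three variables and the field template from the slides; the sample context values and the helper names (`expand`, `build_incident`, `missing_variables`) are constructed for this example. It also shows why the expansion should happen per field, before serializing: substituting into already-serialized JSON text lets an attribute value that contains a double quote produce an invalid request body, which the context server then rejects and the incident is never opened.

```python
import json
import re

# Constructed sample of the context ClearPass would hold for one session
# (the values are made up for this example).
SAMPLE_CONTEXT = {
    "Endpoint:AD_Name": "jsmith",
    "Connection:Client-Mac-Address-Colon": "64:20:0c:3d:8f:d7",
    "Radius:Aruba:Aruba-Location-Id": "HQ-Floor3-AP12",
}

# Field template from the slide's Context Server Action; u_category and
# u_subcategory are the sys_ids shown on the slide.
INCIDENT_TEMPLATE = {
    "short_description": "Corporate Device on the Guest Network",
    "priority": "3",
    "description": (
        "Offending Device:\n User: %{Endpoint:AD_Name}\n"
        " Mac Address: %{Connection:Client-Mac-Address-Colon}\n"
        " Location: %{Radius:Aruba:Aruba-Location-Id}"
    ),
    "u_category": "71feaf0f8c00d100a4e1ee6a09f9bc72",
    "u_subcategory": "02feaf0f8c00d100a4e1ee6a09f9bc29",
    "assigned_to": "mobileadmin",
}

# Matches %{Namespace:Attribute}; attribute names may contain '-', '_' and ':'.
VAR_RE = re.compile(r"%\{([A-Za-z0-9_:-]+)\}")


def expand(template, context):
    """Replace each %{Namespace:Attribute} with its value from the context.

    A variable with no value for this session expands to an empty string.
    """
    return VAR_RE.sub(lambda m: context.get(m.group(1), ""), template)


def missing_variables(template, context):
    """Names referenced by the template but absent from the context (typo check)."""
    return sorted({n for n in VAR_RE.findall(template) if n not in context})


def build_incident(template_fields, context):
    """Expand every field value separately; the substitution stays inside a
    Python string, so json.dumps escapes quotes, backslashes and newlines."""
    return {k: expand(v, context) for k, v in template_fields.items()}


def serialize_incident(template_fields, context):
    """The request body to POST to the ServiceNow incident table."""
    return json.dumps(build_incident(template_fields, context))


def naive_substitute_into_serialized(template_fields, context):
    """The fragile ordering: serialize first, then expand variables. A value
    containing a double quote lands unescaped inside the JSON text."""
    return expand(json.dumps(template_fields), context)


def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(serialize_incident(INCIDENT_TEMPLATE, SAMPLE_CONTEXT))
```

The same per-field expansion applies to any other Context Server Action body (push notifications, firewall user-ID updates): expand the variables into the field values, then let the JSON encoder produce the body.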
ServiceNow Configuration & Demo
• Let’s configure ServiceNow
  – Use Case: Open a HelpDesk Incident when a corporate device connects to the Guest network
• Use your SmartDevice
  – Register for an account
SSID: CP-Atm-Guest
Web Login Page Customization
• Many customization/personalization options exist in WebLogin pages
  – (Different from your Skin)
• Built-in capability to:
  – Leverage “FontAwesome” fonts
  – Insert other page links
  – Inject PHP code into header/footer
  – Leverage user/device/session variables
• For this, create a “dump” page to see what’s available
Variable Dump Page
https://10.0.0.25/guest/dump.php?mac=64:20:0c:3d:8f:d7
Variable use in WebLogin Pages
• Using HTTP User-Agent:
<p align=center>You are attempting to Onboard your {$_wpl.browser.uaparser.os.family} device with {$_wpl.browser.uaparser.ua.family}, {if $_wpl.browser.uaparser.os.family == "Mac OS X"}please try again using the Safari browser.{/if}</p>
• Using Endpoint attributes:
<p>Attention {$_endpoint.AD_Name}, this device is a corporate asset and therefore should not be accessing the visitor network.</p>
Guest – Weblogin customization
• Let’s explore WebLogin customizations
  – How did we pull the Username onto the page?
  – Let’s see the ‘dump’ page.
Lab Setup
4th Gen Intel NUC D54250WYK – Core i5, 16GB RAM, 512GB SSD – ESXi 5.5 (custom install with Intel ethernet driver net-e1000e)
Aruba 7005 Controller, IAP-205 (in CAP mode)
(Lab topology diagram: Internet, DHCP, Controller with NAT, and an ESXi host running PA-VM, CP-VA-EVAL and Win2k8; the address labels are not recoverable from this export)
Aruba Solution Exchange
ase.arubanetworks.com – Configuration Made Simple – Undo Configs – AOS, Instant, MAS, ClearPass, Juniper, Cisco…