University of Ottawa iPad Deployment - Airheads …community.arubanetworks.com/aruba/attachments/aruba/Chinese/367/1...– SSO support for SAML 2.0 (Service Provider), ... ClearPass-Supported


7/31/2014

CONFIDENTIAL © Copyright 2011. Aruba Networks, Inc. All rights reserved

ClearPass Policy Manager Overview

Xin Mei
[email protected]

PC, Tablet and Mobile Phone Shipments (chart)

Personal devices for work (chart)
By: Dimensional Research 2011

The Network Access Challenge

• Complex to deploy and manage
• Poor security and app management
• Lack of visibility of employee and guest personal devices

IT Confusion

• How do I get personal devices provisioned? NAC? MDM? MAM?
• How do I keep corporate data safe?
• How do I protect my network?
• What if a mobile device is lost?
• How do I maintain user privacy?

Managing Corp and Personal Devices

Device spectrum from Corporate Liable to Employee Liable:

Trusted
• Company-owned
• Fully managed
• Fully controlled

Tolerated
• Company or Employee owned
• Limited visibility
• Limited control

How do I:
• Maintain visibility & control?
• Deliver secure, differentiated access?
• Simplify device provisioning?

Requirement: Securely Support all Devices

The Solution: Best in Class Enterprise Network Access and Policy Management

• Always Connected
• Voice & Video Optimized
• Employee & Corp Owned

Simple & Flexible Workflows
Policies for Network, Device & Apps
Device and App Security & Management

ClearPass Security Architecture (diagram)

• Users / Endpoints
• Identity Stores (Policy Information Points)
• ClearPass Policy Manager: Publisher / PAP / PDP and Subscriber 1 / PDP, deployed as a logical local or remote cluster
• Network Devices (Policy Enforcement Points): the network and the Mobility Controller

Unified Access Control and Visibility (diagram)

ClearPass Policy Manager connects endpoints (Employee Mac, Guest PC via Captive Portal) with DNS/DHCP, Identity Stores and Enterprise Data, providing:
• Simplified Policy Deployment
• Real-time Visibility and Analysis

ClearPass Packaging

ClearPass Policy Manager
• Policy-based AAA Services: RADIUS, TACACS+, SSO-SAML 2.0
• Contextual Policy Elements: time, location, device etc.; 3rd party additional context

OnGuard
• Posture / Health Checks (computers)

Guest
• Secured Guest Access

Onboard
• Device Configuration / Provisioning

Profiler
• Device Identification and Classification

Built-in Advanced Services


SSO & ASO

Leverage network state for application authentication:
1. User requests Cloud App
2. 802.1X Network Auth
3. SAML based SSO
4. App Access Granted

Multi-vendor Policy Enforcement

ClearPass Policy Manager
POLICY ENFORCEMENT: Policy Enforcement Optimized for Aruba, But Works with Any Network

ClearPass Policy Manager

Core AAA Feature support

• Policy-based AAA Services
  – Support for 802.1X, MAC, Web (HTTPS), Certificate based auth
  – EAP support: PEAP, TLS, TTLS, GTC, FAST
  – Read from multiple authentication sources (AD, LDAP, SQL, Kerberos, Oracle LDAP, Token Server)
  – SSO support for SAML 2.0 (Service Provider), Okta
  – Enforcement Options – Aruba Role, VLAN, dACL, VSA, SNMP, HTTP
  – Full TACACS+ services
  – XML APIs to trigger CoA from 3rd party applications
• Contextual Policy Elements
  – Time, location, device, OS version, posture, asset type, etc.
  – Connect to 3rd party systems for additional context

Setting Network Policy Based on Context

Policy Example: use context from ClearPass & external sources to set network policies
• Application installed
  – blacklisted
• Device Profile
  – OS version
  – Endpoint health
  – Jailbreak status
  – Pincode/encryption
• Location
  – Trusted or untrusted network
• Time/Date
  – e.g. in semester
• User/group membership

Use Context to build rich policies

– Layer Profiling, Authentication and multiple Authorization conditions into one policy
– Enforce at the access layer and use CoA for ongoing Authorization

Policy/Services Model

Authentication
• Define Multiple Methods and Sources
• AD, LDAP, SQL, Token Server, Internal db

Authorization
• Same process as above
• Multiple attributes from multiple sources

Roles
• Define identity or device based roles
• Define rules and conditions to assign role

Posture
• Endpoint health collection
• Define level of checks and method

Enforcement
• Rules based on role, condition
• Multiple options - VLAN, ACL, SNMP, SSH, HTTP

ClearPass Guest

ClearPass Guest - Access Features

Self-registration
• Customizable, automated workflows
• Notification via SMS, email, badge printer
• One time registration

Sponsored Guest Access
• Reception sponsor interface
• Email sponsor approval workflow
• Enable any employee to instantly sponsor

Pre-registration
• Bulk import from file, e.g. Excel, text
• Generate visitor badges or notify via branded email templates

3rd Party Integration
• XML APIs for integration with existing applications

Highly Secure Guest Access

• Customizable branding and data entry fields
• No IT involvement
• Automated SMS/email credential delivery
• Sponsor privileges with access verification
• Per session access controls

Automated Guest Self-service

1. New Visitor: collect visitor information
2. Sponsor prompted to confirm that guest is valid
3. ClearPass Policy Manager: account enabled, visitor notified via screen, SMS, or email; visitor can access the network

Customized page (screenshot)

Guest access with MAC cache (diagram: MAC auth)

ClearPass-Supported Social Login Providers

Facebook, Twitter, Bitbucket, Box, Disqus, Dropbox, Eventful, Fitbit, Flickr, Foursquare, Google, Google Apps, Instagram, LinkedIn, Microsoft, Reddit, RightSignature, Salesforce, Scoop.it, StockTwits, SurveyMonkey, Tumblr, VK, Withings, XING, Yahoo

ClearPass Onboard

Simple 802.1X Device Configuration

Network Access: provisions 802.1X configuration; access to Secure Network
User Experience: self-serve connectivity; Windows, Mac, iOS, Android
Impact to IT: eliminates time to provision new devices; allows for faster updates

(Diagram: onboarding via Captive Portal, or Local or Remote Access)

Simplified Enrollment and Provisioning

IT (ClearPass Policy Manager / ClearPass Onboard)
• IT creates configuration and certificate data
• Authorizes BYOD enrollment
• Maintains device database for policies and device revocation

User
• User connects device and is redirected to portal
• Enters AD credentials to begin onboarding device
• Accepts certificate and connects to secure network

Onboard Provisioning (certificate hierarchy diagram)

Root CA → Intermediate CA → Onboard CA (enterprise certificates)
Onboard CA issues the Profile Signing Certificate and Server Certificate (other certificates) and a Device Certificate per device (unique device credentials) …

Built in CA for BYOD (diagram: Built in CA, Device Inventory Data, Network Access, Revoke Device)

ClearPass OnGuard

Compliance Control for Laptops/Desktops

Checks prior to Access (Wireless, Wired, VPN)

Full Access
• Encrypted disk
• Current A/S, A/V Dat file
• All Services on

Quarantine / Remediation
• Firewall on
• Out of date A/V, A/S

Restricted / Denial of Access
• VM not allowed
• Firewall off
• USB Device not allowed

Supported Endpoint Computers

Persistent and Dissolvable Agents

• All Windows Versions
  – Checks for A/V, A/S, FW, registry keys, services, patch mgmt, processes, peer-to-peer apps, USB storage devices, Hot Fixes, VMs, network interfaces, and more…
• Red Hat, CentOS, Fedora, SUSE
  – Status of services, anti-virus and firewall
  – Persistent agent only
• Mac OS X
  – Status of anti-virus, anti-spyware and firewall

ClearPass Posture Screen Views (screenshots)

Example: ClearPass OnGuard Configuration (screenshot): over 150 supported Antivirus products

OnGuard with Aruba Agent

Participants: Windows w/OnGuard Agent, ClearPass Policy Manager (CPPM), Aruba Controller

1. Authentication request is forwarded to CPPM. CPPM sends Quarantine Role to Controller; Controller places endpoint in quarantine.
2. Then one of:
   A. OnGuard returns Good health information, or
   B. OnGuard enables auto-remediation (if enabled on CPPM) and re-authenticates, or
   C. User addresses compliance issues and tries to manually re-authenticate
3. When health is good or remediation is successful, the information is sent back to CPPM. CPPM sends Full Access Role to Controller; Controller applies the role and grants full access.
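The OnGuard exchange above, replayed as an added example that is not part of the original deck or Aruba's code. HealthReport, evaluate_posture and onguard_flow are hypothetical names, and the mapping of checks to the three roles follows the Compliance Control slide as read here.

```python
# Added example (not Aruba's code): simulates the OnGuard posture flow.
# HealthReport, evaluate_posture and onguard_flow are hypothetical names.
from dataclasses import dataclass

FULL = "Full Access"
QUARANTINE = "Quarantine / Remediation"
DENY = "Restricted / Denial of Access"


@dataclass
class HealthReport:
    firewall_on: bool
    av_current: bool        # A/V and A/S DAT files up to date
    disk_encrypted: bool
    all_services_on: bool
    vm_running: bool        # VMs are not allowed
    usb_storage: bool       # USB storage devices are not allowed


def evaluate_posture(h: HealthReport) -> str:
    """Map a health report to an enforcement role; most restrictive rule wins."""
    if h.vm_running or h.usb_storage or not h.firewall_on:
        return DENY                 # hard violations: restricted / denied
    if not (h.av_current and h.disk_encrypted and h.all_services_on):
        return QUARANTINE           # fixable: quarantine and remediate
    return FULL


def onguard_flow(h: HealthReport, auto_remediate: bool = True):
    """Replay the exchange: CPPM quarantines first, OnGuard reports health,
    auto-remediation (if enabled) refreshes A/V and re-authenticates."""
    log = ["controller -> cppm: authentication request",
           "cppm -> controller: Quarantine Role (endpoint quarantined)"]
    role = evaluate_posture(h)
    log.append(f"onguard -> cppm: health = {role}")
    if role == QUARANTINE and auto_remediate:
        # assumption: remediation can update A/V definitions only; disk
        # encryption and stopped services are left for the user to fix
        h.av_current = True
        role = evaluate_posture(h)
        log.append(f"onguard -> cppm: remediated, re-auth, health = {role}")
    log.append(f"cppm -> controller: {role} Role")   # CoA with the final role
    return role, log


if __name__ == "__main__":
    stale = HealthReport(True, False, True, True, False, False)   # constructed
    final, messages = onguard_flow(stale)
    print("\n".join(messages), "\nfinal role:", final)
```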

ClearPass Profiler

5-Tier Device Profiling (diagram, tiers plotted against accuracy)

• Baseline fingerprinting
• Events-centric fingerprinting
• Network heuristics profiling
• Identity centric profiling
• Device provisioning
Example classification: iPad 1, iOS 5.0.1

Data Collectors: SNMP, DHCP, HTTP, ActiveSync, IF-MAP, AD, OnGuard
Enterprise Infrastructure: Policy Manager, Mobility Controller

What is Profiled

ClearPass Profile covers:
• Smart Devices
• Laptops/Desktops
• Network/Non Login Devices

Profile Dashboard View (screenshot)

• Active Filtering
• Detailed Session Info
• Device Visibility Per Classification
• Real-time tracking

Fingerprint Dictionary Updates (screenshot)

• Updates improve visibility
• Over 110 device dictionaries

ClearPass Others

AirGroup Use-cases (diagram)

Aruba Access Network, with devices grouped into AirGroups:
• Personal AirGroup “CFO”
• Local AirGroup “Apple TVs”
• Shared AirGroup “Teachers”
• Local AirGroup “Printers”

Devices shown: AppleTV in the meeting room, AppleTV in the classroom, Printer in Administrator's office, Printer in the copy room, Admin’s iPad, Teacher Macbook, Laptop in close proximity, iPhone in close proximity

Reporting: Insight 2.0 (screenshot)

Summary

• Complete Visibility, Workflow and Security Access Management
• One Platform for all things Access
• Multi-vendor Independence
• Scalability to One Million Endpoints

Thank you!