Aruba ClearPass Exchange Deep Dive
#ATM16
ClearPass Exchange
Gary Jenkins / Abhijit Das - CSE
@ArubaNetworks |
What is ClearPass Exchange?
It is a partner ecosystem based on APIs and Syslog messaging that allows customers to share context between ClearPass, MDM/EMM, firewalls, Wi-Fi equipment, wired switches, VPN concentrators and other solutions (SIEM, PMS, trouble-ticket, etc.).
• Included in Base License
• Integrates with virtually any web-based application
• Allows customers to build their own integrations
• Recipes available on Airheads Community
• Built-in native integration (over 65 and counting)
• Build-your-own integrations utilizing HTTP RESTful APIs
Examples of 3rd party integrations
How does the Exchange process work?
Palo Alto Networks Firewall example
Twilio example
How did ClearPass communicate with Twilio?
Twilio communication
Twilio communication
Twilio Actions
How did we get the visitor’s phone #?
From the Guest database!
When do the 3rd party applications update?
It happens in post-authentication
Enforcement Points
[Firewalls] PANW, CheckPoint, FortiNet, Intel MLC, Juniper SRX, iboss
Enforcement
RADIUS REQUEST
Service Matching
Authentication
Authorization
Role Mapping
Enforcement
RADIUS RESPONSE
HTTP ENFORCEMENT
RADIUS Accounting
Target: Checkpoint, Fortinet, Websense, others via ACCT Proxy
Firewall Integration
– Today’s challenge is to allow traffic based upon contextual data such as username
– Session Notification Enforcement is introduced in 6.5.0. Notification of a change in IP address can now be sent to any external context server (such as a firewall) by configuring that server as a generic HTTP server and adding the appropriate generic HTTP context server actions. The content of the payload posted by CPPM to the external server is based on the REST API that the external server defines for communication.
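The receiving side of such a session notification, as an added example that is not from the presentation or from Aruba: a context server validates each posted notification and keeps its user-to-IP mapping current when a device changes address. The field names (`username`, `mac`, `ip`) and the `UserIpTable` class are hypothetical; the real payload is whatever the external server's REST API defines.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


class UserIpTable:
    """User-to-IP mapping held by the receiving context server (hypothetical)."""

    def __init__(self):
        self.by_mac = {}  # normalized MAC -> (username, ip)

    def apply(self, note):
        """Validate one notification dict and update the table.

        Returns 'added', 'moved', 'unchanged' or 'rejected'.
        """
        try:
            user = str(note["username"]).strip()
            mac = str(note["mac"]).lower().replace("-", ":")
            ip = str(ipaddress.ip_address(note["ip"]))
        except (KeyError, TypeError, ValueError):
            return "rejected"  # missing field or malformed IP address
        if not user or not MAC_RE.match(mac):
            return "rejected"
        previous = self.by_mac.get(mac)
        # An IP can belong to one device only: drop stale entries that still
        # claim this address, so policy is never applied to the wrong user.
        for other, (_, other_ip) in list(self.by_mac.items()):
            if other != mac and other_ip == ip:
                del self.by_mac[other]
        self.by_mac[mac] = (user, ip)
        if previous is None:
            return "added"
        return "unchanged" if previous == (user, ip) else "moved"

    def user_for_ip(self, ip):
        """Return the username currently mapped to an IP, or None."""
        for user, mapped_ip in self.by_mac.values():
            if mapped_ip == ip:
                return user
        return None


if __name__ == "__main__":
    table = UserIpTable()
    # Constructed sample notifications: a login followed by an IP change.
    for n in ({"username": "alice", "mac": "AA-BB-CC-00-11-22", "ip": "10.0.0.5"},
              {"username": "alice", "mac": "aa:bb:cc:00:11:22", "ip": "10.0.0.9"}):
        print(table.apply(n), table.user_for_ip("10.0.0.9"))
```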
What ClearPass sees that it can send to the firewall
– When a user authenticates to the wireless or wired network using ClearPass we gather information about the user.
• Username
• AD information
• Domain
• IP address and MAC
• Location
• Device Type
• Device OS
[Network diagram: Internet, Existing Firewall, Next Gen Firewall, Internal Segment (include Staff, Student, Teacher, etc.), ClearPass, MS AD, Controller + AP, LAN Switch, User]
Next Gen Firewall:
• V-wire inline mode
• Monitoring Internet segment
• Provides application visibility
• Enabled Threat Prevention, URL filtering, Wildfire
• User-ID feature
ClearPass:
• Standalone mode
• Integrated with Firewall
• Authentication Users (Students)
• 802.1x Authentication for Wi-Fi
Event Network Diagram Flow
[Network diagram: Internet, Next Gen Firewall, Internal Segment (include Staff, Student, Teacher, etc.), ClearPass, MS AD, Controller + AP, LAN Switch]
If a device breaks one of the firewall rules, the firewall can signal ClearPass, which will signal back to the wired or wireless network to move the device to a quarantine network. It can also send a text to them via Twilio and open a helpdesk ticket.
Mobile Client Enforcement
[MDM] MobileIron, AirWatch, BES, JAMF, Etc., Google Admin Console
MDM Integration – Google Admin Console
– Create account on External Server
• Client ID and Client Secret
Manufacturer, Model – Model, OS version, Serial Number
Owner – Display Name
Ownership – Corporate, Personal
MDM Identifier – MDM Enabled
Security Status – Compromised, Blacklist or Required App Encryption enabled, Last Check-in
Reporting
Splunk, ArcSight, Qradar
ClearPass Splunk App
A rich set of dashboards to visualize and navigate the wealth of information captured by ClearPass.
ClearPass Splunk App – Customer Example
“I had to apply a new radius cert, and for all of the corporate devices (windows and mobile) we have ways to whitelist the radius server certificate in advance, but personal iOS devices detected a cert change and wouldn’t connect until a user drills into their wifi settings and accepts the new cert. Before doing that it just aborts the authentication attempt as soon as it sees the radius server cert doesn’t match what it has cached, which just shows as a timeout in ClearPass. The trend graph using Splunk gave a pretty cool visual of what happened when I made that change, and how it diminished as people figured out they weren’t connecting, drilled in, and accepted the cert. Blue arrow is when I made the change.”
API Explorer
What about talking to ClearPass from another application?
We use the RESTful APIs.
Example profiles:
So, how do we know how to use the APIs?
You can actually try it out in the browser itself by using the API explorer.
The API explorer shows you all the functions that are available:
Let’s take a look at the Guest method under Guest Manager
Under Guest, we can list/add/get/update/replace and delete guests
Before we take a look at the list function, how do we authorize the API call?
Let’s take a look at how to use the list
Results of the call:
Response code and headers of the call:
How to use it in a script?
What’s coming up next in Exchange?