Aruba ClearPass Exchange Deep Dive

Post on 08-Jan-2017

Transcript of Aruba ClearPass Exchange Deep Dive

#ATM16

ClearPass Exchange

Gary Jenkins / Abhijit Das - CSE

@ArubaNetworks |

What is ClearPass Exchange?

It is a partner ecosystem based on APIs and Syslog messaging that allows customers to share context between ClearPass, MDM/EMM, Firewalls, Wi-Fi equipment, Wired switches, VPN concentrators and other solutions (SIEM, PMS, Trouble-ticket, etc.).

• Included in Base License

• Integrates with virtually any web based application

• Allows customers to build their own integrations

• Recipes available on Airheads Community

• Built-in native integration (over 65 and counting)

• Build-your-own integrations utilizing HTTP RESTful APIs

Examples of 3rd party integrations

How does the Exchange process work?

Palo Alto Networks Firewall example

Twilio example

How did ClearPass communicate with Twilio?

Twilio communication

Twilio communication

Twilio Actions

How did we get the visitor’s phone #?

From the Guest database!

When do the 3rd party applications update?

It happens in post-authentication

Enforcement Points

[Firewalls] PANW, CheckPoint, FortiNet, Intel MLC, Juniper SRX, iboss

Enforcement

RADIUS REQUEST

Service Matching

Authentication

Authorization

Role Mapping

Enforcement

RADIUS RESPONSE

HTTP ENFORCEMENT

RADIUS Accounting

Target: Checkpoint, Fortinet, Websense, others via ACCT Proxy

Firewall Integration

– Today’s challenge is to allow traffic based upon contextual data such as username

– Session Notification Enforcement is introduced in 6.5.0. Notification of a change in IP address can now be sent to any external context server (such as a firewall) by configuring that server as a generic HTTP server and adding the appropriate generic HTTP context server actions. The content of the payload that CPPM posts to the external server is based on the REST API that the external server defines for communication.

What ClearPass sees that it can send to the firewall

– When a user authenticates to the wireless or wired network using ClearPass, we gather information about the user.

• Username

• AD information

• Domain

• IP address and MAC

• Location

• Device Type

• Device OS

[Diagram labels: Internet; Internal Segment (include Staff, Student, Teacher, etc); Existing Firewall; Next Gen Firewall; ClearPass; MS AD; User; Controller + AP; LAN Switch]

• V-wire inline mode

• Monitoring Internet segment

• Provides application visibility

• Enabled Threat Prevention, URL filtering, Wildfire

• User-ID feature

• Standalone mode

• Integrated with Firewall

• Authentication Users (Students)

• 802.1x Authentication for Wi-Fi

Event Network Diagram Flow

[Diagram labels: Internet; Internal Segment (include Staff, Student, Teacher, etc); Next Gen Firewall; ClearPass; MS AD; Controller + AP; LAN Switch]

If a device breaks one of the firewall rules, the firewall can signal ClearPass, which will signal back to the wired or wireless network to move the device to a quarantine network. It can also send a text to them via Twilio and open a helpdesk ticket.

Mobile Client Enforcement

[MDM] MobileIron, AirWatch, BES, JAMF, Etc., Google Admin Console

MDM Integration – Google Admin Console

– Create account on External Server

• Client ID and Client Secret

Manufacturer, Model

– Model, OS version, Serial Number

Owner

– Display Name

Ownership

– Corporate, Personal

MDM Identifier

– MDM Enabled

Security Status

– Compromised, Blacklist or Required App Encryption enabled, Last Check-in

Reporting

Splunk, ArcSight, Qradar

ClearPass Splunk App

A rich set of dashboards to visualize and navigate the wealth of information captured by ClearPass.

ClearPass Splunk App – Customer Example

“I had to apply a new radius cert, and for all of the corporate devices (Windows and mobile) we have ways to whitelist the radius server certificate in advance, but personal iOS devices detected a cert change and wouldn’t connect until a user drills into their wifi settings and accepts the new cert. Before doing that it just aborts the authentication attempt as soon as it sees the radius server cert doesn’t match what it has cached, which just shows as a timeout in ClearPass. The trend graph using Splunk gave a pretty cool visual of what happened when I made that change, and how it diminished as people figured out they weren’t connecting, drilled in, and accepted the cert. Blue arrow is when I made the change.”

API Explorer

What about talking to ClearPass from another application?

We use the RESTful APIs.

Example profiles:

So, how do we know how to use the APIs?

You can actually try it out in the browser itself by using the API explorer.

The API explorer shows you all the functions that are available:

Let’s take a look at the Guest method under Guest Manager

Under Guest, we can list/add/get/update/replace and delete guests

Before we take a look at the list function, how do we authorize the API call?

Let’s take a look at how to use the list

Results of the call:

Response code and headers of the call:

How to use it in a script?
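
The slides' own script is not in this transcript. The following is an added example, not from the presenters, of authorizing with an API client and calling the Guest list function. It assumes the `/api/oauth` and `/api/guest` endpoints, a response shaped as `_embedded.items` with a `visitor_phone` field, and a placeholder hostname.

```python
import json
import ssl
import urllib.parse
import urllib.request

BASE = "https://clearpass.example.com"   # assumed hostname (placeholder)

def token_request(client_id, client_secret):
    """OAuth2 client-credentials request for a ClearPass API client."""
    body = json.dumps({"grant_type": "client_credentials",
                       "client_id": client_id,
                       "client_secret": client_secret}).encode()
    return urllib.request.Request(BASE + "/api/oauth", data=body, method="POST",
                                  headers={"Content-Type": "application/json"})

def guest_list_request(token, username=None, limit=25):
    """Guest 'list' call; the bearer token travels in a header, never in the URL."""
    query = {"limit": str(limit)}
    if username:
        query["filter"] = json.dumps({"username": username})
    url = BASE + "/api/guest?" + urllib.parse.urlencode(query)
    return urllib.request.Request(url, headers={
        "Authorization": "Bearer " + token, "Accept": "application/json"})

def send(req, timeout=10):
    """Send a request with certificate and hostname verification left on."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.load(resp)

def guest_phones(payload):
    """Keep only the fields the caller needs: username -> visitor_phone."""
    items = payload.get("_embedded", {}).get("items", [])
    return {g["username"]: g["visitor_phone"]
            for g in items if g.get("username") and g.get("visitor_phone")}

# Constructed sample response (not captured from a real server).
SAMPLE = {"_embedded": {"items": [
    {"id": 3001, "username": "visitor1@example.com", "visitor_phone": "+15555550100"},
    {"id": 3002, "username": "visitor2@example.com"}]}}

if __name__ == "__main__":
    print(guest_list_request("TOKEN", username="visitor1@example.com").full_url)
    print(guest_phones(SAMPLE))
    # Live use: token = send(token_request(cid, secret))["access_token"]
```

Give the API client an operator profile limited to the Guest calls the script needs, and keep the client secret out of the script source.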

What’s coming up next in Exchange?

Thank you

gary.jenkins@hpe.com

abhijit.das@hpe.com