Aruba ClearPass Essentials
Aruba Education Services

Aruba ClearPass Essentials Student Guide, Volume 1
February 2020
SKU: EDU-CPE-ILT-v20.11

Copyright © 2020 Aruba Networks, Inc. AirWave®, Aruba Networks®, Aruba Mobility Management System, Bluescanner, For Wireless That Works®, Mobile Edge Architecture, People Move. Networks Must Follow., RFProtect, The All Wireless Workplace Is Now Open For Business, and The Mobile Edge Company® are trademarks of Aruba Networks, Inc. All rights reserved. All other trademarks are the property of their respective owners.

Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License ("GPL"), GNU Lesser General Public License ("LGPL"), or other Open Source Licenses. The Open Source code used can be found at this site: http://www.arubanetworks.com/open_source

Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors' VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.

Warranty
This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS. Altering this device (such as painting it) voids the warranty.
SKU: EDU-CPE-ILT-v20.11, February 2020
Rev 20.11 © Copyright 2020 Hewlett Packard Enterprise Development LP | Confidential - For Training Purposes Only

Aruba ClearPass Essentials, Volume 1
Table of Contents

Module 0: Course Introduction
- Introductions
- Logistics
- Course Objectives
- Course Goals
- Agenda - Day 1
- Agenda - Day 2
- Agenda - Day 3
- Agenda - Day 4
- Agenda - Day 5
- Resources

Module 1: Introduction
- Objectives
- Overview
- Network Access Control
- Agile Network Access Security
- Identify
- Enforce
- Protect
- Aruba 360 Secure Fabric
- ClearPass Use Cases
- Unified Access
- Guest Access Solution
- BYOD Solution
- Non AAA Access
- ClearPass System
- ClearPass Policy Manager
- ClearPass Guest
- Endpoint Profiler
- ClearPass Onboard
- ClearPass OnGuard
- Insight Reporting
- ClearPass the Complete Solution
- Additional Resources
- Lab Activity
- Aruba Training Lab Dashboard
- Labs & Tasks
- Debrief - Lab 1
- Lab 1 Debrief - Remote Lab Connectivity
- Debrief - Key Points
- Summary

Module 2: Authentication, Authorization, Accounting
- Objectives
- Overview
- AAA Explained
- Fitness Club Example
- Authentication
- Account Authorization
- Second Level Authorization
- User vs Client Accountability
- Network Access Information Sources
- Question #1
- Authentication Sources
- Authentication Sources
- Internal User Database
- LDAP Servers
- LDAP Filters
- Microsoft Active Directory
- Locating The Active Directory Server
- Do You Join ClearPass to the Domain?
- Joining the Domain
- Joining the Domain
- Configuring AD as an Authentication Source
- Configuring AD as an Authentication Source
- Configuring AD as an Authentication Source
- General Tab
- General Tab - Cached Timeout
- Primary Tab
- Primary Tab - Search Bind DN
- Primary vs Backup Servers
- Primary vs Backup Servers
- Primary Only With DNS Round Robin
- Attributes Tab
- LDAP Filter Configuration
- Question #2
- Question #3
- Lab Activity
- Labs & Tasks
- Debrief - Lab 2
- 2.1 Debrief - Task 1
- 2.1 Debrief - Task 1
- 2.2 Debrief - Task 2
- 2.3 Debrief - Task 3
- 2.4 Debrief - Task 4
- 2.5 Debrief - Task 5
- Summary

Module 3: External Devices
- Objectives
- Overview
- Network Access Devices
- Network Access Device
- Adding a New Network Access Device
- Network Device Groups
- Network Device Groups
- Network Device Attributes
- Adding Network Device Attributes
- RadSec
- Configuring RadSec
- Question #1
- Messaging Servers
- Messaging Servers
- Configuring Email Relay
- SMS Gateways
- External Context Servers
- Security Exchange Partners
- Help Desk
- EMM or MDM Server Interaction
- Any HTTP API
- ClearPass Exchange Recipes
- Question #2
- Lab Activity
- Labs & Tasks
- Debrief - Lab 3
- 3.1 Debrief - Task 1
- 3.2 Debrief - Task 2
- 3.3 Debrief - Task 3
- 3.3 Debrief - Task 4
- Summary

Module 4: Endpoint Profiling
- Objectives
- Overview
- Introduction to Profiling Endpoints
- Why Profile Endpoints?
- IoT Devices
- Consider the Fingerprints
- Order of Importance
- ClearPass Fingerprints Dictionary
- Create New Fingerprints
- Question #1
- Question #2
- Profiling Collectors
- Fingerprint Collectors
- DHCP Fingerprints
- HTTP User Agents
- HTTP User Agents
- HTTP User Agents
- Cisco Device Sensor
- TCP Fingerprints
- Active Collectors
- 3rd Party MDM
- Question #3 - Match Column 1 with Column 2
- Lab Activity
- Labs & Tasks
- Debrief - Lab 4
- 4.1 Debrief - Task 1
- 4.2 Debrief - Task 2
- 4.3 Debrief - Task 3
- 4.4 Debrief - Task 4
- Summary

Module 5: Roles & Enforcement
- Objectives
- Overview
- Services
- What is a Service Request?
- Stages of Service Processing
- Services Interface
- Enforcement
- What is Enforcement
- Enforcement Policies
- Enforcement Profiles
- Enforcement Logic
- Enforcement Logic
- Enforcement Policies
- Inputs to Enforcement
- Inputs to Enforcement
- Dynamic RADIUS Authorization
- Adding the Profiler to the Service
- Configure the Profiler Action
- Endpoint's Repository: Conflict Attribute
- IsProfiled vs Not EXIST
- Enforcement Based on Changes in Profile Data
- Question #1
- ClearPass Roles
- Roles Are a Descriptive Tag
- Why Use ClearPass Roles?
- Enforcement without Roles
- Enforcement with Role Mappings
- Roles in Service Process
- Defining Roles
- Role Mapping Rules
- Role Mapping Rules - Policy Tab
- Role Mapping Rules - Mapping Rules Tab
- Question #2
- Lab Activity
- Labs & Tasks
- Debrief - Lab 5
- 5.1 Debrief - Task 1
- 5.2 Debrief - Task 2
- 5.3-4 Debrief - Task 3 and 4
- 5. Debrief - Task 5-6
- Summary

Module 6: Configuring Services
- Objectives
- Overview
- Service Selection Rules
- Service Selection Rules
- Service Selection - Types Of Services
- Service Selection - List Order
- Service Selection - List Order
- Service Selection Rules
- Service Selection Rules Structure
- Common Service Selection Attributes
- Question #1
- Question #2
- Creating Services
- Three Ways to Create a Service
- Service Templates
- Service Full Wizards
- Building a New Service
- The Service Tab
- Add More Options
- Add Service Selection Rules
- Authentication
- Authorization
- Roles
- Enforcement
- Cached Results
- Cached Roles and Policies
- Question #5
- Question #6
- Lab Activity
- Labs & Tasks
- Debrief - Lab 6
- 6.1 Debrief - Task 1
- 6.2 Debrief - Task 2
- 6. Debrief - Task 3-4
- Summary

Module 7: Configuring Web Services
- Objectives
- Overview
- Content Manager
- Upload Images and Content
- Upload Images and Content
- Preview Files
- Skins
- Skins - Simple Templates
- Skins Plugins Enabled
- Skins Galleria
- Skins Galleria
- Skin Customization
- Galleria Background
- Galleria Example
- Question #1
- Webpage Editor
- ClearPass Guest Web Services
- Uses for Web Services
- Content Manager
- Types Of Web Pages
- Editing Pages
- Creating a Web Page
- Page Name and URL
- Applying a Skin
- Modifying Text - Simple HTML
- Inserting Content - Uploaded Images
- Previewing your Page
- Question #2
- Lab Activity
- Labs & Tasks
- Debrief - Lab 7
- 7.1 Debrief - Task 1
- 7.2 Debrief - Task 2
- 7.3 Debrief - Task 3
- Summary

Module 8: Guest Authentication
- Objectives
- Overview
- Captive Portal Process
- Guest Access Options
- The Captive Portal Process
- Captive Portal User Role
- The Web Login Page
- Web-Login Pre-Auth Check
- Post to NAD
- Credentials Post Process
- Question #1
- Web Logins
- Add a Web Login
- Name vs Page Name
- Vendor Settings, securelogin.arubanetworks.com
- New HTTPS Certificate
- Wildcard Certificates on Controllers
- Configure Pre-Auth Check
- Look and Feel
- Question #2
- Question #3
- Guest Accounts
- Guest Account Management
- Create New Guest Account
- Create Multiple Option
- Guest Account Creation Options
- Managing Guest Accounts
- Guest Access with MAC Authentication
- The Concern With Captive Portal
- The Better Solution
- The MAC Cache Process
- Update Endpoint Known
- Authentication Timeline
- Guest Authentication with MAC Cache Service Template (six slides)
- Allow All MAC AUTH
- Question #4
- Lab Activity
- Labs & Tasks
- Debrief - Lab 8A
- 8A.1 Debrief - Task 1
- 8A.2 Debrief - Task 2
- 8A.3 Debrief - Task 3
- 8A.4 Debrief - Task 4
- 8A.5 Debrief - Task 5
- Debrief - Lab 8B
- 8B.1 Debrief - Task 1
- 8B.2 Debrief - Task 2
- 8B.3 Debrief - Task 3
- Summary

Module 9: Guest Access Self-Registration
- Objectives
- Overview
- Self-Registration Experience
- Basic Guest Access
- Guest Access with Self-Registration
- Self-Registration Page Customization
- Guest User Experience with Self-Registration
- Question #1
- Configuring Self-Registration
- Self-Registration Editor
- Editing Look and Feel
- Editing Look and Feel
- Modifying the Form
- Editing a Form Field
- Adding Non-Standard Fields
- Adding Standard Fields
- Adding Standard Fields
- Form Field Types
- Question #2
- Self-Registration Process
- Guest Access Flow
- NAS Vendor Settings
- NAS Vendor Settings
- Guest Sponsorship
- Adding Sponsor Confirmation
- Adding Sponsor Confirmation
- Some Options for Sponsor
- User Login With Sponsor Confirmation
- Question #3
- Lab Activity
- Labs & Tasks
- Debrief - Lab 9
- 9.1 Debrief - Task 1
- 9.2 Debrief - Task 2
- 9.3 Debrief - Task 3
- Summary

Module 10: Wired Authentication
- Objectives
- Overview
- Wired Access
- Port Access Security
- Dynamic VLAN Assignment
- Access Control Lists
- Dynamic Segmentation
- Question #1
- Wired Enforcement
- Enforcement Profiles
- VSA Access Control
- RADIUS IETF Attributes
- Downloadable Access Control
- SNMP Enforcement
- Wired Services
- Question #2
- Profiling on Wired Ports
- Profiling 802.1X Ports, VLAN Changes
- Non-AAA Ports
- Challenges of MAC Authentication
- Question #3
- Lab Activity
- Labs & Tasks
- Debrief - Lab 10
- 10.1 Debrief - Task 1
- 10.2 Debrief - Task 2
- 10.3 Debrief - Task 3
- 10.4 Debrief - Task 4
- Summary


Aruba ClearPass Essentials Rev 20.11
Module 0: Course Introduction

Introductions

Logistics
- Breaks
- Lunch
- Restrooms
Course Objectives
- Be familiar with ClearPass
- Define and gather relevant information to support the decision process in ClearPass
- Configure guest network access
- Understand and configure all of the modules included in ClearPass
- Learn to troubleshoot network and client access using the tools provided in ClearPass
- Configure a highly available and secure cluster of multiple ClearPass servers
- Configure Reports, Alerts and Watchlist in ClearPass

This course guides you through the design and deployment of a secure ClearPass network access solution. You will learn how to gather the information required for the decision-making process in ClearPass. You will also be guided through the logical process of implementing organizational requirements.

Course Goals
After completing this class you will:
- Be able to implement a ClearPass network access solution
- Be able to design and implement effective services and enforcement in ClearPass
- Effectively troubleshoot a ClearPass solution

Upon completion of this class, you will be able to design and implement ClearPass.

Agenda - Day 1

Agenda - Day 2

Agenda - Day 3

Agenda - Day 4
Agenda - Day 5

Resources
- Validated Reference Design (VRD) Guides - community.arubanetworks.com (Validated Reference Designs)
- Aruba Support - http://support.arubanetworks.com/
- Airheads - http://community.arubanetworks.com/
- Aruba Solution Exchange - http://ase.arubanetworks.com


Aruba ClearPass Essentials Rev 20.11
Module 1: Introduction

Objectives
- Be familiar with ClearPass and its basic functionality
- Introduce use cases for ClearPass deployments
- Understand how ClearPass integrates with other products to form the 360 Secure Fabric

On completion of this module you should be familiar with the basic functionality of ClearPass. You should understand where ClearPass fits in the security deployment. You will also gain an understanding of the 360 Secure Fabric from Aruba Networks.

Overview
Network Access Control has become a hot topic in most IT departments today. You need tools that will help you manage secure network access, BYOD environments and guest access. With the rise of personal devices and IoT on your networks, your job has become more challenging. ClearPass is the tool that can help you manage all of that.

As you go through the first section you will be challenged to change the way you think about network access, from a rigid approach to a more agile response. The second section will expose you to some of the ways that you can deploy ClearPass in your networks.
Finally, you will go over a brief discussion of each of the modules that make up the entire ClearPass system.

Network Access Control

Agile Network Access Security
Not too many years ago the term "agile" was applied to project management to describe a project with a firm objective but reactive methods. Today the term "agile" can be applied to network security. The objective is to provide seamless and yet secure access to network-based resources while also being reactive to new expectations brought onto your network.

Today, with the emphasis on BYOD and IoT, network clients are evolving at an unprecedented rate. This means the security landscape of your networks is changing at an unprecedented rate. ClearPass is an integral part of the Aruba 360 Secure Fabric that allows you to build a truly agile network security model.

Identify
- Client devices (desktops, media servers, smart devices, IoT, laptops)
- Users
- Location (for example, internet only or campus location)

You cannot control what you don't know. As a network administrator you must know what devices are on your network, who brought them to the network, and where they are joining the network.
The identify phase of network access control gathers information about the user, the client device and the location from which they are accessing the network.

Enforce
- Access Internet Only
- Access To Internal Servers
- Access DVR Only

You must enforce a proper client access policy based on consistent and predictable user and device access rules. Your organization needs to be prepared to control any number of devices that may be brought onto your network. Proper security no longer revolves around simply identifying the user and either granting or denying access based on the user identity. Each device type, user and location combination is an individual decision.

Mobility and IoT have changed the way people think about network access. In the past you would build strong perimeters and rely on security measures on your servers and resources to protect the inside. Today, many of the devices you host on your network are not accessing those resources. Instead, they are directed to the internet and don't need to access internal resources. This forces you to implement security at the access control layer on the inside of your network. You must take control of all aspects of your clients' behavior and access profile. On top of that, you cannot treat all clients the same. By implementing a sound network access control policy, enforced by ClearPass, you can take control of your network.

Protect
Remove or quarantine and notify the administrator if:
- A desktop is not compliant with security rules (anti-virus disabled)
- A laptop is impersonating a camera
- A BYOD device is exceeding its download capacity limit
- An IoT device is accessing a network it should not

Dynamic policy controls are the key to a proper network protection scheme.
Being able to react to changes in a user's behavior, impose proper restrictions on network activities and take corrective action must be part of your network access control strategy. Simply controlling access is not enough in today's agile networks. You must have a protection policy in place.

Aruba 360 Secure Fabric
ClearPass is a key component of the Aruba 360 Secure Fabric. Aruba 360 provides a complete security solution that is adaptable, agile, and robust by opening up the 360 Security Exchange to third-party security providers (such as Palo Alto firewalls) and integrating Aruba Networks security products (ClearPass) with the Aruba Secure Core (controllers and switches).

Image taken from Aruba Pulse: Aruba360 Secure Fabric video, published September 18, 2017, on the Aruba Networks YouTube channel.

ClearPass Use Cases

Unified Access
ClearPass gives you a centralized location to manage all of your access policies. You no longer need to configure access roles on the edge devices, regardless of device type. Whether it is a wired or wireless network, remote access through VPN, or workers that move between sites, ClearPass keeps your access policies unified and in effect.

Guest Access Solution
Do you need a scalable guest access solution, one that's intuitive for your users to use and easy for you to maintain? ClearPass provides a complete guest access solution.
ClearPass Guest has the tools to build and manage impressive guest access solutions for a variety of deployments. For example, a small company just hosting guests for convenience, or a conference center handling a huge number of guests all at once.

BYOD Solution
ClearPass offers a highly scalable, very configurable BYOD solution. Using the security of TLS certificates and the convenience of an intuitive onboard portal, you can make your users' personal device access simple to manage while still providing security at the highest level. The best part of this is that it maintains audit capability: each device is associated with the user that configured it onto the network.

Non AAA Access
For both wired and wireless networks, IoT is a challenge. Your networks are hosting multiple devices which have no ability to perform true authentication. This means you have to grant the device access and leverage the ClearPass profiler to ensure that the devices are what they're expected to be.

On today's network you will find everything from vending machines in the break room to industrial devices in manufacturing that need access to control systems or remote portals. Granting these devices open access is a dangerous option.
ClearPass System

ClearPass Policy Manager
- Powerful context-based policy engine
- Role/device-based network access enforcement
- Enforcement and visibility for wired, wireless and VPN
- Supports multiple authentication sources
- Advanced authorization capability
- Integrates with third-party security providers

The ClearPass Policy Manager is the core of the system. It houses the policy engine and all of the databases. The Policy Manager was designed to be network agnostic, meaning that it supports wired, wireless and VPN network access. Through the Policy Manager's interaction with the data the modules gather, ClearPass can do multiple levels of client authorization. One of the Policy Manager's most versatile and powerful features is its ability to integrate with external systems through APIs or HTTP/REST calls. These external systems add rich context to your authentication logic.

ClearPass Guest
- Built-in web services
- Captive portal logon
- Self-registration of guest accounts
- Configurable operator profiles
- Customizable branding
- Social logins
- Hotspot Manager for commercial use

ClearPass Guest is integrated into the Policy Manager core and is built around a robust web services engine. ClearPass Guest contains a very versatile web content management system. This allows you to build custom and semi-custom web pages, captive portals, and login pages to present to your guests.

Endpoint Profiler
- Automatic endpoint classification
- Multiple levels of device discovery
- Passive profiling does not disrupt the network
- Active profiling for static networks
- Can provide insight into what devices reside on your network

The Endpoint Profiler is another module built into ClearPass Policy Manager. The Profiler's job is to gather contextual information about any device on your network. You can use this information for reporting, or you can build it into your access control logic.

The Profiler can profile endpoints passively, meaning that ClearPass just monitors client data as it flows on the network and gathers endpoint context from the data. ClearPass also has multiple active profiling tools that allow you to scan static or inactive networks.

ClearPass Onboard
- Automated provisioning for most devices
- Support for Windows, macOS, iOS, Android, Chromebook and Ubuntu
- Unique device identity authentication
- ActiveSync and Windows application support

ClearPass Onboard is the easiest way to support a BYOD environment. Based on its own internal Certificate Authority, Onboard provides an intuitive and easy-to-use portal for your users to securely configure their devices on your network. To enforce the concept that every device should be granted access on its own unique merits, ClearPass Onboard assigns a unique identity to each device that goes through the Onboard process. For auditing capabilities, this identity includes information about the client device as well as the user that put the device on the network.

Onboard is an extra licensed module in ClearPass.
ClearPass OnGuard
- Endpoint health checks
- Configurable validation policies
- Permanent and dissolvable health check agents
- Supports Windows, macOS, Linux
- Health validation for wired, wireless and VPN clients

Posture checks and client system health validation are necessary for most networks. Using an agent, either deployed through a web browser to the client or installed as a permanent software applet, ClearPass OnGuard can provide security status validation on your wired, wireless and VPN networks. OnGuard makes it easy to enforce the organization's device compliance policies.

OnGuard is an extra licensed module in ClearPass.

Insight Reporting
- Customizable reports
- Easy-to-use dashboard reporting
- Easy-to-use templates
- Provides information about all ClearPass modules
- Granular alerts
- Watch list

The ClearPass Insight reporting tool is integrated into the Policy Manager and provides multiple customized reports, including a quick and easy dashboard that is customizable for each user. The Insight reporting tool includes easy-to-configure templates and provides in-depth information about each of the modules. You can also configure alerts in Insight.

ClearPass the Complete Solution
ClearPass provides a complete network access solution in one box, in one place.
Additional Resources
support.arubanetworks.com

You can find additional ClearPass resources on the Aruba support center. You can check for Tech Notes and user guides. There is also lots of information in the Airheads Community as well as the Aruba Solutions Exchange.

Lab Activity
Remote Labs Connectivity

Aruba Training Lab Dashboard
Lab Inventory
- 2 ClearPass servers: ClearPass 1, ClearPass 2
- 2 virtual desktops: Wired Mgmt VLT2, Wireless Client VLT1
- Network infrastructure: Aruba 7030 MC, Table Switch, Aruba CAP
- Data center support: Windows Server (AD/DHCP/DNS), Email Server, MobileIron MDM

The Aruba Training Lab Dashboard provides all of the connectivity tools required to execute the labs in this course, as well as all of your IP addresses.

Your lab inventory contains two ClearPass servers: ClearPass 1 is your primary server, which you will use in most of the labs. ClearPass 2 is used for the clustering lab only.

You have two virtual desktops that you will use for different functions. Wired Mgmt VLT2 is your primary desktop. You will use this desktop to connect to all of the web user interfaces in the lab. You will use Wireless Client VLT1 as your test client for wired and wireless connectivity.

Your network infrastructure includes the Aruba controller with an Access Point (AP) and an ArubaOS switch. You have both console access and web user interface access to the controller and table switch.
However, you have only console access to the AP. You have no access to the AP switch or the class switch.

The data center support infrastructure includes a Windows server that is configured for Active Directory, DHCP services and DNS. There is also an email server for sending notifications and a MobileIron MDM server. You have limited access to these devices, with no administrative access.

Labs & Tasks
https://arubatraininglab.com/login
- 1.1 - Training Lab Access: Log in to the Aruba Training Lab portal
- 1.2 - Aruba Training Lab Interface: Explore the Dashboard; open the dashboard menus
- 1.3 - Testing Connectivity: Open the VLT desktops; connect to the web user interface on ClearPass; open a console for the Aruba 7030 MC and Table Switch; test administrative credentials

There are three parts to the activity. First, you will connect to the Aruba Training Lab portal and log in with the credentials you've been assigned. Next, you'll explore the Aruba Training Lab Dashboard interface. Lastly, you'll connect to and log in to all of your devices to test connectivity.

Debrief - Lab 1
Remote Labs Connectivity

Lab 1 Debrief - Remote Lab Connectivity
In this lab you connected to the Remote Lab Dashboard and logged in with your credentials. You also tested access to each of your components in the lab. If any of those failed, please inform your instructor. If you are taking the course remotely, please notify the self-paced contact and lab support team.
Debrief - Key Points
- You should now be familiar with the tools and equipment available to you in the remote lab.

You should now be familiar with the tools the Aruba Training Lab environment provides you.

Summary
Congratulations! You now have a clear overview of ClearPass functions and what it provides you for network security.


Aruba ClearPass Essentials Rev 20.11
Module 2: Authentication, Authorization, Accounting

Objectives
- To understand the process of Authentication, Authorization, and Accounting
- To configure authentication sources in ClearPass
- To configure and customize ClearPass interaction with Microsoft Active Directory

This module will help you gain a deeper understanding of the AAA process. You will be able to configure authentication sources that ClearPass can use to validate clients' credentials. Finally, you will be able to configure ClearPass to interact with Microsoft Active Directory.

Overview
The authentication process defines every aspect of network access control. Therefore, having a process that you can trust and rely on is essential for network security. ClearPass provides a simple and effective means of incorporating versatile access processes into reliable services to provide a secure network.

First, you'll learn how to explain the AAA process and how to take control of network access.
Next, you'll learn how to configure authentication sources for ClearPass to use in services. When you have a better grasp of these skills you can lay the proper foundation for a secure network.

AAA Explained

Fitness Club Example
Account Details / Account Credentials
Member 1: Membership Type = Cardio and Tanning; Allowed Location = 4th Street Club; Account Status = Active
Member 2: Membership Type = Racquet and Yoga; Allowed Location = Any Club; Account Status = Active

Have you ever thought about examples of the network access model in the real world? In this example you will find it is like membership access to a health and fitness club. When you join the club, member services will create a membership account in the database. The account describes your relationship to the fitness club and contains information relevant to the account type you purchased as well as the account status. Next, the club will give you a membership card to serve as your credentials for accessing the club. The card can be verified and provides a reference to your account for the status and details of your membership.

Authentication
(Slide: request access, verify credentials, check account status, grant or deny)

Gaining access to the fitness club is very similar to gaining access to the network. When you go to use the fitness club you will have to request access; this could be as simple as walking through the front door. If the club has security in place, you may need to use your scan card for access at the door, or you may need to sign in at the front desk.
The access control mechanism will read your credentials and reference your account. Based on the status of your account details, the system will either grant or deny you access to the club. This represents a basic authentication cycle, where the client requests access, the network queries for credentials and then verifies these credentials, validating the client's account status. The goal of authentication is to establish the relationship between the credentials being submitted and an account representing the client. Functionally, authentication validates the client's credentials and validates the status of the client's account. It could be as simple as the client presenting a valid username and matching password that is mapped to a valid account.

Account Authorization
Membership Type = Cardio and Tanning; Allowed Location = 4th Street Club; Account Status = Active

Authentication focuses on the validity of your account and the credentials presented. In most cases a simple view of the user is not enough to ensure proper access control. Consider the member who signed up for a Cardio and Tanning membership at the 4th Street club location only. All of these descriptive details are part of the member's account. What would happen if the member tried to play tennis or access the 2nd Ave club? If the system could read the member's account details, it would know to deny access based on the account information. Based on information stored in your account, the system can tell what locations you are allowed to access and refuse to unlock the door if you are not allowed to use the facility. This is all based on two things. First, you have a valid account with valid credentials: authentication completed successfully.
Second, your account has the correct attributes to support the type of access you're requesting. This same process applies to your network. ClearPass can implement logic to control which user account details are important to specific sections or locations in the network. Based on the attributes attached to the user's account, ClearPass can make intelligent access decisions, ensuring that only users who need access to the resource are granted access.

Second Level Authorization
Member: Racquet and Yoga; Allowed Location = Any Club; Account Status = Active
Racquet Court Access Requirements (no supporting data in the account attributes): inspect the member's racquet; make sure she has proper glasses; check the member's shoes (non-marking, high traction).

In many situations there are conditional rules that need to be enforced for safe access to the resource. For example, to play racquetball you need a racquet in good condition, safety glasses and non-marking shoes. This physical, descriptive information is not part of the user's account attributes and will change depending on the situation. Even though this information is not in the member's account details, it is a consideration for proper access. This extra data must be gathered from other authorization sources. In this example, the court attendant inspects the member's gear before granting access. What if a member showed up at the racquetball court requesting access while wearing jeans and boots and carrying a guitar? You would probably assume that he's here to play, but not here to play racquetball. Today, users expect to be able to bring any personally owned device onto the organization's network. However, the organization's policy may or may not allow them access to the network. Proper access control requires that you enforce the organization's rules.
In reality, not every client device that presents proper credentials and has the correct account details needs to have access to the resource. Second level authorization requires that the client device be inspected somehow. This could be profile information yielding context about the device type and operating system. It can also be information from applications such as OnGuard, where an agent reports on the client's health and security status.

User vs Client

Who is the true consumer of your network resources? Is it the user, or is it the device? Simple authentication deals with users. In your network, a user is simply the account in the authentication source. The user will always have some form of credentials and some details in the system to describe it. What about the actual hardware accessing the network? The device may belong to a user who is ultimately responsible for it, or it may be associated with its own identity, such as its MAC address or profile context. In your network you are controlling the client, which is a combination of both the user and the device. The client is the true consumer of network resources. If a single user account is associated with two devices, is it good security practice to treat both devices the same? No: consider all of the potential device types a user could bring onto your network. These include laptops, smartphones or tablets, or even entertainment systems like game consoles and wireless speakers. If your access focus is strictly the user, how do you stop a user from putting any device they wish onto the network? You can't. Therefore, on your network you will grant access to clients.

Accountability
(Slide: Safe Behavior)

Now consider what happens when the member gains access to the club and court.
You've confirmed that they have a valid account and access permissions, and they also meet the physical requirements for the court. Now what remains? Making the members accountable for their activity on the court. While the members use the court, the attendant monitors their behavior to determine if they are keeping within the fitness club's rules of conduct. The attendant keeps account of how long the members have access to the court and whether they are playing in a safe manner. In your network, this process starts with RADIUS accounting, but may include other accountability and compliance metrics as well.

Network Access
Authentication: User/Password, TLS certificate, Smart Card
Authorization: Group Membership, Department, Location, Security Compliance, Verification of Device Type, Health Checks
Accounting: Start/Stop Accounting, Interim Accounting, Ongoing Health Checks

All of the functionality in the health club example exists on your network. When the user joins the organization they are given an account that has details about their relationship to the organization. They are also issued some form of credentials that reference back to their account. During authentication, ClearPass checks the user's credentials for validity. Next, ClearPass authorizes the user's account details and client device. ClearPass may grant or deny access based on a complete picture of the client. If ClearPass gives the client access to the network, the system will continue to monitor the client's activity.
This is done through start/stop and interim accounting messages and ongoing compliance checks. By leveraging all of the available information and implementing sound access rules, ClearPass becomes a complete access control system.

Information Sources
Authentication Sources: RADIUS Servers, User Database, Active Directory
Other sources feeding Policy Management: Inventory Database, Endpoint Compliance, EMM / MDM Servers, UEBA Security Systems

ClearPass can make decisions based on a lot of different metrics. There are multiple information sources that can feed into the access decision process. The key is that ClearPass must gather these metrics. Authentication sources contain information related to the client or user accounts and the credentials. Authentication sources include user databases or directory services. Authorization sources provide information about the user account or client device. Often the authorization source can be the authentication source as well, which is the case with Active Directory (AD). An account stored in AD will provide credential validation plus account attributes to aid in identification and enforcement. ClearPass services can provide rich context about the client, including the Endpoint Profiler, OnGuard, Onboard and Guest Services. External context servers, such as Enterprise Mobility Managers and Aruba Activate, can provide device validation which informs ClearPass when a device has been compromised.

Question #1
Which of the following does the authentication process validate?
- The client's identity
- The client's account status
- The client's credentials
- The client's hardware type
- The client's security status
The authentication process starts by checking to make sure that the user exists in the system. Next, it checks that the account is enabled and valid and that the credentials presented match the correct credentials required for the account. The client's hardware type is device profile. The client's security status can be validated through a health check. Neither of these is authentication, because they fall in the realm of authorization.

Authentication Sources
Internal Database; LDAP Servers; Active Directory Servers; SQL Servers; Single Sign On; Token Servers

ClearPass uses authentication sources to validate the user's identity and credentials. The most basic authentication source is the internal database, which should be avoided unless it is a last resort. You may use it for a very small installation if necessary. LDAP servers, and specifically Active Directory servers, provide easy tools for managing accounts as well as rich context about the user. ClearPass also supports SQL servers, single sign-on situations, and token servers, giving ClearPass great versatility in authenticating users.

Internal User Database

The Internal Database is a convenient user database that allows you to create user identities on the ClearPass cluster. This is very useful for small, non-dynamic organizations.
However, it does lack the robust tools required to easily maintain a large number of users, and the account details it provides are limited.

LDAP Servers: Lightweight Directory Access Protocol

Lightweight Directory Access Protocol (LDAP) is a structured way to store and access data. In a generic format, this data can be anything. However, in relation to ClearPass you can use the LDAP structure for authentication and to store data relevant to network clients. The most recognizable LDAP feature is the directory tree structure, which provides organization to the data stored. LDAP systems use a defined multilevel directory structure to organize lower-level entities like users. Each entity gets a portion of its identifying attributes from its location or membership in the directory tree. There may also be optional attributes about the entity stored in the form of key/value pairs. The LDAP administrator assigns attributes to user entries, which can provide extra context and help ClearPass make access decisions about the clients. Entries are typed by objectClass (kinds of identity such as user or computer) and are organized into the Directory Information Tree (DIT), which mirrors the domain structure. You can use LDAP in two main areas. First, LDAP can store identity information about a user account and provide methods to confirm the identity. This is classic authentication. LDAP
can also store descriptive information about a client device, which can provide context for authorization. When connecting ClearPass to an LDAP directory server you will need to configure settings and filters to instruct ClearPass how to process and ingest entity attributes.

LDAP Filters

When configuring an LDAP authentication source in ClearPass you will need to configure filters to instruct ClearPass on how to read the attributes from the LDAP server. LDAP filters will be different for each LDAP server deployment.

Microsoft Active Directory

Microsoft Active Directory is a very widely deployed and documented LDAP directory service. Because of its popularity and wide use, the LDAP filters for Active Directory are prebuilt into ClearPass. This makes Microsoft AD very easy to support. ClearPass does have the ability to edit the filters to draw in and evaluate any of the Active Directory attributes stored in the directory structure.

Locating The Active Directory Server
How will ClearPass find its closest AD server?
- Small environment: use a static list. Add each AD server by hostname; ClearPass works through the list, with a timeout for each failed server.
- Large organization: use DNS. Add the base domain name as the server name; DNS returns the closest server; use DNS round robin for failover.

When using Active Directory as an authentication source, you must consider how ClearPass will locate the AD server. The first option is to build a static list of the AD servers by hostname.
ClearPass will attempt to contact the first server in the list; if it times out, it will attempt the second on the list and continue to advance through the list until it is exhausted. This can become quite cumbersome with multi-server or multi-site environments. For a large organization the better solution is to list the domain as the authentication source, e.g. "company.domain.com", instead of the hostname of an individual server, e.g. "dc1.company.domain.com". You will also have to configure the DNS server to return either the local AD server or a round robin of all servers. In this manner you will get natural failover if a server is not available.

Do You Join ClearPass to the Domain?
- EAP-PEAP with MSCHAPv2 (username and password): join the domain
- EAP-TLS (certificates): joining is not required

ClearPass has the ability to join the AD domain as a server/computer account. Joining the domain helps ClearPass navigate the directory tree for searches. However, ClearPass does not always need to join the domain. In general it is best practice not to join ClearPass to the domain when you're using TLS certificates for all authentications, because the certificate contains the context ClearPass needs to search the directory tree. However, when users are authenticated with usernames and passwords, you'll need to join ClearPass to the domain. With a multi-domain forest you will join ClearPass to the root domain.

Joining the Domain
- Sync time with the AD server
- Administrator account
- Always join on the closest AD server
- Join all ClearPass servers to the domain

There are a few things you will need when joining the domain with ClearPass. First, make sure the system clocks are in sync; Active Directory will only allow a five minute clock skew.
It is best practice to sync ClearPass and the AD domain to the same time source. Second, you will need an administrator account and credentials with rights to join the domain. When considering which Active Directory servers to use for the join, Aruba recommends that you use the AD server closest on the network to the ClearPass server you're joining. ClearPass is Active Directory site aware and can assist you in finding the closest domain controller. Finally, you'll need to join each of the ClearPass servers that will send authentication requests to AD individually.

Joining the Domain
Enter the FQDN of the domain controller and the short (NetBIOS) name for the domain.
Domain Controller: DC1.corp.mydomain.com
NetBIOS Name:
In case of a controller name conflict: Use specified Domain Controller / Use Domain Controller returned by DNS query / Fail on conflict
Use default domain admin user
Username / Password

To join the domain, navigate to Administration > Server Manager > Server Configuration and select the desired ClearPass server from the list. Next, scroll down to the bottom of the System page and select "Join AD Domain". In the popup window fill in the Domain Controller name and the admin user and password, then select Save. Note: if you attempt to join via an Active Directory server and ClearPass detects there is a closer AD server, ClearPass will warn you and give you the option to "find domain controller".

Configuring AD as an Authentication Source
(Screenshot: Configuration > Authentication > Sources in ClearPass Policy Manager, listing the existing authentication sources)
For ClearPass to use any external authentication source, like an Active Directory server, you will need to add it in Authentication Sources under Configuration.

Configuring AD as an Authentication Source

When you select "Add" to configure a new authentication source you will need to give the source a name and then select "Active Directory" for the Type. ClearPass has a pre-built "Active Directory" type; simply select it from the drop-down list.

Configuring AD as an Authentication Source

After you select the "Active Directory" type the system will pull up two new tabs: "Primary", to configure ClearPass's connection to the AD server, and "Attributes", to configure the descriptive attributes you want to filter from the entity information in the directory data store.

General Tab
(Screenshot: Authentication Sources, General tab, with "Use for Authorization: Enable to use this Authentication Source to also fetch role mapping attributes")

On the General tab you may want to consider the "Server Timeout" and "Cache Timeout" settings. The server timeout sets the length of time that ClearPass will attempt to contact the primary server before switching to a backup (if one is specified).
Shortening the timeout will make failover more responsive in a well-connected network. However, it is best practice not to exceed 15 seconds, as a longer value may interfere with the client's own timeout settings: the client may give up before ClearPass has had time to contact a second AD server.

General Tab - Cache Timeout
Server Timeout: 10 seconds
Cache Timeout: 36000 seconds (Fetch Attributes cache = 10 hrs)
First Authentication: Validate Credentials, Fetch Attributes
Second Authentication (within the cache period): Validate Credentials, Use Cached Attributes
First Authentication after the cache expires: Validate Credentials, Fetch Attributes

The cache timeout setting tells ClearPass how often to fetch authorization attributes from the AD server. With the default of 36,000 seconds, consider what will happen when ClearPass authenticates a client for the first time. It will check the user's credentials and request the AD attributes for the account. These attributes are cached for that user account inside ClearPass and used for the next 10 hours. During that 10 hour period, any time the same user authenticates, ClearPass will always check the credentials but use the cached attributes. This can dramatically reduce the volume of traffic to and from the AD server on a busy network. The attribute cache has the effect of delaying any changes made to the user account's attributes that ClearPass uses (group membership, for example) until the cache expires or is cleared; a user removed from a privileged group can therefore keep that group's access for up to the cache period unless the cache is cleared. Credentials, however, are validated on every request, so if an account is disabled the user will always fail authentication.
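The interaction between per-request credential checks and the attribute cache is easier to see in code. The following Python model is an added example, not ClearPass code: a simulated Directory stands in for the AD server, CACHE_TIMEOUT mirrors the 36,000 second default from the slide, and the account names, group DNs and timestamps are constructed for the walk-through.

```python
"""Added example: per-request credential validation with a timed attribute cache.

A stand-in Directory replaces the AD server; CACHE_TIMEOUT mirrors the ClearPass
default of 36,000 seconds. Account data, DNs and timestamps are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

CACHE_TIMEOUT = 36000  # seconds; 10 hours, the default shown on the General tab


@dataclass
class Account:
    password: str
    enabled: bool
    attributes: Dict[str, str]


@dataclass
class Directory:
    """Simulated AD server. Counts attribute fetches so the cache's effect is visible."""
    accounts: Dict[str, Account]
    attribute_fetches: int = 0

    def validate_credentials(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        # A disabled account fails here, regardless of what is cached.
        return acct is not None and acct.enabled and acct.password == password

    def fetch_attributes(self, user: str) -> Dict[str, str]:
        self.attribute_fetches += 1
        return dict(self.accounts[user].attributes)


@dataclass
class AuthSource:
    """Credentials are validated on every request; authorization attributes are served
    from the cache until cache_timeout seconds have passed or the cache is cleared."""
    directory: Directory
    cache_timeout: int = CACHE_TIMEOUT
    _cache: Dict[str, Tuple[float, Dict[str, str]]] = field(default_factory=dict)

    def authenticate(self, user: str, password: str, now: float) -> Optional[Dict[str, str]]:
        if not self.directory.validate_credentials(user, password):
            return None  # bad password, unknown user or disabled account
        cached = self._cache.get(user)
        if cached is not None and now - cached[0] < self.cache_timeout:
            return cached[1]  # cache hit: changes made in AD are not visible yet
        attrs = self.directory.fetch_attributes(user)
        self._cache[user] = (now, attrs)
        return attrs

    def clear_cache(self) -> None:
        self._cache.clear()


def cache_demo() -> dict:
    """Walk through first, second and post-expiry authentications from the slide."""
    admins = "CN=NetAdmins,OU=Groups,DC=corp,DC=example,DC=com"
    staff = "CN=Staff,OU=Groups,DC=corp,DC=example,DC=com"
    directory = Directory({"asmith": Account("s3cret", True, {"memberOf": admins})})
    source = AuthSource(directory)
    out = {}
    out["first"] = source.authenticate("asmith", "s3cret", now=0)          # fetch #1
    out["second"] = source.authenticate("asmith", "s3cret", now=3600)      # cache hit
    out["fetches_after_second"] = directory.attribute_fetches
    # An admin moves the user out of NetAdmins; the cached group is still returned.
    directory.accounts["asmith"].attributes["memberOf"] = staff
    out["stale"] = source.authenticate("asmith", "s3cret", now=7200)["memberOf"]
    source.clear_cache()                                                   # forces fetch #2
    out["after_clear"] = source.authenticate("asmith", "s3cret", now=7300)["memberOf"]
    out["bad_password"] = source.authenticate("asmith", "wrong", now=7400)
    source.authenticate("asmith", "s3cret", now=7300 + CACHE_TIMEOUT)      # expired: fetch #3
    out["fetches_after_expiry"] = directory.attribute_fetches
    directory.accounts["asmith"].enabled = False
    out["disabled"] = source.authenticate("asmith", "s3cret", now=7500 + CACHE_TIMEOUT)
    return out
```

The "stale" step is the one to remember operationally: after a group change that removes access, clear the cache on the authentication source rather than waiting for the 10 hour expiry.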
To clear the cache, navigate to the authentication source and select the clear cache option.

Primary Tab
(Screenshot: Primary tab with Hostname, Connection Security, Port 389/636, "Verify Server Certificate: enable to verify the server certificate for a secure connection", Bind DN, Bind Password, Base DN, "Allow bind using user password", and the "Search Base DN" tool)

The Primary tab is the workspace you will use to configure the settings ClearPass needs to talk to the AD server. First you will need the AD server's hostname and the connection security type to use; prefer AD over SSL (port 636) with server certificate verification enabled so the bind credentials and directory data are not sent in the clear. Next you need an account for ClearPass to use to access the directory tree. This account needs to be a service type account and only requires read access to the directory. If the password on this account expires or the account gets locked out, ClearPass will no longer be able to access the directory, and all authentications through this source will fail. You will also want to evaluate the scope of the search that ClearPass does of the directory tree. By setting the Base DN deeper in the tree you can make the search more efficient. Select the "Search Base DN" option to open the search tool.

Primary Tab - Search Base DN
(Screenshot: Base DN set to the Engineering OU; the tree shows the Computers, Engineering, HomeUser and Infrastructure containers)

In a large directory tree structure you can have ClearPass start the search at a specific OU in the tree and search down from there. This makes the directory tree search more efficient, but you need to plan it carefully to ensure that all of the relevant accounts are exposed to ClearPass. For example, what if you have all of your users in a single OU and your computer accounts in a second OU?
When you select the user OU as the Base DN, ClearPass will not be able to use this authentication source to verify the computer accounts, as those accounts are outside the scope of the search.

Primary vs Backup Servers
(Screenshot: Authentication Sources - AD1, General tab, with "Use for Authorization: Enable to use this Authentication Source to also fetch role mapping attributes" and the backup server list)

You need to consider failover for your AD servers. One option is to list the first AD server on the Primary tab and then add the required backup servers on the General tab. By adding the primary server information first, the backup tabs will be a clone of the primary tab and you will simply need to change the hostname to the backup server.

Primary vs Backup Servers
Always use Primary first: Primary AD Server
If Primary times out, try Backup 1: Backup AD Server 1
If Primary and Backup 1 time out, try Backup 2: Backup AD Server 2

When you configure a primary server and one or more backup servers in the authentication source, ClearPass will always attempt to use the primary server first. ClearPass will only attempt to use a backup server when the connection to the primary server times out. This means that the backup servers may never get used. This configuration is advantageous because if the user's credentials fail or the primary server returns "user not found", the authentication source assumes that the account would fail on the backup servers as well and does not send them a request.
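The failover rules above (advance only on timeout, never retry a definitive answer on a backup) and the alternative of pointing the primary at a DNS round-robin name are modelled in the following Python. This is an added example, not ClearPass code: the domain controllers, the DNS record and the test account are simulated and constructed.

```python
"""Added example: failover of a primary/backup server list versus a DNS round-robin
name. Domain controllers, the DNS record and the account are simulated; not ClearPass code."""
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional


class ServerTimeout(Exception):
    """Raised when the Server Timeout expires without a reply from the DC."""


@dataclass
class Outcome:
    result: str             # "ok", "bad_credentials", "user_not_found" or "timeout"
    server: Optional[str]   # DC that produced the answer; None if every attempt timed out
    attempts: List[str]     # DCs contacted, in order


@dataclass
class DomainController:
    name: str
    accounts: Dict[str, str]   # username -> password (constructed)
    up: bool = True

    def bind(self, user: str, password: str) -> str:
        if not self.up:
            raise ServerTimeout(self.name)
        if user not in self.accounts:
            return "user_not_found"
        return "ok" if self.accounts[user] == password else "bad_credentials"


def authenticate_static_list(servers: List[DomainController], user: str, password: str) -> Outcome:
    """Primary first, then backups in order. Only a timeout moves to the next server;
    a definitive answer (ok, bad password, unknown user) ends the walk immediately."""
    attempts: List[str] = []
    for dc in servers:
        attempts.append(dc.name)
        try:
            result = dc.bind(user, password)
        except ServerTimeout:
            continue
        return Outcome(result, dc.name, attempts)
    return Outcome("timeout", None, attempts)


class RoundRobinDNS:
    """Stand-in for a DNS round-robin record: each lookup returns the next DC in turn."""

    def __init__(self, name: str, dcs: List[DomainController]) -> None:
        self.name = name
        self._cycle = itertools.cycle(dcs)

    def resolve(self, name: str) -> DomainController:
        if name != self.name:
            raise LookupError(name)
        return next(self._cycle)


def authenticate_round_robin(dns: RoundRobinDNS, domain: str, user: str, password: str) -> Outcome:
    """Primary configured as the domain name with no backup: one DNS answer per request,
    so a request that lands on a dead DC is lost rather than retried elsewhere."""
    dc = dns.resolve(domain)
    try:
        return Outcome(dc.bind(user, password), dc.name, [dc.name])
    except ServerTimeout:
        return Outcome("timeout", None, [dc.name])


def failover_demo() -> dict:
    creds = {"asmith": "s3cret"}
    dc1, dc2, dc3 = (DomainController(f"dc{i}.corp.example.com", dict(creds)) for i in (1, 2, 3))
    static = [dc1, dc2, dc3]
    out = {}
    out["healthy"] = authenticate_static_list(static, "asmith", "s3cret")
    dc1.up = False
    out["primary_down"] = authenticate_static_list(static, "asmith", "s3cret")
    dc1.up = True
    # Definitive failures are answered by the primary and never retried on the backups.
    out["bad_password"] = authenticate_static_list(static, "asmith", "wrong")
    out["unknown_user"] = authenticate_static_list(static, "nobody", "x")
    dns = RoundRobinDNS("corp.example.com", static)
    dc2.up = False
    out["round_robin"] = [authenticate_round_robin(dns, "corp.example.com", "asmith", "s3cret").result
                          for _ in range(3)]
    return out
```

The round-robin run shows the trade-off: load is spread over all three DCs, but while dc2 is down every third request times out until DNS stops handing it out, which is why a backup server is still worth configuring alongside the domain name.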
Also, in this method there is no load balancing: ClearPass always uses server 1 if it is available.

Primary Only With DNS Round Robin
Corp.Domain.Com resolves in round robin to DC1.Corp.Domain.com (Primary AD Server), DC2.Corp.Domain.Com (Backup AD Server 1) and DC3.Corp.Domain.Com (Backup AD Server 2)

In most cases, your best option is to configure the primary server with the base domain name and not a specific single server hostname. On the DNS server, you can configure round robin to cycle through the AD servers that are available. With this configuration there is a certain level of failure resistance: if one server is offline, you only lose the authentication requests that DNS directs to that specific server. You also have the option to configure a backup server to catch those requests. This method gives the added benefit of load balancing traffic across all of the available servers.

Attributes Tab
(Screenshot: Attributes tab listing the pre-built filters and the AD attributes each fetches, such as department)

When you select the "Active Directory" authentication source type, ClearPass preloads the LDAP filters for the standard objectClasses "user" and "computer" plus three other pre-built filters. The filters are set for a common block of AD attributes that many organizations use. If your organization needs different attributes from what is in the common list, it is simple to add them. Start by selecting the page icon and opening the LDAP browser.
The LDAP browser has a few useful tools that allow you to browse the directory tree, look at user attributes and modify the attribute list.

LDAP Filter Configuration
(Screenshot: LDAP browser showing a user entry's attributes, including countryCode and displayName)

The easiest way to add attributes to the AD authentication source is on the Attributes tab in the LDAP browser. From the Attributes tab you have various search tools that you can use to find the AD attribute. Simply select the attribute to add it to the list. In this example you want to add the user's attribute countryCode as part of the evaluated attributes. You can locate countryCode in the list and select it by clicking on it. This will put it in the list of attributes that ClearPass will fetch. This makes adding attributes easy. You can also use the LDAP browser as a troubleshooting tool when trying to determine why a user is getting a certain type of access.

Question #2
The Local User Database on ClearPass provides a simple way to manage users in most environments.
- True
- False

This is False: the Local User Database should only be used in limited cases where there is a small number of users and the organization is not very dynamic.

Question #3
You should join ClearPass to the AD domain only when using EAP-PEAP or MS-CHAPv2 authentication methods.
- True
- False

The correct answer is True.
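Two earlier points in this module, the LDAP filter an authentication source sends to AD and the Base DN scope set on the Primary tab, are worth seeing concretely before the lab. The following Python is an added example, not ClearPass code. It assumes the default AD user filter has the shape (&(sAMAccountName=%{Authentication:Username})(objectClass=user)) (check the Attributes tab of your own source), applies RFC 4515 escaping to the username substituted into it, and checks whether an entry's DN falls inside a configured Base DN. The DNs, hostnames and usernames are constructed.

```python
"""Added example: LDAP filter construction with RFC 4515 escaping, and a Base DN scope
check. The default filter shape is assumed; DNs and names are constructed. Not ClearPass code."""
from typing import List

# Characters that change a filter's structure if copied into it unescaped (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str) -> str:
    """Assumed shape of the default AD user filter, with %{Authentication:Username}
    already substituted by the escaped value supplied in the access request."""
    return f"(&(sAMAccountName={escape_filter_value(username)})(objectClass=user))"


def computer_filter(hostname: str) -> str:
    """Machine accounts: AD stores the sAMAccountName with a trailing '$'."""
    name = hostname if hostname.endswith("$") else hostname + "$"
    return f"(&(sAMAccountName={escape_filter_value(name)})(objectClass=computer))"


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas; lower-cased because AD
    compares these naming attributes case-insensitively."""
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip().lower() for p in parts]


def in_search_scope(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn is at or below base_dn, i.e. a subtree search from the Base DN
    configured on the Primary tab would find the entry."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def filter_demo() -> dict:
    root = "DC=corp,DC=example,DC=com"
    eng_ou = "OU=Engineering," + root
    user_dn = "CN=Alice Smith,OU=Engineering," + root
    computer_dn = "CN=ENG-LAPTOP-07,OU=Computers," + root
    return {
        "plain": user_filter("asmith"),
        # A crafted username cannot widen the match once its metacharacters are escaped.
        "injected": user_filter("asmith)(objectClass=*"),
        "computer": computer_filter("ENG-LAPTOP-07"),
        "user_in_eng_scope": in_search_scope(user_dn, eng_ou),
        "computer_in_eng_scope": in_search_scope(computer_dn, eng_ou),
        "computer_in_root_scope": in_search_scope(computer_dn, root),
    }
```

The "injected" case is why any component that substitutes a user-supplied name into a filter must treat it as data: unescaped, the extra ")(objectClass=*" would rewrite the filter. The two scope checks reproduce the Base DN pitfall from the Primary tab: with the Base DN set to the Engineering OU the user is found but the computer account in the Computers OU is not, so machine authentication through that source fails until the Base DN is raised to the domain root.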
Lab Activity: Configuring Authentication Sources

Labs & Tasks
2.1 - Explore the ClearPass user interface: Review and modify the dashboard. Navigate the sidebar menu. Use the QuickLink menu to log into different modules.
2.2-2.4 - Configure ClearPass to interface with Active Directory: Join the ClearPass server to the Active Directory domain. Configure an Active Directory Authentication Source. Select custom attributes.
2.5 - Test the Active Directory Authentication Source: Using Policy Simulator, test a valid Active Directory account. Using Policy Simulator, test a failed Active Directory account.

This lab activity is divided into three sections. In the first section you will complete a simple exploration of the interface in the ClearPass Policy Manager. During the second phase you will join ClearPass to the Active Directory domain and configure an Active Directory authentication source with custom attributes. Lastly, you'll use the policy simulation functionality in the Policy Manager to test your Active Directory authentication source.

Debrief - Lab 2: Configuring Authentication Sources

2.1 Debrief - Task 1
- The dashboard provides quick information. You can customize the dashboard with the widgets that are valuable to you.
- You can change the number of widgets that are on the dashboard.
- The Sidebar Menu gives access to all of the Policy Manager features.
- The Quick Menu in the upper right corner gives quick access to all of the ClearPass modules.

In task 1, you explored the dashboard and menus in the Policy Manager.
You can configure the dashboard for each individual administrator or operator. For convenience, once a dashboard is configured for a user, the next time you log in you'll see the same dashboard. The quick link menu in the interface's upper right corner is an easy way to switch between ClearPass modules such as ClearPass Onboard or ClearPass Insight without having to open a new browser.

2.2 Debrief - Task 2

Steps to join the Active Directory domain:
- Sync date and time
- Use the domain controller's hostname and ensure DNS is configured on ClearPass
- Administrator credentials
- Each ClearPass server must join the domain individually

Errors while joining the domain:
- ClearPass cannot resolve the NetBIOS name of the domain
- Administrator credentials fail: check to make sure you have a valid username and password
- Operation times out: during busy times for the Active Directory server
it may time out. Try again at a less busy time.

Joining the Active Directory domain is a straightforward task. First, ClearPass and the domain controller need to be on the same time. If there is greater than a five minute clock skew, this operation will fail. The administrator account needs to have the ability to join computers into the Active Directory domain. Remember that each ClearPass server must join the domain.

When troubleshooting errors in domain join operations, consider the time and whether ClearPass could find a domain controller. The ClearPass server does domain discovery based on DNS service records. If you haven't properly configured DNS, ClearPass will not be able to find the domain controller. After that it is simply a matter of making sure you have the correct admin credentials and that the domain controller is available.

2.3 Debrief - Task 3

Create an Active Directory Authentication Source (Remote Lab AD Authentication Source):
- Ensure that you have the correct server hostname
- The Bind DN account needs to have "Read Access" to the directory
- Plan your Base DN to make for efficient directory tree searches

ClearPass uses authentication sources in the service to validate user credentials. The requirements for creating an AD authentication source are similar to joining the Active Directory domain. First, you need a proper hostname and an account in the domain. In this case the Bind DN account needs to have read access rights to be able to search the Active Directory tree. Next, you can set the Base DN to make your Active Directory searches more efficient.
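The two domain-join failure causes discussed above, clock skew beyond the five-minute tolerance and a domain controller that cannot be discovered through DNS service records, as an added pre-flight check. This is example code, not ClearPass's own join logic; the SRV answer text (in dig-style format), the timestamps and the domain names are constructed, and the SRV record names are the standard _msdcs names a domain member queries.

```python
"""Pre-flight checks before joining a server to an AD domain: clock skew against
the five-minute Kerberos tolerance and domain-controller discovery from DNS SRV
records. Added example, not ClearPass code; the answer text and times are constructed."""
from datetime import datetime, timedelta, timezone
import re

MAX_SKEW = timedelta(minutes=5)   # Kerberos default clock tolerance

def dc_srv_names(domain, site=None):
    """DNS SRV names a domain member queries to locate domain controllers."""
    names = [f"_ldap._tcp.dc._msdcs.{domain}", f"_kerberos._tcp.dc._msdcs.{domain}"]
    if site:   # site-specific name is preferred when the AD site is known
        names.insert(0, f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    return names

# dig-style answer line: name TTL IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)$")

def parse_srv(answer_text):
    """Parse SRV answer lines into (name, priority, weight, port, target) tuples;
    comment lines starting with ';' are skipped, anything else must be an SRV record."""
    records = []
    for line in answer_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append((m["name"].rstrip(".").lower(), int(m["prio"]),
                        int(m["weight"]), int(m["port"]), m["target"].rstrip(".")))
    return records

def order_targets(records):
    """RFC 2782 order: lowest priority first, heavier weight first within a
    priority (deterministic here rather than weighted-random, for reproducibility)."""
    return [r[4] for r in sorted(records, key=lambda r: (r[1], -r[2], r[4]))]

def preflight(domain, local_time, dc_time, srv_answer):
    """Return (findings, ordered domain controllers); no findings means the
    time and DNS prerequisites for the join are met."""
    findings = []
    skew = abs(local_time - dc_time)
    if skew > MAX_SKEW:
        findings.append(f"clock skew {int(skew.total_seconds())}s exceeds the "
                        f"{int(MAX_SKEW.total_seconds())}s tolerance; fix NTP before joining")
    wanted = dc_srv_names(domain)[0].lower()
    dcs = order_targets(r for r in parse_srv(srv_answer) if r[0] == wanted)
    if not dcs:
        findings.append(f"no SRV records for {wanted}: a domain controller cannot be "
                        "discovered; check the DNS server and domain settings")
    return findings, dcs

# Constructed answer, as dig would print it for the _ldap._tcp.dc._msdcs name
SRV_ANSWER = """\
; constructed answer for _ldap._tcp.dc._msdcs.example.com
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 50 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 100 389 dc-backup.example.com.
"""

if __name__ == "__main__":
    now = datetime(2020, 2, 1, 12, 0, tzinfo=timezone.utc)
    print(preflight("example.com", now, now + timedelta(minutes=7), SRV_ANSWER))
```

In practice the local and domain-controller times come from NTP and the SRV answer from the DNS server ClearPass is configured to use; a skew finding means fix time synchronization first, and an empty controller list means the DNS configuration, not the credentials, is the problem.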
2.4 Debrief - Task 4

Modifying the Active Directory Filter:
- Add attributes that are relevant to your enforcement logic
- Use understandable alias names
- Consider adding the attributes as a role

The Active Directory Authentication Source uses a default set of filters to gather attributes from the Active Directory. However, as you saw in the lab, it is simple to add new attributes.

2.5 Debrief - Task 5

Policy Simulation:
- Very versatile and helpful tool
- Policy simulation can be configured for testing services and other aspects of the Policy Manager

The Policy Simulation in ClearPass Policy Manager is a versatile and functional tool that you can use to test many aspects of ClearPass services. In this lab you used the Policy Simulation to test your Active Directory Authentication Source.

Summary: Configuring Authentication

Congratulations! You should now be able to explain the process for AAA and be able to configure authentication sources, including Active Directory, for ClearPass to use in services.

Module 3: External Devices

Objectives
- Be familiar with types of devices that ClearPass can interface with.
- Configure ClearPass to accept authentication requests from network devices.

When you finish this module you will be able to explain how ClearPass interacts with external devices.
You will also be able to configure and secure your network access devices' access to ClearPass. Lastly, you will be able to configure external messaging servers and external context servers.

Overview

When implementing ClearPass in your environment, all of the network access devices will need to send requests to ClearPass for processing. As part of a proper security structure you will want to control which devices are allowed to send requests. First, you'll focus on configuring Network Access Devices in ClearPass. Next, you'll learn how to configure email servers and SMS gateways to send alerts and guest messages to clients and administrators. Lastly, you'll see how the Security Context Exchange works between ClearPass and external partners.

Network Access Devices

[Figure: Network Access Devices - access switches, stand-alone APs, users and client devices]

Network Access Devices (NAD), also called Network Access Servers (NAS), are made up of the wired access switches and the wireless infrastructure devices that clients use to access the network. NADs provide clients with access to the network while ClearPass controls the access. NADs need to know how to communicate with ClearPass to effectively send authentication requests. You also need to provision ClearPass so that it knows which NADs it is allowed to provide service to.
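What "ClearPass knows which NADs it is allowed to serve" amounts to on the wire, as an added example in the RADIUS terms the NADs use (this is illustrative code, not ClearPass's RADIUS implementation): the server looks up the request's source address in its provisioned NAD table, and the request's Message-Authenticator (RFC 3579, an HMAC-MD5 over the packet keyed with that NAD's shared secret) must verify before the request is processed at all. The NAD table, shared secrets and Access-Request packet are constructed; unknown sources and failed integrity checks are silently discarded, as RADIUS requires.

```python
"""RADIUS admission check: serve only provisioned NADs whose shared secret
verifies the request's Message-Authenticator. Added example, not ClearPass code;
the NAD table, secrets and packets are constructed."""
import hashlib, hmac, os, struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20

# Constructed NAD table: source IP -> shared secret, one entry per provisioned device
NAD_TABLE = {
    "10.0.1.10": b"switch-secret-constructed",
    "10.0.2.20": b"wlc-secret-constructed",
}

def encode_attrs(attrs):
    """TLV-encode (type, value) pairs; the length octet covers type and length too."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def build_access_request(secret, identifier, attrs, authenticator=None):
    """Build an Access-Request carrying a Message-Authenticator (RFC 3579):
    HMAC-MD5 over the whole packet with the attribute's own value zeroed."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    packet = (struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
              + authenticator + body)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac        # the zeroed placeholder is the last 16 octets

def parse_packet(packet):
    """Return (code, identifier, [(type, value, value_offset)]); ValueError on bad lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + l], pos + 2))
        pos += l
    return code, identifier, attrs

def message_authenticator_ok(packet, secret):
    """Recompute the HMAC with the attribute value zeroed and compare in constant time."""
    _, _, attrs = parse_packet(packet)
    found = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][0]) != 16:
        return False
    value, off = found[0]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)

def admit_request(src_ip, packet, nad_table=NAD_TABLE):
    """Decision a RADIUS server makes before it looks at any credentials."""
    secret = nad_table.get(src_ip)
    if secret is None:
        return ("discard", "source is not a provisioned NAD")
    try:
        code, _, _ = parse_packet(packet)
    except ValueError as e:
        return ("discard", f"malformed packet: {e}")
    if code != ACCESS_REQUEST:
        return ("discard", "not an Access-Request")
    if not message_authenticator_ok(packet, secret):
        return ("discard", "Message-Authenticator mismatch: wrong shared secret or tampering")
    return ("process", "NAD known and packet authenticated")

def sample_request(secret):
    """Constructed Access-Request for user 'alice' from NAS 10.0.1.10."""
    return build_access_request(secret, 7, [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 1, 10])),
    ], authenticator=bytes(range(16)))
```

The example requires the Message-Authenticator attribute; a request without it gives the server no way to check the shared secret until it processes a User-Password, so a mis-typed secret on the NAD shows up as authentication failures rather than as a discarded request, which is worth remembering when troubleshooting a newly added device.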
