Large scale, distributed access management deployment with Aruba ClearPass

Post on 08-Jan-2017


#ATM16

Large scale, distributed access management deployment with Aruba ClearPass

Venkatraju T V – ClearPass Engineer
Steve Eubanks – ClearPass CSE
Drew Wyskida – ClearPass CSE

March 9, 2016 @ArubaNetworks

Agenda

• ClearPass Solution
• Cluster and Zones
• Deployment Models
• Monitoring and Tuning
• Operations
• Planning a deployment

ClearPass Solution

ClearPass solution

Model                                        CP-500   CP-5K    CP-25K
Maximum devices                              500      5,000    25,000
Maximum devices in High Capacity Guest mode  1000     10,000   50,000

Modules: Policy Manager, Guest, Onboard, OnGuard

ClearPass solution: High Capacity Guest (HCG) mode

                               Normal mode                               HCG mode
Devices                        500 / 5K / 25K                            1000 / 10K / 25K
Licenses allowed               Policy Manager, Guest, OnGuard, Onboard   Guest
Cleanup intervals              Defaults                                  Reduced
Posture & audit checks         ✔️                                        ✖️
Restricted EAP methods         ➖                                        FAST, GTC, MSCHAPv2, PEAP, TLS, TTLS
Restricted service templates   ➖                                        802.1X

ClearPass Cluster and Zones

ClearPass Cluster

(Diagram) A Publisher, a Standby and Subscriber nodes. The Config database is replicated from the publisher to the other nodes, the multi-master cache is replicated between nodes, and a heartbeat between publisher and standby detects failure. Legend: C = Config database, I = Insight database, L = Session log database.

ClearPass Cluster: Insight

(Diagram) Publisher, Standby and Subscriber nodes send Insight events to the Insight Master node. Legend: C = Config database, I = Insight database.

ClearPass Cluster: Databases

Config database
  Purpose: Configuration, Provisioning, Endpoints, Profiles, Guests, Onboard certificates
  Replication: Replicated from publisher to all subscribers
  Size: 50 MB to 500 MB
  Guidance: Review Endpoint and Guest cleanup settings

Insight database
  Purpose: Cluster-wide reporting, Bandwidth checks
  Replication: Duplicated at each Insight node
  Size: 1 GB to 200+ GB
  Guidance: Review database retention settings

Session log DB
  Purpose: Access Tracker, Event Viewer
  Replication: Not replicated
  Size: 1 GB to 100 GB
  Guidance: Review cleanup settings

Multi-master cache
  Purpose: Machine authentication, Session information (CoA), Role and posture cache
  Replication: Full mesh replication within a Zone
  Size: 1 MB to 100 MB
  Guidance: Configure Zones per location

ClearPass Cluster: Intra-cluster communication

(Diagram) Publisher, Standby and Subscribers exchange NTP, PostgreSQL and HTTPS traffic.

Ports used between cluster nodes:
• UDP port 123 (NTP)
• TCP port 5432 (PostgreSQL)
• TCP port 443 (HTTPS)

Caveats:
• Releases before the latest ClearPass 6.5 release may need additional ports open
• Port 80 is used to render System Monitor data from a remote node. Can be modified using the cluster-wide parameter "Performance Monitor Rendering Port".
• Subscriber to subscriber communication is not required, as long as the subscriber will not be promoted to publisher
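The port list and the subscriber-to-subscriber caveat on this slide can be turned into a per-node-pair checklist that a firewall review or a pre-join connectivity test can work from. The Python script below is an added example written for this transcript, not Aruba code or a ClearPass feature. The node names, the "promotable" flag that models the caveat, and the five-node demo cluster are assumptions; the rendering port defaults to 80 as the slide states but is a parameter because the cluster-wide setting can change it.

```python
"""Derive the intra-cluster flows a ClearPass cluster needs and optionally test them.

Added example, not Aruba's code. It encodes the port list from the slide
(UDP 123 NTP, TCP 5432 PostgreSQL, TCP 443 HTTPS, plus the System Monitor
rendering port, 80 by default) and the caveat that subscriber-to-subscriber
flows are only needed for subscribers that may be promoted to publisher.
Node names used in the demo are constructed for the example.
"""
import socket
from dataclasses import dataclass

# Flows every node needs toward the publisher/standby (from the slide).
BASE_FLOWS = (
    ("udp", 123, "NTP"),
    ("tcp", 5432, "PostgreSQL"),
    ("tcp", 443, "HTTPS"),
)


@dataclass(frozen=True)
class Node:
    name: str
    role: str                 # "publisher", "standby" or "subscriber"
    promotable: bool = False  # assumption: may this subscriber ever be promoted?


def required_flows(nodes, monitor_port=80):
    """Return the set of (src, dst, proto, port, service) tuples that must be open.

    Rule modelled from the slide: a node pair needs the flows when either side
    is the publisher or the standby, or when either side is a subscriber that
    could later be promoted to publisher. Plain subscriber-to-subscriber pairs
    need nothing. Flows are listed in both directions so a stateful firewall
    review can check each initiator.
    """
    flows = set()
    for src in nodes:
        for dst in nodes:
            if src is dst:
                continue
            core = {src.role, dst.role} & {"publisher", "standby"}
            if not core and not (src.promotable or dst.promotable):
                continue
            for proto, port, service in BASE_FLOWS:
                flows.add((src.name, dst.name, proto, port, service))
            # Rendering a remote node's System Monitor data (cluster-wide
            # parameter "Performance Monitor Rendering Port", default 80).
            flows.add((src.name, dst.name, "tcp", monitor_port, "System Monitor rendering"))
    return flows


def checklist(flows):
    """Human-readable, sorted lines for a firewall change request."""
    return [f"{src} -> {dst}  {proto}/{port}  ({service})"
            for src, dst, proto, port, service in sorted(flows)]


def tcp_reachable(host, port, timeout=2.0):
    """Live check for one TCP flow from this machine; UDP 123 needs an NTP query instead."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo():
    # Constructed five-node cluster: one plain subscriber pair (sub1, sub2)
    # and one subscriber (sub3) that the design allows to be promoted.
    nodes = [
        Node("pub", "publisher"),
        Node("sby", "standby"),
        Node("sub1", "subscriber"),
        Node("sub2", "subscriber"),
        Node("sub3", "subscriber", promotable=True),
    ]
    return required_flows(nodes)


if __name__ == "__main__":
    for line in checklist(demo()):
        print(line)
```

Run it from a subscriber with `tcp_reachable(host, port)` over the entries that name that subscriber as source to confirm the TCP flows before joining the node; the sub1/sub2 pair produces no entries, which is the caveat made explicit.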

ClearPass Cluster: Active Directory (AD) integration

• Join nodes to AD for MSCHAPv2
• Can join multiple independent AD domains
• Deploy nodes close to AD domain controllers
• Can override AD Password Servers

ClearPass Cluster: Publisher failure

(Diagram) Publisher, Standby, Subscriber, Subscriber.

• Subscribers handle authentication requests
• Standby node detects failure and promotes to publisher
• The following operations are affected:
  • Policy Manager and Guest configuration / provisioning
  • Guest, Onboard and Endpoint updates
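To make the failure window on this slide concrete, the following Python model (an added example, not Aruba code) walks through a publisher outage: subscribers keep answering authentication requests, publisher-only writes (configuration, Guest, Onboard and Endpoint updates) are refused, and the standby promotes itself once it has missed enough heartbeats. The node names, the heartbeat count that triggers promotion and the operation names are constructed model parameters, not ClearPass settings.

```python
"""Model of ClearPass publisher failure and standby promotion.

Added example, not Aruba's code. A small state machine that shows which
operations continue and which are blocked between the publisher failing and
the standby detecting it through missed heartbeats. The heartbeat count that
triggers promotion is a constructed model parameter, not a ClearPass setting.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    role: str                 # "publisher", "standby" or "subscriber"
    alive: bool = True
    missed_heartbeats: int = 0


class PublisherUnavailable(Exception):
    """Raised for operations that only the publisher can perform."""


@dataclass
class Cluster:
    nodes: list
    failure_threshold: int = 3          # model parameter: missed heartbeats before promotion
    log: list = field(default_factory=list)

    def _by_role(self, role):
        return next((n for n in self.nodes if n.role == role), None)

    def publisher(self):
        """The live publisher, or None while the cluster has no usable publisher."""
        pub = self._by_role("publisher")
        return pub if pub is not None and pub.alive else None

    def heartbeat(self):
        """One heartbeat round from the standby toward the publisher."""
        pub, standby = self._by_role("publisher"), self._by_role("standby")
        if pub is None or standby is None or not standby.alive:
            return
        if pub.alive:
            pub.missed_heartbeats = 0
            return
        pub.missed_heartbeats += 1
        if pub.missed_heartbeats >= self.failure_threshold:
            pub.role = "failed"           # old publisher must be re-joined later
            standby.role = "publisher"
            self.log.append(f"{standby.name} promoted to publisher")

    def authenticate(self, node_name):
        """Authentication is served locally by any live node, publisher or not."""
        node = next(n for n in self.nodes if n.name == node_name)
        if not node.alive:
            raise RuntimeError(f"{node_name} is down")
        return "ACCEPT"

    def write_config(self, change):
        """Policy Manager/Guest configuration and Guest, Onboard and Endpoint
        updates are written on the publisher, so they fail without one."""
        pub = self.publisher()
        if pub is None:
            raise PublisherUnavailable(f"cannot apply {change!r}: no publisher available")
        self.log.append(f"{pub.name} applied {change}")
        return pub.name


def failover_scenario():
    """Constructed scenario: the publisher dies, subscribers keep authenticating,
    config writes fail until the standby promotes itself."""
    cluster = Cluster([Node("pub", "publisher"), Node("sby", "standby"), Node("sub1", "subscriber")])
    cluster.write_config("add guest account")
    cluster.nodes[0].alive = False              # publisher failure

    auth_result = cluster.authenticate("sub1")  # still served by the subscriber
    blocked = False
    try:
        cluster.write_config("update endpoint")
    except PublisherUnavailable:
        blocked = True

    rounds = 0
    while cluster.publisher() is None:          # standby counts missed heartbeats
        cluster.heartbeat()
        rounds += 1
    applied_by = cluster.write_config("update endpoint")
    return {
        "auth_during_outage": auth_result,
        "config_blocked_during_outage": blocked,
        "heartbeats_to_failover": rounds,
        "config_applied_by": applied_by,
    }


if __name__ == "__main__":
    print(failover_scenario())
```

The operational lesson the model makes visible: the length of the window in which guest provisioning and endpoint updates fail is the heartbeat interval times the failure threshold, so those two values, not subscriber capacity, decide how much a publisher outage hurts.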

ClearPass Cluster: Upgrade

• Publisher upgrades first
• Subscribers join back post upgrade
• Use the Cluster Upgrade Tool (CUT) *additional details later
• Plan for sufficient downtime

ClearPass Zones

(Diagram) Publisher, Standby and Subscribers spread across Zone A, Zone B and Zone C. Config database replication runs from the publisher to every subscriber in every zone; multi-master cache replication runs between the nodes within a zone. Legend: C = Config database.

ClearPass Zones: Profile

(Diagram) Profile inputs (DHCP, HTTP User-Agent, etc.) arrive at subscribers in Zone A and Zone B. Each zone has a profile master node (P); the other subscribers proxy their profile input to the profile master node in their zone, which performs the DB update.

ClearPass Zones: OnGuard

Configure OnGuard client subnets per zone

Deployment Models

Deployment models: Centralized deployment

(Diagram) Publisher, Standby and Subscribers connected over low latency network links.

Deployment models: Distributed deployment

(Diagram) Publisher and Standby with Subscribers in Zone A and Zone B, separated by a WAN. Config replication and Insight data (I) cross the WAN.

Deployment models: Multi-cluster deployment

(Diagram) Cluster 1 (Publisher, Subscriber 1 to Subscriber N) and Cluster 2 (Publisher, Subscriber 1 to Subscriber N); the remote cluster is used as an authentication source.

Deployment models: Design considerations

Consider         Review
Capacity         • Number of devices
                 • Locations
Use cases        • Auth methods
                 • Authentication sources
                 • Guest provisioning
                 • Posture assessment
                 • Peak authentication rate
                 • Complex policies
IO activity      • Accounting
                 • Guest/Onboard provisioning
                 • Insight
Redundancy       • N+1 or higher at each location
Failover         • Standby node

Deployment models: Design considerations (continued)

Consider                       Review
Dedicated publisher node       • Cluster size
                               • Guest/Onboard provisioning
                               • Endpoint and profile updates
Dedicated standby node         • Standby node utilization
Dedicated Insight nodes        • Cluster-wide authentication rate
                               • Insight as authorization source
Dedicate nodes for use cases   • AAA request processing
                               • Guest registration
Load balancing                 • Network device configuration
                               • External load balancer

Monitoring the Cluster

Monitoring: iDRAC7

ClearPass customers running on the CP 25K server can take advantage of the Integrated Remote Access Controller remote management features (iDRAC7). The iDRAC7 allows administrators to monitor, manage, update, troubleshoot, and remediate CP 25K servers from any location.

Monitoring: ClearPass Syslog

ClearPass user interfaces enable ClearPass administrators to view Authentication, Authorization, Accounting, and System events. ClearPass has the capability to store these messages, encapsulate them and retransmit them as RFC 5424 compliant Syslog messages to any Syslog Receiver. ClearPass can also format Syslog messages in Log Event Extended Format (LEEF) and Common Event Format (CEF).
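On the receiving side, the value of the RFC 5424 and CEF formats mentioned above is that a collector can split the records without product-specific parsing. The Python script below is an added example, not Aruba code or the ClearPass export itself: it parses the RFC 5424 header (decoding PRI into facility and severity), parses a CEF body into its seven header fields plus key=value extensions, and runs one detection (repeated rejects per user) over a batch of sample lines. The sample lines, the CEF signature ids and the extension keys (suser, src, outcome) are constructed for the example and do not represent ClearPass's real event layout.

```python
"""Parse RFC 5424 syslog records carrying CEF payloads and flag repeated rejects.

Added example, not Aruba's code. The sample lines are constructed for this
example and only imitate the shape of an RFC 5424 message with a CEF body;
the CEF signature ids and extension keys (suser, src, outcome) are assumptions,
not ClearPass's actual event layout.
"""
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+)\s(?P<timestamp>\S+)\s(?P<hostname>\S+)\s"
    r"(?P<appname>\S+)\s(?P<procid>\S+)\s(?P<msgid>\S+)\s"
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?:\s(?P<msg>.*))?$",
    re.S,
)

# CEF extension: key=value pairs; values may contain spaces, keys may not.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)", re.S)
CEF_HEADER = ("cef_version", "vendor", "product", "version",
              "signature_id", "name", "severity")


def parse_rfc5424(line):
    """Split a syslog line into its header fields; PRI is decoded into facility and severity."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not an RFC 5424 record: {line[:40]!r}")
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = divmod(pri, 8)   # PRI = facility * 8 + severity
    rec["msg"] = rec["msg"] or ""
    return rec


def parse_cef(msg):
    """Parse a CEF body ('CEF:0|vendor|product|version|id|name|severity|ext'); None if not CEF."""
    if not msg.startswith("CEF:"):
        return None
    parts = re.split(r"(?<!\\)\|", msg, maxsplit=7)   # a '\|' inside a field is escaped
    if len(parts) < 7:
        raise ValueError("CEF header is missing fields")
    rec = dict(zip(CEF_HEADER, parts[:7]))
    rec["cef_version"] = rec["cef_version"].split(":", 1)[1]
    ext = parts[7] if len(parts) == 8 else ""
    rec["ext"] = dict(CEF_EXT_RE.findall(ext))
    return rec


def reject_counts(lines):
    """Count CEF events whose outcome extension is REJECT, per user."""
    counts = {}
    for line in lines:
        cef = parse_cef(parse_rfc5424(line)["msg"])
        if cef and cef["ext"].get("outcome") == "REJECT":
            user = cef["ext"].get("suser", "<unknown>")
            counts[user] = counts.get(user, 0) + 1
    return counts


def users_over_threshold(lines, threshold=3):
    """Users with at least `threshold` rejects in the batch: a starting point for an alert rule."""
    return {u: n for u, n in reject_counts(lines).items() if n >= threshold}


# Constructed sample batch (not real ClearPass output).
SAMPLE_LINES = [
    '<14>1 2016-03-09T10:15:01Z cppm1.example.net ClearPass - RADIUS - CEF:0|Aruba Networks|ClearPass|6.5|1001|Authentication failed|5|suser=jdoe src=10.1.2.3 outcome=REJECT',
    '<14>1 2016-03-09T10:15:04Z cppm1.example.net ClearPass - RADIUS - CEF:0|Aruba Networks|ClearPass|6.5|1001|Authentication failed|5|suser=jdoe src=10.1.2.3 outcome=REJECT',
    '<14>1 2016-03-09T10:15:05Z cppm2.example.net ClearPass - RADIUS - CEF:0|Aruba Networks|ClearPass|6.5|1000|Authentication succeeded|3|suser=asmith src=10.1.7.9 outcome=ACCEPT',
    '<13>1 2016-03-09T10:15:06Z cppm1.example.net ClearPass - SYSTEM - Config database replication completed',
    '<14>1 2016-03-09T10:15:09Z cppm1.example.net ClearPass - RADIUS - CEF:0|Aruba Networks|ClearPass|6.5|1001|Authentication failed|5|suser=jdoe src=10.1.2.3 outcome=REJECT',
    '<14>1 2016-03-09T10:15:12Z cppm2.example.net ClearPass - RADIUS - CEF:0|Aruba Networks|ClearPass|6.5|1001|Authentication failed|5|suser=asmith src=10.1.7.9 outcome=REJECT',
]

if __name__ == "__main__":
    print(users_over_threshold(SAMPLE_LINES))   # {'jdoe': 3}
```

The fourth sample line is a plain System event rather than CEF, which is why `parse_cef` returns None instead of raising; a collector fed a mixed Authentication/System stream needs that branch.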

Monitoring: ClearPass SNMP

ClearPass has a Private Enterprise SNMP MIB exposing 70+ OIDs covering:

• System information
• Authentication counters
• Authorization counters
• Network traffic counters
• Traps for various system and application events

Monitoring: ClearPass Insight

ClearPass Insight is an advanced application to deliver enhanced analytics, in-depth reporting, and alerting. Insight provides the ability to track detailed authentication records, audit trails, and develop systematic reports on network-access trends.

• Consolidated Reporting
• In-depth Analytics
• Ready-to-use Templates
• Alerts

Tuning the Cluster

Tuning: Insight

ClearPass Insight stores detailed authentication records, audit trails, and archived network access logs. Database and report retention should be adjusted to policy.

Tuning: Cleanup Intervals

ClearPass Insight stores detailed authentication records, audit trails, and archived network access logs. Database and report retention should be adjusted to policy.

Tuning: Replication Interval

In high latency environments the Replication Batch Interval may need to be adjusted.

Cluster Operations

Operations: Cluster Upgrade Tool (CUT)

The Cluster Upgrade Tool is a simple user interface that automates the upgrade procedure for a ClearPass cluster.

What does it do?
• Helps administrators upgrade multi node clusters (large or small)
• Task automation, reduces operational overhead and time
• Provides pre/post upgrade checks to flag/fix potential issues and ensure cluster health

Technical details
• Available as a patch for Publishers running 6.2.6, 6.3.x, 6.4.x
• Software images distributed from publisher to subscribers
• Database lock time reduced to minutes versus hours
• Upgrade multiple subscribers simultaneously
• Does not upgrade patches (roadmap feature)

Operations: Cluster Upgrade Tool (CUT), continued

Customized upgrade models: choose all or a subset of subscribers. If all are chosen they will be started after the Publisher completes, staggering start times every 5 minutes.

View of the entire process as well as access to individual drilldown logging for the Publisher and each Subscriber.

Operations: ClearPass Exchange

Leverage ClearPass Exchange to integrate with existing Enterprise management systems:

• MDM / EMM solutions
• Messaging and / or escalation platforms
• Helpdesk and trouble ticketing solutions
• Log management/retention systems (syslog)
• Network security / compliance engines (bi-directional)

Operations: Backups

ClearPass Policy Manager provides the ability to push scheduled data backups securely to an external server. You can push the data using the SFTP and SCP protocols.

Operations: Log collection

When you need to review performance or troubleshoot issues in detail, Policy Manager can compile and save transactional and diagnostic data into several log files. These files are saved in Local Shared Folders and can be downloaded to your computer.

Operations: Log Configuration

From the Log Configuration menu, you can view and change the verbosity of the data collected into the Log Files.

Available levels include:
• DEBUG
• INFO
• WARN
• ERROR
• FATAL

Operations: Remote Assistance

Remote Assistance enables the ClearPass administrator to allow an Aruba Networks support engineer to remotely log in to the ClearPass server using Secure Shell (SSH) and also view the UI, to debug any issues the customer is facing or to perform proactive monitoring of the server.

Planning a deployment

Enterprise ClearPass Deployment: Design Phase

Phases: Use Case Analysis (Design), Planning and Pilot, Design Modifications, Production Roll out

• Identify individual use cases
• Determine necessary ClearPass Policy Manager (CPPM) Modules
• Discover/Determine Customer Environments
  • Regional Data Centers
  • Estimated number of Endpoints per region
• Define Initial CPPM Cluster Architecture
• Define Licensing requirements

Enterprise ClearPass Deployment: Planning/Pilot Phase

• Develop draft roll out plan for Enterprise
• Develop communications plan for notifying End Users
• Identify pilot locations to meet criteria set in Use Cases
• Leverage environment as close to production for pilot testing
• Capture pilot results

Enterprise ClearPass Deployment: Design Modification Phase

• Analyze pilot results to determine effectiveness of CPPM Modules based on Use Case requirements
• Adjust Architecture Design as necessary
  • Additional or missed backend business processes identified
  • Discovery of new or unexpected environment elements
    • Endpoint devices
    • Infrastructure obstacles

Enterprise ClearPass Deployment: Production Roll out Phase

• Adjust deployment plan for production roll out
• Begin communication plan to end users with expected changes
• Execute deployment according to schedule


Join Aruba’s Titans of Tomorrow force in the fight against network mayhem. Find out what your IT superpower is.

Share your results with friends and receive a free superpower t-shirt.

www.arubatitans.com

Thank you

Venkatraju T V – venkatraju@hpe.com
Steve Eubanks – steve.eubanks@hpe.com
Drew Wyskida – drew.wyskida@hpe.com

March 9, 2016
