Large scale, distributed access management deployment with Aruba ClearPass

Technology. Posted Jan 08, 2017. 47 slides.

Transcript

Page 1: Large scale, distributed access management deployment with Aruba ClearPass

#ATM16

Venkatraju T V – ClearPass Engineer
Steve Eubanks – ClearPass CSE
Drew Wyskida – ClearPass CSE

March 9, 2016 @ArubaNetworks

Page 2: Agenda

• ClearPass Solution
• Cluster and Zones
• Deployment Models
• Monitoring and Tuning
• Operations
• Planning a deployment

Page 3: ClearPass Solution

Page 4: ClearPass solution

Model                                         CP-500   CP-5K    CP-25K
Maximum devices                               500      5,000    25,000
Maximum devices in High Capacity Guest mode   1,000    10,000   50,000

Modules: Policy Manager, Guest, Onboard, OnGuard

Page 5: ClearPass solution – High Capacity Guest (HCG) mode

                                     Normal mode                     HCG mode
Devices (CP-500 / CP-5K / CP-25K)    500 / 5K / 25K                  1,000 / 10K / 50K
Licenses allowed                     Policy Manager, Guest,          Guest
                                     OnGuard, Onboard
Cleanup intervals                    Defaults                        Reduced
Posture and audit checks             Supported                       Not supported
Restricted EAP methods               None                            FAST, GTC, MSCHAPv2, PEAP, TLS, TTLS
Restricted service templates         None                            802.1X

HCG mode trades the 802.1X, posture and Onboard feature set for double the device capacity: it is a guest-only mode, and the HCG device limit for the CP-25K is 50,000 (page 4).

Page 6: ClearPass Cluster and Zones

Page 7: ClearPass Cluster

Diagram (cluster data flows): one publisher, one standby publisher and several subscribers. Every node holds three databases: a config database (C), an Insight database (I) and a session log database (L). Arrows show config database replication from the publisher to the other nodes, multi-master cache replication between nodes, and a heartbeat between the publisher and the standby that is used to detect publisher failure.

Page 8: ClearPass Cluster – Insight

Diagram: the same publisher, standby and subscribers, each with a config database (C) and an Insight database (I). Insight events from every node flow to the Insight database; one Insight-enabled node acts as the Insight master.

Page 9: ClearPass Cluster – Databases

Config database
  Purpose: configuration and provisioning; endpoints, profiles, guests, Onboard certificates
  Replication: replicated from the publisher to all subscribers
  Size: 50 MB to 500 MB
  Guidance: review Endpoint and Guest cleanup settings

Insight database
  Purpose: cluster-wide reporting, bandwidth checks
  Replication: duplicated at each Insight node
  Size: 1 GB to 200+ GB
  Guidance: review database retention settings

Session log database
  Purpose: Access Tracker, Event Viewer
  Replication: not replicated
  Size: 1 GB to 100 GB
  Guidance: review cleanup settings

Multi-master cache
  Purpose: machine authentication, session information (CoA), role and posture cache
  Replication: full mesh replication within a Zone
  Size: 1 MB to 100 MB
  Guidance: configure Zones per location

Page 10: ClearPass Cluster – Intra-cluster communication

Diagram: the publisher and the standby exchange NTP, PostgreSQL and HTTPS; each subscriber exchanges NTP, PostgreSQL and HTTPS with the publisher.

Ports required between nodes:
• UDP port 123 (NTP)
• TCP port 5432 (PostgreSQL)
• TCP port 443 (HTTPS)

Caveats:
• Releases before the latest ClearPass 6.5 release may need additional ports open.
• Port 80 is used to render System Monitor data from a remote node; it can be changed with the cluster-wide parameter “Performance Monitor Rendering Port”.
• Subscriber-to-subscriber communication is not required, as long as the subscriber will never be promoted to publisher (nodes in the same Zone do still replicate the multi-master cache between each other, see page 9).
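Before joining a subscriber, a practitioner wants proof that these three ports actually pass between the nodes, not just a firewall change request that says they do. The following is an added example (not from the deck and not Aruba tooling): a script run from the node about to be joined that attempts a TCP connect on 5432 and 443 and sends one SNTP request on UDP 123, checking that whatever answers really is an NTP server reply rather than any stray datagram. The publisher host name and the optional list of extra TCP ports (for older releases, or port 80 for System Monitor rendering) are assumptions supplied by the caller.

```python
"""Pre-join connectivity check between ClearPass cluster nodes.

Added example: not from the deck and not Aruba tooling. It probes the ports
the slide lists for intra-cluster traffic (UDP 123 NTP, TCP 5432 PostgreSQL,
TCP 443 HTTPS) from the node about to be joined towards the publisher.
The publisher host name and any extra TCP ports are supplied by the caller.
"""
import socket
import struct
import sys
import time
from typing import Dict, Iterable, Optional

# (protocol, port, purpose) as listed on the slide. Older releases may need
# more ports, so check_peer() accepts extra TCP ports (e.g. 80, the default
# Performance Monitor Rendering Port).
CLUSTER_PORTS = (
    ("udp", 123, "NTP"),
    ("tcp", 5432, "PostgreSQL"),
    ("tcp", 443, "HTTPS"),
)

NTP_PACKET_LEN = 48
NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def build_ntp_request() -> bytes:
    """Minimal SNTP client packet: LI=0, VN=4, Mode=3; every other field zero."""
    return bytes([0x23]) + bytes(NTP_PACKET_LEN - 1)


def parse_ntp_transmit_time(packet: bytes) -> float:
    """Transmit timestamp (Unix seconds, fractional) from an NTP server reply.

    Rejects anything that is not a 48-byte mode-4 packet, so a stray datagram
    on port 123 is not mistaken for a working time source.
    """
    if len(packet) < NTP_PACKET_LEN:
        raise ValueError("short NTP packet")
    if packet[0] & 0x07 != 4:
        raise ValueError("not an NTP server reply (mode != 4)")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_UNIX_OFFSET + fraction / 2**32


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ntp_clock_offset(host: str, timeout: float = 2.0) -> Optional[float]:
    """Send one SNTP request; return |local clock - server clock| in seconds,
    or None if no valid reply arrives. Skew between nodes matters because
    replication and certificate validation are time sensitive."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_ntp_request(), (host, 123))
            reply, _ = sock.recvfrom(NTP_PACKET_LEN)
            return abs(time.time() - parse_ntp_transmit_time(reply))
        except (OSError, ValueError):
            return None


def check_peer(host: str, extra_tcp_ports: Iterable[int] = (),
               timeout: float = 2.0) -> Dict[str, bool]:
    """Probe every required port towards `host`; map 'proto/port purpose' -> ok."""
    results: Dict[str, bool] = {}
    for proto, port, purpose in CLUSTER_PORTS:
        label = f"{proto}/{port} {purpose}"
        if proto == "udp":
            results[label] = ntp_clock_offset(host, timeout) is not None
        else:
            results[label] = tcp_port_open(host, port, timeout)
    for port in extra_tcp_ports:
        results[f"tcp/{port} extra"] = tcp_port_open(host, port, timeout)
    return results


if __name__ == "__main__":
    # Usage: python check_cluster_ports.py <publisher-host>; the default name is an assumption.
    publisher = sys.argv[1] if len(sys.argv) > 1 else "cppm-publisher.example.net"
    report = check_peer(publisher, extra_tcp_ports=(80,))
    for label, ok in report.items():
        print(("OK   " if ok else "FAIL ") + label)
    sys.exit(0 if all(report.values()) else 1)
```

Run it in both directions (from the subscriber towards the publisher and from the publisher towards the subscriber) and, for a node that may one day become publisher, towards every other node as well, since that is the case the slide's third caveat excludes.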

Page 11: ClearPass Cluster – Active Directory (AD) integration

• Join the nodes to AD for MSCHAPv2 (the domain join is what lets a node validate MSCHAPv2 credentials against AD)
• A cluster can join multiple independent AD domains
• Deploy nodes close to the AD domain controllers
• The AD Password Servers can be overridden, which pins a node's authentication traffic to the domain controllers nearest to it

Page 12: ClearPass Cluster – Publisher failure

Diagram: publisher (failed), standby, subscribers.

• Subscribers keep handling authentication requests
• The standby node detects the failure through the heartbeat and promotes itself to publisher
• The following operations are affected until a publisher is available again:
  • Policy Manager and Guest configuration / provisioning
  • Guest, Onboard and Endpoint updates

Page 13: ClearPass Cluster – Upgrade

• The publisher upgrades first
• Subscribers rejoin the cluster after they are upgraded
• Use the Cluster Upgrade Tool (CUT); additional details later in the deck
• Plan for sufficient downtime

Page 14: ClearPass Zones

Diagram: one cluster split into Zone A (publisher, standby and a subscriber), Zone B (two subscribers) and Zone C (two subscribers). Every node holds a copy of the config database (C), which is replicated from the publisher to all nodes regardless of zone; multi-master cache replication runs only between the nodes of the same zone.

Page 15: ClearPass Zones – Profile

Diagram: Zone A (publisher and subscribers) and Zone B (subscribers). Each zone has one profile master node (P). Profile inputs (DHCP, HTTP User-Agent, etc.) arriving at any node are proxied to the profile master node of that zone, which performs the DB update.

Page 16: ClearPass Zones – OnGuard

Configure the OnGuard client subnets per zone.

Page 17: Deployment Models

Page 18: Deployment models – Centralized deployment

Diagram: publisher, standby and three subscribers in one location, connected by low latency network links.

Page 19: Deployment models – Distributed deployment

Diagram: Zone A (publisher, standby and a subscriber) and Zone B (subscribers) connected across a WAN. Config replication and Insight data (I) cross the WAN.

Page 20: Deployment models – Multi-cluster deployment

Diagram: Cluster 1 (publisher, subscribers 1 to N) and Cluster 2 (publisher, subscribers 1 to N), each an independent cluster; one cluster uses the remote cluster as an authentication source.

Page 21: Deployment models – Design considerations

Consider        Review
Capacity        • Number of devices
                • Locations
Use cases       • Auth methods
                • Authentication sources
                • Guest provisioning
                • Posture assessment
                • Peak authentication rate
                • Complex policies
IO activity     • Accounting
                • Guest/Onboard provisioning
                • Insight
Redundancy      • N+1 or higher at each location
Failover        • Standby node
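A worked sizing pass over these considerations, as an added example (not Aruba's sizing tool and not from the deck): it combines the page 4 per-appliance device limits, the HCG doubling and its 802.1X restriction from page 5, and the N+1 per-location rule on this slide. The 25% growth allowance, the treatment of the device limits as per-node figures, and the preference for fitting a location onto a single node (so that one surviving node still carries it) are assumptions of this example; check them against the current licensing and scaling guide.

```python
"""Per-location node sizing from the deck's own numbers.

Added example, not Aruba's sizing tool and not from the deck. It combines the
page 4 per-appliance device limits, the High Capacity Guest (HCG) doubling and
its 802.1X restriction from page 5, and the N+1 per-location rule from page 21.
Assumptions of this example: a 25% growth allowance, treating the device limits
as per-node figures, and preferring to fit a location on a single node so that
one surviving node still carries it.
"""
import math
from typing import Iterable, List, NamedTuple

CAPACITY = {"CP-500": 500, "CP-5K": 5000, "CP-25K": 25000}  # page 4, normal mode
HCG_MULTIPLIER = 2   # pages 4 and 5: HCG mode doubles the device limit


class Site(NamedTuple):
    name: str
    devices: int
    needs_8021x: bool = True   # 802.1X service templates are restricted in HCG mode (page 5)
    redundancy: int = 1        # spare nodes beyond what the load needs: N+1 by default


class Plan(NamedTuple):
    site: str
    model: str
    active_nodes: int   # nodes needed to carry the load
    total_nodes: int    # active_nodes + redundancy
    node_capacity: int  # devices per node in the chosen mode


def effective_capacity(model: str, hcg: bool) -> int:
    return CAPACITY[model] * (HCG_MULTIPLIER if hcg else 1)


def size_site(site: Site, hcg: bool = False, growth: float = 0.25) -> Plan:
    """Smallest appliance that carries the whole site on one node (plus spares);
    if no single appliance can, scale out on the largest model."""
    needed = math.ceil(site.devices * (1 + growth))
    models = sorted(CAPACITY, key=CAPACITY.__getitem__)
    for model in models:
        cap = effective_capacity(model, hcg)
        if cap >= needed:
            return Plan(site.name, model, 1, 1 + site.redundancy, cap)
    largest = models[-1]
    cap = effective_capacity(largest, hcg)
    active = math.ceil(needed / cap)
    return Plan(site.name, largest, active, active + site.redundancy, cap)


def hcg_allowed(sites: Iterable[Site]) -> bool:
    """HCG is a cluster-wide mode, so it is only an option if no site needs 802.1X."""
    return not any(s.needs_8021x for s in sites)


def plan_cluster(sites: Iterable[Site], hcg: bool = False) -> List[Plan]:
    sites = list(sites)
    if hcg and not hcg_allowed(sites):
        blocked = [s.name for s in sites if s.needs_8021x]
        raise ValueError(f"HCG mode cannot serve 802.1X sites: {blocked}")
    return [size_site(s, hcg) for s in sites]


def total_nodes(plans: Iterable[Plan]) -> int:
    return sum(p.total_nodes for p in plans)


if __name__ == "__main__":
    # Constructed site list for illustration.
    sites = [Site("HQ", 3000), Site("Campus", 30000, redundancy=2), Site("Branch", 120)]
    plans = plan_cluster(sites)
    for p in plans:
        print(f"{p.site:8} {p.model:7} active={p.active_nodes} total={p.total_nodes} "
              f"({p.node_capacity} devices/node)")
    print("nodes in cluster:", total_nodes(plans), "| HCG possible:", hcg_allowed(sites))
```

The HCG check is the part worth keeping even if the capacity arithmetic is replaced by vendor figures: because HCG is selected for the whole cluster, a single location that still needs 802.1X rules it out for every other location too.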

Page 22: Deployment models – Design considerations (continued)

Consider                       Review
Dedicated publisher node       • Cluster size
                               • Guest/Onboard provisioning
                               • Endpoint and profile updates
Dedicated standby node         • Standby node utilization
Dedicated Insight nodes        • Cluster-wide authentication rate
                               • Insight as authorization source
Dedicate nodes for use cases   • AAA request processing
                               • Guest registration
Load balancing                 • Network device configuration
                               • External load balancer

Page 23: Monitoring the Cluster

Page 24: Monitoring – iDRAC7

Customers running ClearPass on the CP-25K server can take advantage of the Integrated Dell Remote Access Controller (iDRAC7) remote management features. iDRAC7 lets administrators monitor, manage, update, troubleshoot and remediate CP-25K servers from any location. Because it gives out-of-band control of the appliance independent of ClearPass itself, its interface belongs on a dedicated, access-controlled management network.

Page 25: Monitoring – ClearPass Syslog

The ClearPass user interfaces let administrators view Authentication, Authorization, Accounting and System events. ClearPass can also store these messages, encapsulate them and forward them as RFC 5424 compliant syslog messages to any syslog receiver, and can format them in Log Event Extended Format (LEEF) or Common Event Format (CEF) for SIEM consumption.
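The following is an added example (not code from the deck or from Aruba) of what the receiving side of such a feed has to do: parse the RFC 5424 header, decode whichever of CEF or LEEF the payload carries, and run a simple detection over the flattened result. The four sample lines are constructed for this example, and their extension keys (src, suser, usrName, outcome) are illustrative rather than ClearPass's real export field names.

```python
"""Normalise ClearPass-style syslog exports into flat events for a SIEM.

Added example, not code from the deck or from Aruba: parse_rfc5424() splits the
RFC 5424 header and normalize() decodes a CEF or LEEF payload, the two SIEM formats
the slide says ClearPass can emit. SAMPLE_LINES are constructed for this example;
their extension keys (src, suser, usrName, outcome) are illustrative, not ClearPass's.
"""
import re
from collections import Counter
from typing import Dict, Iterable

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<payload>.*))?$"
)
_PIPE = re.compile(r"(?<!\\)\|")                    # '|' that is not escaped as '\|'
_CEF_EXT_SEP = re.compile(r" (?=[A-Za-z0-9_]+=)")  # space that starts the next key=value


def parse_rfc5424(line: str) -> Dict[str, str]:
    """Header fields plus the raw MSG ('payload'); PRI is split into facility/severity."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line[:60])
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    fields["facility"], fields["severity"] = str(pri // 8), str(pri % 8)
    fields["payload"] = fields["payload"] or ""
    return fields


def _key_values(text: str, separator) -> Dict[str, str]:
    """Split 'k=v<sep>k=v' attribute strings; '\\=' inside a value is unescaped."""
    out: Dict[str, str] = {}
    for chunk in separator.split(text):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            out[key] = value.replace("\\=", "=")
    return out


def parse_cef(payload: str) -> Dict[str, str]:
    """CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    parts = _PIPE.split(payload, maxsplit=7)
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF payload")
    names = ("cef_version", "vendor", "product", "product_version", "signature_id", "name", "cef_severity")
    event = {n: p.replace("\\|", "|") for n, p in zip(names, parts)}
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    if len(parts) == 8:
        event.update(_key_values(parts[7], _CEF_EXT_SEP))
    return event


def parse_leef(payload: str) -> Dict[str, str]:
    """LEEF:Version|Vendor|Product|Version|EventID|[Delimiter|]Attributes
    LEEF 1.0 uses a tab between attributes; LEEF 2.0 may declare its own delimiter,
    either as a literal character or as xHH (hex)."""
    parts = _PIPE.split(payload)
    if len(parts) < 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF payload")
    event = {"leef_version": parts[0][len("LEEF:"):], "vendor": parts[1],
             "product": parts[2], "product_version": parts[3], "event_id": parts[4]}
    delimiter, attributes = "\t", "|".join(parts[5:])
    if event["leef_version"] == "2.0" and len(parts) >= 7:
        delimiter, attributes = parts[5], "|".join(parts[6:])
        if len(delimiter) > 1 and delimiter[0] == "x":
            delimiter = chr(int(delimiter[1:], 16))
    event.update(_key_values(attributes, re.compile(re.escape(delimiter))))
    return event


def normalize(line: str) -> Dict[str, str]:
    """One flat dict per line: syslog header fields plus the decoded CEF/LEEF fields."""
    event = parse_rfc5424(line)
    payload = event["payload"]
    if payload.startswith("CEF:"):
        event["format"] = "cef"
        event.update(parse_cef(payload))
    elif payload.startswith("LEEF:"):
        event["format"] = "leef"
        event.update(parse_leef(payload))
    else:
        event["format"] = "plain"
    return event


def reject_counts_by_source(events: Iterable[Dict[str, str]]) -> Counter:
    """Toy detection: rejected authentications per source address ('src'/'outcome' are the samples' keys)."""
    return Counter(e["src"] for e in events if e.get("outcome") == "REJECT" and "src" in e)


# Constructed sample export, not captured from a real ClearPass node.
SAMPLE_LINES = [
    "<14>1 2016-03-09T10:15:00Z cppm01 ClearPass - - - CEF:0|Aruba Networks|ClearPass|6.5|1001|Authentication rejected|5|src=10.1.2.3 suser=jdoe outcome=REJECT msg=EAP-PEAP inner method failed",
    "<14>1 2016-03-09T10:15:01Z cppm01 ClearPass - - - CEF:0|Aruba Networks|ClearPass|6.5|1001|Authentication rejected|5|src=10.1.2.3 suser=jdoe outcome=REJECT",
    "<14>1 2016-03-09T10:15:02Z cppm01 ClearPass - - - LEEF:2.0|Aruba Networks|ClearPass|6.5|1000|^|src=10.1.2.9^usrName=asmith^outcome=ACCEPT",
    '<12>1 2016-03-09T10:15:03Z cppm02 ClearPass - - [meta seq="7"] Publisher heartbeat missed',
]
```

Two details matter operationally: the syslog MSG is kept under its own key ('payload') so that a CEF extension named msg cannot overwrite it, and CEF's escaped pipes and equals signs are unescaped only after splitting, so a value containing '|' does not shift the header columns.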

Page 26: Monitoring – ClearPass SNMP

ClearPass has a private enterprise SNMP MIB exposing 70+ OIDs covering:
• System information
• Authentication counters
• Authorization counters
• Network traffic counters
• Traps for various system and application events

Page 27: Monitoring – ClearPass Insight

ClearPass Insight is an advanced application that delivers enhanced analytics, in-depth reporting and alerting. Insight tracks detailed authentication records and audit trails and builds systematic reports on network-access trends.

• Consolidated reporting
• In-depth analytics
• Ready-to-use templates
• Alerts

Page 28: Tuning the Cluster

Page 29: Tuning – Insight

ClearPass Insight stores detailed authentication records, audit trails and archived network access logs. Database and report retention should be adjusted to match the retention policy (page 9: the Insight database can grow to 200+ GB).

Page 30: Tuning – Cleanup intervals

The cleanup intervals for endpoints, guest accounts and session logs bound how much data the config and session log databases hold (page 9 guidance). Review them against the retention policy; note that the cleanup defaults are reduced automatically in High Capacity Guest mode (page 5).

Page 31: Tuning – Replication interval

In high latency environments the Replication Batch Interval may need to be adjusted.

Page 32: Cluster Operations

Page 33: Operations – Cluster Upgrade Tool (CUT)

The Cluster Upgrade Tool is a simple user interface that automates the upgrade procedure for a ClearPass cluster.

What does it do?
• Helps administrators upgrade multi-node clusters, large or small
• Task automation reduces operational overhead and time
• Provides pre- and post-upgrade checks to flag or fix potential issues and ensure cluster health

Technical details
• Available as a patch for publishers running 6.2.6, 6.3.x or 6.4.x
• Software images are distributed from the publisher to the subscribers
• Database lock time is reduced to minutes rather than hours
• Multiple subscribers can be upgraded simultaneously
• Does not install patches (roadmap feature)

Page 34: Operations – Cluster Upgrade Tool (CUT)

Customized upgrade models: choose all subscribers or a subset. If all are chosen, they are started after the publisher completes, with start times staggered every 5 minutes.

The tool shows the entire process and gives access to individual drill-down logs for the publisher and each subscriber.

Page 35: Operations – ClearPass Exchange

Use ClearPass Exchange to integrate with existing enterprise management systems:
• MDM / EMM solutions
• Messaging and / or escalation platforms
• Helpdesk and trouble ticketing solutions
• Log management / retention systems (syslog)
• Network security / compliance engines (bi-directional)

Page 36: Operations – Backups

ClearPass Policy Manager can push scheduled data backups securely to an external server over SFTP or SCP. Both run over SSH, so the backup target's host key and the account ClearPass uses should be verified and restricted in the same way as any other SSH access.

Page 37: Operations – Log collection

When you need to review performance or troubleshoot issues in detail, Policy Manager can compile transactional and diagnostic data into several log files. These files are saved in Local Shared Folders and can be downloaded to your computer.

Page 38: Operations – Log configuration

From the Log Configuration menu you can view and change the verbosity of the data collected into the log files. Available levels: DEBUG, INFO, WARN, ERROR, FATAL.

Page 39: Operations – Remote Assistance

Remote Assistance lets the ClearPass administrator allow an Aruba Networks support engineer to log in remotely to the ClearPass server over Secure Shell (SSH) and to view the UI, either to debug issues the customer is facing or to perform proactive monitoring of the server.

Page 40: Planning a deployment

Page 41: Enterprise ClearPass Deployment – Design phase

Phases: Use Case Analysis (Design) → Planning and Pilot → Design Modifications → Production Roll out

Design phase
• Identify individual use cases
• Determine the necessary ClearPass Policy Manager (CPPM) modules
• Discover / determine the customer environment
  • Regional data centers
  • Estimated number of endpoints per region
• Define the initial CPPM cluster architecture
• Define licensing requirements

Page 42: Enterprise ClearPass Deployment – Planning / Pilot phase

• Develop a draft roll-out plan for the enterprise
• Develop a communications plan for notifying end users
• Identify pilot locations that meet the criteria set in the use cases
• Use an environment as close to production as possible for pilot testing
• Capture pilot results

Page 43: Enterprise ClearPass Deployment – Design modification phase

• Analyze pilot results to determine the effectiveness of the CPPM modules against the use case requirements
• Adjust the architecture design as necessary
  • Additional or missed back-end business processes identified
  • Discovery of new or unexpected environment elements
    • Endpoint devices
    • Infrastructure obstacles

Page 44: Enterprise ClearPass Deployment – Production roll-out phase

• Adjust the deployment plan for the production roll-out
• Begin the communication plan to end users with the expected changes
• Execute the deployment according to schedule

Page 45: Titans of Tomorrow

Join Aruba’s Titans of Tomorrow force in the fight against network mayhem. Find out what your IT superpower is. Share your results with friends and receive a free superpower t-shirt.

www.arubatitans.com

Page 46: Thank you

Venkatraju T V – [email protected]
Steve Eubanks – [email protected]
Drew Wyskida – [email protected]

Page 47: Closing slide

March 9, 2016