Introduction to Aruba Policy Enforcement
The Aruba Edge Services Platform (ESP) architecture provides the components needed to design and implement a comprehensive, zero-trust network across a modern enterprise. Aruba ESP enables consistent policy enforcement on the campus, across the WAN, within branches, and in the data center.
Purpose of This Guide
This deployment guide covers policy enforcement in an Aruba Edge Services Platform (ESP) architecture. It provides guidance on design choices, with considerations for deploying effective security policies while interoperating with a commonly available user database such as Microsoft Active Directory.
Example reference designs illustrating the hardware, software, and logical workflow for this solution aid in understanding the steps needed to secure edge switch ports and wireless access points for Orange Widget Logistics (OWL), the fictional customer described in the Reference Customer page.
Audience
This guide is written for IT professionals responsible for deploying an Aruba ESP campus network. These IT professionals perform a variety of roles:
- Systems engineers who require a standard set of procedures for implementing solutions
- Project managers who develop scopes of work for Aruba implementations
- Aruba partners who sell technology or create implementation documentation
Not Covered in This Guide
This guide does not cover:
- Detailed VM host configuration
- Detailed Central WLAN configuration
- Detailed supplicant configuration
- Detailed Windows server configuration
Customer Use Case
Network access for OWL employees and guests currently consists of statically configured edge switch ports that rely on physical security to prevent unauthorized access. These ports offer no visibility into which authorized or unauthorized devices are physically connected to the network.
OWL’s IT Infrastructure team is centralized at the Roseville, CA campus. Like many enterprise companies, OWL has no IT Network Engineering presence in other branches or remote office locations.
Campuses and Branches
OWL’s Roseville campus consists of three buildings totaling approximately 100,000 square feet of office and warehouse space. Building 1 contains a high concentration of conference rooms on the first floor; Building 2 houses IT, Finance, and other offices; and Building 3 is the R&D and Training department, as well as the distribution warehouse.
Roseville Campus
Reference Customer Environment
OWL’s Roseville main headquarters campus is designed as a traditional 3-tier topology, with most data traffic carried within VLANs. Wireless traffic is tunneled within GRE to a gateway cluster for centralized policy enforcement. Wired traffic is bridged locally at the ingress switch port.
This design uses Layer 2 access with routed links between the aggregation and core switches.
Policy enforcement occurs at the gateway cluster and at the Layer 2 access switch ports.
Reference Customer’s Need for NAC
A recent incident at the company exposed a network security hole, prompting an IT leadership meeting that uncovered more incidents and highlighted the need for an effective NAC solution. OWL’s documented incidents, which mirror challenges faced by other companies today, include:
- Incident 1: Open Wi-Fi access to the corporate network: After months of dealing with intermittent authentication failures at a branch, the branch manager installed a personal Wi-Fi router for his office laptop. Because the router connected to an access port configured for the laptop’s docking station, all of the personal router’s Wi-Fi clients were granted full access to the corporate network from inside and outside of the building.
- Incident 2: Sales call center interrupted: The sales call center moved floors without notifying IT. No resource was scheduled to configure the cubicle ports for the call center’s VoIP phones.
- Incident 3: Frustrated and embarrassed executives: When the CEO and some of OWL’s top customers visited a new branch, neither the CIO nor CEO could connect to the corporate network because the Wi-Fi and switchport configuration used local settings inconsistent with corporate policy. As a result, they spent an hour troubleshooting, in front of customers, with the IT director by phone, who guided them through configuring the supplicant correctly.
- Incident 4: Weekend trip ruined for on-call network engineer: A power supply failure in one of three switches caused Wi-Fi and wired network outages in a section of OWL’s distribution center. With an outdated network drop list and no configuration backup, the on-call network engineer needed to drive onsite to trace cables and identify each client to determine the individual switchport configuration.
- Incident 5: Reduced productivity and loss of revenue: Internet service was disrupted at several sites across the company during the week of March Madness. The root cause: sales and distribution center staff circumvented Wi-Fi bandwidth restrictions by joining their phones and laptops to the dedicated handheld scanner SSID using a widely known “secret” PSK.
The Solution
OWL leadership has approved the implementation of Aruba ClearPass Policy Manager to eliminate or significantly reduce future incidents like the ones above by:
- Preventing unauthorized access to the network to address Incident 1: Aruba access switches, in conjunction with ClearPass, will enforce access policies that include rejecting unauthorized clients based on 802.1X or MAC authentication, thus preventing a home router from gaining access to OWL’s network.
- Eliminating the need for manual access switchport configuration to address Incidents 2 and 4: Configuring port-access security on Aruba switches allows for colorless ports, which dynamically configure a switch port based on the identity of those connected, eliminating the need for manual switchport configuration every time staff moves to different desks or if devices must be moved due to a downed switch.
- Eliminating network access frustrations for traveling employees to address Incident 3: A properly configured corporate WLAN policy authenticated via CPPM across the organization ensures a consistent and secure user experience when connecting to OWL’s corporate network across all sites.
- Preventing users from oversubscribing an internet circuit to address Incident 5: Using Aruba role-based access on the gateways and access switches enables OWL to enforce bandwidth throttling based on client identity, even on the handheld scanner SSID.
Project Requirements and Goals
The new ClearPass solution is developed from a set of technical and business requirements that guide decisions on the physical location of ClearPass appliances, high availability, and AAA configuration.
Technical Requirements
Primary technical objectives include:
- Secure wireless and wired edge ports using 802.1X and MAC authentication
- Identify all devices on the network through device profiling
- Configure switch ports dynamically based on device and user identity
- Centralize configuration management and monitoring from the cloud
- Implement a resilient network policy solution designed for High Availability.
Business Requirements
Business requirements are equally crucial:
- Prevent unauthorized access to the network
- Simplify and secure network access for IoT clients
- Provide a consistent network experience for users traveling between sites, whether connected over Wi-Fi or docked at a hoteling station.
- Reduce deployment timelines, complexity, and cost
- Provide easy guest access for visitors
- Provide appropriate access for contractors
- Improve the time to resolve authentication issues.
Together, these technical and business requirements form the foundation of the new ClearPass solution, ensuring that it is robust, user-friendly, and aligned with the organization’s broader operational goals.
Deployment Overview
The selected solution for OWL is ClearPass Policy Manager due to its comprehensive set of flexible features that cater to the organization’s requirements.
ClearPass Cluster
A cluster is a logical connection of any combination of Policy Manager hardware or virtual appliances. Policy Manager appliances can be deployed as dedicated hardware appliances or as virtual machines running on top of VMware vSphere Hypervisor or Microsoft Hyper-V. OWL uses VMware.
Find additional information in the Cluster Configuration Options section of the CPPM User Guide.
Publisher/Subscriber Model
Policy Manager uses a Publisher/Subscriber model to provide multiple-box clustering. Another term for this model is hub and spoke, where the hub corresponds to the Publisher, and the spokes correspond to the Subscribers. For OWL, the design calls for a Publisher and Subscriber in the Roseville data center for this phase with a plan to deploy a second pair of servers, configured as Subscribers, in an offsite data center to support branch locations.
- The Publisher server acts as the conductor of the cluster. It is the central point of configuration, monitoring, and reporting, as well as database replication. The Publisher manages all databases.
- This model includes one active Publisher with a potentially unlimited number of Subscribers.
- The Publisher server has full read/write access to the configuration database. All configuration changes must be made on the Publisher, which then sends them to each Subscriber server.
- The Subscriber servers are worker servers that handle the AAA load: all RADIUS requests and policy decisions.
- Each Subscriber server maintains a local, read-only copy of the configuration database.
Authentication Logic
The policy solution aims to provide secure network access and a smooth authentication process for users, regardless of whether they are using a mobile device or working at their desks. Each time a device tries to connect to the network, through a wired or wireless connection, it is assigned the appropriate level of access based on a predetermined set of rules configured in ClearPass. The rules for each user role are set up in Aruba Central and applied to both the Aruba CX switches and the mobility gateways.
Wireless 802.1X Authentication
The flowchart below shows a high-level representation of the expected authentication logic used when a client device attempts to connect to OWL’s new CorpNet SSID.
Wired 802.1X and MAC Authentication
The flowcharts below illustrate the authentication logic to expect when a client device is connected to a port configured for 802.1X and MAC authentication.
Wired 802.1X Authentication Flowchart
Wired MAC Authentication Flowchart
Deployment Overview
CPPM implementation is carried out in phases to help IT continue monitoring, administering, and supporting client access while also mitigating the risk of network service outages.
Deployment Outline
The outline below presents the high-level process used to deploy ClearPass Policy Manager for the reference customer OWL.
Note that ClearPass is a versatile solution with many capabilities beyond the scope of this document. This deployment example serves as a guide for understanding the requirements for implementing CPPM.
Preparing for ClearPass Deployment
- Licensing
  - License gathering and activation
  - Software download
- Infrastructure information gathering
  - From the network administrator:
    - Authentication servers, network devices, groups, and external authentication sources
  - For the VM server administrator:
    - ESXi virtual appliance software and requirements
  - From the VM server administrator:
    - Console access information
  - For the network administrator:
    - Network ports to permit and IP helper addresses
  - From the network administrator:
    - Client device information gathering
    - User role/CPPM role and VLAN information
Appliances and Cluster Configuration
- Appliance configuration
  - Add/activate licenses with the System Configuration Wizard
- Cluster configuration
  - Add Subscribers, configure virtual IP addresses, join the domain, enable Insight, and update the cluster software
- Configure certificates
  - Create a Certificate Signing Request (CSR) and import certificates
Client Authentication Services Configuration
- Configure common components
  - Add AD authentication sources, network devices, and device groups
- Configure the wireless 802.1X authentication service
- Configure the wired 802.1X authentication service
- Configure the wired MAC authentication service
- Configure the switch in Aruba Central
- Organize services
- Configure the wired client
- Validate authentication
In Scope for the Project (Not this Guide)
The last part of the outline lists steps required to implement ClearPass for the reference customer. Following these deployment steps provides the information necessary to fulfill the remainder of this NAC implementation process.
Pilot Deployment
Pilot IDF Rollout
- Select an IDF, floor, or group of switchports for the pilot phase.
- Communicate rollout schedule and expectations to stakeholders.
Pilot Deployment and Monitoring
- Configure pilot switches in Aruba Central.
- Monitor system performance and record user feedback.
- Adjust configuration based on observations and feedback.
Full-Scale Deployment
Production Switches Configuration
- Apply successful pilot configuration to production devices.
- Schedule phased deployment to minimize network disruptions.
Rollout Execution
- Execute the deployment phase on schedule.
- Continuously monitor network performance and security logs.
Staff Training and Documentation
- Train network staff on new configurations and troubleshooting.
- Update network documentation with new settings and policies.
Phased Rollout into Production
Required Equipment
Phase 1
- Enable AAA on port and configure them to fail to open
- Enable monitor mode
Phase 2
- Remove fail to open on the port
- Keep monitor mode
Phase 3
- Remove monitor mode
- Initiate full enforcement
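Before moving from Phase 2 to Phase 3, IT needs to know which pilot endpoints would have been rejected had enforcement been on. The following added example (not part of the Aruba guide or ClearPass) reads a constructed, simplified authentication export and produces that readiness report; it assumes that in monitor mode every 802.1X/MAC attempt still reaches ClearPass and is recorded, and its CSV layout is invented for illustration, not ClearPass's real Access Tracker format.

```python
"""Readiness check before moving a monitor-mode pilot to full enforcement.
Added example, not part of the Aruba guide. Assumptions: in Phases 1 and 2 the
switch still sends every 802.1X/MAC attempt to ClearPass but does not enforce
the result, so the records show what Phase 3 would have done. The export below
is constructed and simplified; it is NOT ClearPass's real Access Tracker format.
"""
import csv
import io
from collections import Counter

# Constructed sample: one pilot IDF, two switches, four endpoints.
SAMPLE_EXPORT = """\
timestamp,switch,port,mac,method,outcome,role
2024-03-04T08:01:02,idf1-sw1,1/1/5,aa:bb:cc:00:00:01,802.1X,ACCEPT,employee
2024-03-04T08:01:09,idf1-sw1,1/1/6,aa:bb:cc:00:00:02,802.1X,REJECT,
2024-03-04T08:01:10,idf1-sw1,1/1/6,aa:bb:cc:00:00:02,MAC,ACCEPT,ip-phone
2024-03-04T08:02:30,idf1-sw1,1/1/7,aa:bb:cc:00:00:03,MAC,REJECT,
2024-03-04T08:03:00,idf1-sw2,1/1/2,aa:bb:cc:00:00:04,802.1X,TIMEOUT,
2024-03-04T08:03:05,idf1-sw2,1/1/2,aa:bb:cc:00:00:04,802.1X,ACCEPT,employee
"""

def parse_export(text):
    return list(csv.DictReader(io.StringIO(text)))

def endpoint_outcomes(records):
    """One verdict per MAC: an endpoint accepted by any method (e.g. 802.1X
    failed but MAC auth accepted it as an IP phone) keeps its role; only an
    endpoint with no ACCEPT at all would be rejected under full enforcement."""
    by_mac = {}
    for r in records:
        e = by_mac.setdefault(r["mac"], {"switch": r["switch"], "port": r["port"],
                                         "accepted": False, "role": "", "rejects": 0})
        if r["outcome"] == "ACCEPT":
            e["accepted"], e["role"] = True, r["role"]
        elif r["outcome"] == "REJECT":
            e["rejects"] += 1
    return by_mac

def readiness_report(records):
    outcomes = endpoint_outcomes(records)
    denied = sorted((e["switch"], e["port"], mac)
                    for mac, e in outcomes.items() if not e["accepted"])
    # TIMEOUT = ClearPass did not answer. Phase 1 fail-open masks it; once
    # fail-open is removed it becomes a denial, so it should be zero first.
    timeouts = sum(1 for r in records if r["outcome"] == "TIMEOUT")
    return {
        "would_be_denied": denied,
        "denied_by_switch": dict(Counter(s for s, _, _ in denied)),
        "radius_timeouts": timeouts,
        "ready_for_phase3": not denied and timeouts == 0,
    }
```

Run it against the real pilot data once a real export has been mapped onto the same columns; every entry in `would_be_denied` is a port to visit or a ClearPass rule to adjust before Phase 3.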
Key Terms
ClearPass
The guide assumes completion of foundational ClearPass training and familiarity with the following related terms.
Hardware
- Servers
  - ClearPass
    - Cluster
    - Publisher
    - Subscriber
  - Microsoft Active Directory
    - Domain Controller (DC)
    - Domain Name Services (DNS)
    - Dynamic Host Configuration Protocol (DHCP)
    - Certificate Authority (CA)
  - ClearPass
- Authenticators
  - Gateway
  - Switch
  - Access Point (AP)
- Supplicants
  - Laptop
  - Printer
  - Desktop
  - IP Phone
  - Mobile Device
Software
Configuration
- AAA
  - VLAN
  - DHCP relay/IP helper
  - User roles
  - Redundancy
  - Virtual IP
  - CoA
- MAC authentication
- Web authentication
- 802.1X
- Identity store