One thing that gives the Aruba Networks ClearPass Policy Manager (CPPM) its power is also one of its most misunderstood features: Enforcement. Remember those word problems in math that you hated? Well, they are back. Really, it is not as bad as that, but if you think of Enforcement in a similar way you will be better off.
As a trainer I find that the students with programming experience seem to get the process of Enforcement. It boils down to something like ‘if – then’ statements. Remember, CPPM's job is to control access to network devices. It does this by gathering information about the client, the user and the network, and then making decisions. Well, actually it does none of this on its own. You have to build all of the logic. That logic is called ‘Enforcement’.
The key to Enforcement is to define an access flow and then implement that flow logically. Let's look at a few examples:
- The company wants to implement simple 802.1x authentication for the wireless network and assign different VLANs and user roles to users based on what department they work for.
- The company wants to support users on wired and wireless networks with 802.1x authentication, but for simplicity's sake they want to use Wi-Fi printers on the same wireless network.
- The company has a manufacturing and warehouse facility with a wireless network. This network hosts a combination of barcode scanners, thermal printers, manufacturing stations, Wi-Fi cameras and guest users, but network audits show that the guest users are impacting the production functions, so they need to be controlled.
I hope the first thing you noticed is that nothing listed above is complete enough to implement. In truth, Enforcement cannot exist in a vacuum; it is a key element in a system, but only a part. Let's break down what I am talking about. Enforcement in CPPM has two parts: there are the Enforcement Policies that make up the logic, and the Enforcement Profiles that define the actions. In short, the policies define the way the profiles will be applied.
I tend to look at design inside out. I start with the end result in mind but jump into the center of the process, and this seems to work with CPPM Enforcement. Knowing that under certain conditions I need to apply certain controls to a client allows me to break Enforcement down into three areas.
- What actions do I need to take to achieve the result?
- What information do I need to gather to make my decision?
- What are my logic paths to support the result?
The first item in the list is about how I can apply the desired controls. This requires that you understand the capabilities of your network access devices. Different devices can accomplish different things, and each is implemented differently. The Aruba Networks controller has a full-blown application-based firewall that can be used to control user traffic; other devices can simply flip a client into a different VLAN and rely on other devices to control the user somewhere upstream.
Second, you need to be able to identify which of the information that CPPM gathers is important. CPPM can ingest information from Active Directory, the network access device, and many other sources. In truth, it can become information overload really quickly, but not all of it is relevant to the decision.
And the last part is about the logic implementation. Let's look again at the first of the scenarios above.
- The company that wants to implement simple 802.1x authentication based on Active Directory accounts, and that has Aruba Networks controllers, can very easily implement Enforcement.
- On the controller, define the desired user roles and user VLANs:
  - Engineering and VLAN 100
  - Sales and VLAN 200
  - Customer_Service and VLAN 3002
- Build the Enforcement Profiles in CPPM.
- Determine what information about the user/client can be evaluated in order to make the decision:
  - Each user has a corporate AD account
  - Each user’s department is designated in the attribute ‘department’
- Finally, what is the logic to implement the result?
  - If AD:department = Engineering, return ‘aruba-user-role = Engineering’ and ‘aruba-user-vlan = 100’
  - If AD:department = Sales, return ‘aruba-user-role = Sales’ and ‘aruba-user-vlan = 200’
  - If AD:department = Customer Service, return ‘aruba-user-role = Customer_service’ and ‘aruba-user-vlan = 300’
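To make the policy/profile split concrete, here is an added Python model of the logic above. It is an illustration written for this post's scenario, not ClearPass code and not any ClearPass API. The class names, the `first_match` option (modelled on the choice between acting on the first matching rule or on all matching rules), the deny-access default, and the request dictionaries are all assumptions; the department values and attribute names are taken from the list above, with the VLAN numbers as given in the logic lines.

```python
"""Added model of ClearPass-style Enforcement (illustration only, not
ClearPass code). Enforcement Profiles hold the actions (attributes
returned to the network access device); an Enforcement Policy holds the
logic (ordered if/then rules plus a default profile). Class, profile and
attribute-key names are assumptions; request dictionaries are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EnforcementProfile:
    """The action: attributes handed back to the controller."""
    name: str
    attributes: dict = field(default_factory=dict)


@dataclass
class Rule:
    """One 'if ... then' line. Every condition must hold (logical AND)."""
    conditions: dict          # e.g. {"AD:department": "Engineering"}
    profiles: tuple           # profiles applied when the rule matches

    def matches(self, request: dict) -> bool:
        # Exact, case-sensitive comparison: "Customer Service" != "customer service".
        # A rule with no conditions matches every request (catch-all).
        return all(request.get(k) == v for k, v in self.conditions.items())


@dataclass
class EnforcementPolicy:
    """The logic: rules evaluated in order, a default profile when none match."""
    rules: list
    default: EnforcementProfile
    first_match: bool = True  # assumed option: act on first match vs. merge all matches

    def evaluate(self, request: dict) -> dict:
        matched = [r for r in self.rules if r.matches(request)]
        if not matched:
            return dict(self.default.attributes)
        if self.first_match:
            matched = matched[:1]
        result = {}
        for rule in matched:
            for profile in rule.profiles:
                result.update(profile.attributes)  # later profiles override earlier ones
        return result


# One role profile and one VLAN profile per department, so a profile can be
# reused by more than one rule (profile names are constructed).
def role(name):
    return EnforcementProfile(f"Role-{name}", {"aruba-user-role": name})


def vlan(vid):
    return EnforcementProfile(f"VLAN-{vid}", {"aruba-user-vlan": vid})


# Assumed default: reject when the department is unknown, rather than
# dropping the user into some unintended role or VLAN.
DENY_ACCESS = EnforcementProfile("Deny-Access", {"action": "reject"})

CORPORATE_WIFI_POLICY = EnforcementPolicy(
    rules=[
        Rule({"AD:department": "Engineering"},      (role("Engineering"), vlan(100))),
        Rule({"AD:department": "Sales"},            (role("Sales"), vlan(200))),
        Rule({"AD:department": "Customer Service"}, (role("Customer_service"), vlan(300))),
    ],
    default=DENY_ACCESS,
)


def decide(request: dict) -> dict:
    """Attributes the policy returns for a (constructed) request."""
    return CORPORATE_WIFI_POLICY.evaluate(request)


if __name__ == "__main__":
    for dept in ("Engineering", "Customer Service", "Facilities", "sales"):
        print(dept, "->", decide({"AD:department": dept}))
```

Two things in this model are the ones that bite in practice: the default profile, which decides what happens to a user whose department value matches no rule, and the exact-match comparison, which means a department spelled or capitalised differently in AD than in the rule lands on that default.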
Granted this is a simple example but it does give a good start into what needs to be considered when building Enforcement in ClearPass Policy Manager. Stay tuned for more advanced examples in future posts.