Example: Enforcing Security Policies on NFX Series Using Aruba ClearPass as the Authentication Source
This example covers how to configure security to protect your resources and control access to the internet using the NFX Series device integrated ClearPass authentication and enforcement feature, which relies on the Aruba ClearPass Policy Manager as its authentication source. The NFX Series integrated ClearPass feature allows you to configure security policies that control access to company resources and the Internet by identifying users by username, group name, or the name of a role that ties together a group of users and a device type.
Today’s network environments are more exposed to attacks of various kinds because, to a greater or lesser degree, they support anywhere, anytime, any-device access, and they allow a single user to have several devices connected to the network at the same time. Because it allows you to identify the user by username rather than by device address, the integrated ClearPass authentication and enforcement feature narrows the security gap that these capabilities introduce.
For details on how user authentication and identity information is conveyed from the CPPM to the NFX Series device, see the following topics:
The example covers the following processes:

- How to control access at the user level based on username or group name, not device IP address.

  You can use the source-identity parameter in a security policy to specify the name of a user or the name of a group of users whose authentication is provided by the CPPM. The policy is applied to traffic generated by the users when they attempt to access a protected resource or the Internet, regardless of the device used. The access control is tied to the user’s name, and not directly to the IP address of the user’s device.

  Note: You can configure different security policies for a single user that specify different actions, differentiated by the zones and the destination addresses specified or by a group that the user belongs to.

- How to display and interpret the contents of the ClearPass authentication table.

  The NFX Series device creates the ClearPass authentication table to contain the user authentication and identity information that it receives from the CPPM. The device refers to the table to authenticate a user who requests access to a resource.

  The ClearPass authentication table contents are dynamic. They are modified to reflect user activity in response to various events and also in regard to security policies that reference groups.

  For example, when a user logs in to or out of the network, the ClearPass authentication table is modified, as is the case when a user is removed from a group or when a referenced security policy that specifies a group that the user belongs to is deleted. In the latter case, the user entry no longer shows the user as belonging to that group.

  In this example, the ClearPass authentication table contents are displayed to depict changes made because of two events. The content for the users is displayed:

  - Before and after a specific user logs out of the network
  - Before and after a referenced security policy is deleted

  The entry for the user who belonged to the group referenced by the security policy is displayed before and after the policy is deleted.
Requirements
This section defines the software and hardware requirements for the topology for this example. See Figure 1 for the topology design.
The hardware and software components are:

- Aruba ClearPass. The ClearPass Policy Manager (CPPM) is configured to use its local authentication source to authenticate users.

  Note: It is assumed that the CPPM is configured to provide the NFX Series device with user authentication and identity information, including the username, a list of the names of any groups that the user belongs to, the IP addresses of the devices used, and the device posture token.

- NFX Series device running Junos OS that includes the integrated ClearPass feature.
- A server farm composed of six servers, all in the servers-zone:
  - marketing-server-protected (203.0.113.23)
  - human-resources-server (203.0.113.25)
  - accounting-server (203.0.113.72)
  - public-server (203.0.113.62)
  - corporate-server (203.0.113.71)
  - sales-server (203.0.113.81)
- AC 7010 Aruba Cloud Services Controller running ArubaOS.
- Aruba AP wireless access controller running ArubaOS. The Aruba AP is connected to the AC7010. Wireless users connect to the CPPM through the Aruba AP.
- Juniper Networks EX4300 switch used as the wired 802.1X access device. Wired users connect to the CPPM using the EX4300 switch.
- Six end-user systems:
  - Three wired network-connected PCs running Microsoft OS
  - Two BYOD devices that access the network through the Aruba AP access device
  - One wireless laptop running Microsoft OS
Overview
In its capacity as the authentication source for the integrated ClearPass feature, the CPPM posts to the NFX Series device user authentication and identity information. When it receives this information, the NFX Series UserID daemon processes it and generates entries for the authenticated users in the Routing Engine authentication table and then synchronizes that information to the ClearPass authentication table on the Packet Forwarding Engine side.
The NFX Series device requires the user authentication and identity information to verify that a user is authenticated when the user makes an access request and the traffic generated from the user’s device arrives at the NFX Series device. If a security policy exists that specifies in the source-identity parameter the username or the name of a group that the user belongs to, the NFX Series device searches the contents of its ClearPass authentication table for an entry for that user.
If it does not find an entry for the user in its ClearPass authentication table, the NFX Series device can search its other authentication tables, if you have configured a search order that includes them. See Example: Configuring the NFX Series Integrated ClearPass Feature to Allow the Device to Receive User Authentication Data from ClearPass for information about the authentication table search order.
The integrated ClearPass feature allows you to create identity-aware security policies configured to match traffic issued by users based on their username or the name of a group that they belong to.
You configure role mappings on the CPPM, not on the NFX Series device.
For example, a device type role mapping might tie user identities to company-owned computers. You could specify this role as a group in a security policy configured to apply to all users who are mapped to the rule. In this case, the condition set by the CPPM for the rule (use of a company-owned computer) would apply to all users mapped to the rule. The NFX Series device does not evaluate the conditions itself; it accepts the rule from the CPPM.
The following configurations included in this example cover security policies that are applicable based on the type of device used as defined by the CPPM through rule mappings. It is assumed that the CPPM posted to the NFX Series device the following mapped rules that are used as groups in security policies:
marketing-access-for-pcs-limited-group
Maps jxchan to the device type PC.
The policy that specifies marketing-access-for-pcs-limited-group in its source-identity field allows jxchan, and other users who are mapped to it, access to the marketing-server-protected server using their PC, whether it is company owned or not.
accounting-grp-and-company-device
Maps users who belong to accounting groups using company devices. The CPPM sends the role accounting-grp-and-company-device to the NFX Series device. The mapping is done on the CPPM by role mapping rules.
The policy that specifies accounting-grp-and-company-device in its source identity field allows users who are mapped to the rule to access protected resources on the accounting-server. The group accounting-grp is mapped to the rule. Therefore the mapped rule applies to the members of accounting-grp.
The user viki2 belongs to accounting-grp. If all conditions apply (that is, if viki2 is using a company-owned device and the policy permits access), she is allowed access to the resources on accounting-server. Recall, however, that the NFX Series device does not analyze the rule; it applies the rule to all users whom the CPPM has mapped to it.
guest-device-byod
Maps the guest group to the device type byod, that is, any user-owned device brought to the network.
The policy that specifies guest-device-byod in its source identity field denies users who are mapped to the rule access to all servers in the server zone if they are using smartphones or other user-owned devices. The username guest2 is mapped to this rule by the CPPM.
For all cases, if the users are allowed or denied access according to the security policy conditions, you can assume that the following conditions exist:
The CPPM posted the correct authentication information for the users and groups to the NFX Series device.
The NFX Series device processed the authenticated user information correctly and generated entries for the users and groups in its ClearPass authentication table.
Table 1 summarizes the users, their groups, and the zones to which they belong. All users belong to the default GLOBAL domain.

Table 1: Authenticated User Information for Security Policy Example

| User | Group | Zone |
|---|---|---|
| Abe (abew1) | | marketing-zone |
| John (jxchan) | | marketing-zone |
| Lin (lchen1) | | human-resources-zone |
| Viki (viki2) | | accounting-zone |
| guest1 | | public-zone |
| guest2 | | public-zone |
Topology
Figure 1 shows the topology for this example.

Configuration
This section covers how to configure the NFX Series device to include security policies that match traffic issued by users authenticated by the CPPM.
CLI Quick Configuration
To quickly configure this example, copy the following statements, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the statements into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Configuring Interfaces, Zones, and an Address Book
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
Configure the following interfaces and assign them to zones:

- ge-1/0/3.0 > marketing-zone
- ge-1/0/3.1 > human-resources-zone
- ge-1/0/3.2 > accounting-zone
- ge-1/0/4.0 > public-zone
- ge-1/0/4.1 > servers-zone
Because this example uses logical interfaces, you must configure VLAN tagging.
- Configure interfaces for the NFX Series device:

```
[edit interfaces]
user@host# set ge-1/0/3 vlan-tagging
user@host# set ge-1/0/3.0 vlan-id 300 family inet address 203.0.113.45/24
user@host# set ge-1/0/3.1 vlan-id 310 family inet address 192.0.2.18/24
user@host# set ge-1/0/3.2 vlan-id 320 family inet address 192.0.2.14/24
user@host# set ge-1/0/4 vlan-tagging
user@host# set ge-1/0/4.0 vlan-id 400 family inet address 192.0.2.16/24
user@host# set ge-1/0/4.1 vlan-id 410 family inet address 192.0.2.19/24
```

- Configure zones, assigning each logical interface to the zone listed above (ge-1/0/3.1 to human-resources-zone and ge-1/0/3.2 to accounting-zone):

```
[edit security zones]
user@host# set security-zone marketing-zone interfaces ge-1/0/3.0 host-inbound-traffic system-services all
user@host# set security-zone marketing-zone interfaces ge-1/0/3.0 host-inbound-traffic protocols all
user@host# set security-zone human-resources-zone interfaces ge-1/0/3.1 host-inbound-traffic system-services all
user@host# set security-zone human-resources-zone interfaces ge-1/0/3.1 host-inbound-traffic protocols all
user@host# set security-zone accounting-zone interfaces ge-1/0/3.2 host-inbound-traffic system-services all
user@host# set security-zone accounting-zone interfaces ge-1/0/3.2 host-inbound-traffic protocols all
user@host# set security-zone public-zone interfaces ge-1/0/4.0 host-inbound-traffic system-services all
user@host# set security-zone public-zone interfaces ge-1/0/4.0 host-inbound-traffic protocols all
user@host# set security-zone servers-zone interfaces ge-1/0/4.1 host-inbound-traffic system-services all
user@host# set security-zone servers-zone interfaces ge-1/0/4.1 host-inbound-traffic protocols all
```

- Configure an address book containing the IP addresses of the servers to use as destination addresses in security policies:

```
[edit security address-book servers-zone-addresses]
user@host# set address marketing-server-protected 203.0.113.23
user@host# set address human-resources-server 203.0.113.25
user@host# set address accounting-server 203.0.113.72
user@host# set address corporate-server 203.0.113.71
user@host# set address public-server 203.0.113.91
```

- Attach the servers-zone-addresses address book to servers-zone:

```
[edit security address-book]
user@host# set servers-zone-addresses attach zone servers-zone
```
Results
From configuration mode, confirm your configuration for interfaces by entering the show interfaces command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
From configuration mode, confirm your configuration for zones by entering the show security zones command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
From configuration mode, confirm your configuration for the address book by entering the show security address-book command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
Configuring Identity-Aware Security Policies to Control User Access to Company Resources
Step-by-Step Procedure
This task entails configuring security policies that apply to a user’s access to resources based on username or group name, and not the IP address of the device used.
Note that all users belong to the default GLOBAL domain.
- Configure a security policy that specifies marketing-access-for-pcs-limited-group as the source-identity. It allows the user jxchan, who belongs to this group, access to any of the servers in the servers-zone when he is using a PC, whether it is a personal device or a company-owned device. The username jxchan is mapped by the CPPM to the rule marketing-access-for-pcs-limited-group.

```
[edit security policies]
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p1 match source-address any destination-address any
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p1 match application any
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p1 match source-identity "global\marketing-access-for-pcs-limited-group"
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p1 then permit
```

- Configure a security policy that allows the user abew1 access to the marketing-server-protected server (IP address 203.0.113.23) in the servers-zone regardless of the device that he uses.

```
[edit security policies]
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p2 match source-address any destination-address marketing-server-protected
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p2 match application any
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p2 match source-identity "global\abew1"
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p2 then permit
```

- Configure a security policy that allows the user viki2 access to the accounting-server (IP address 203.0.113.72) in the servers-zone when she is using a company-owned device. The user viki2 belongs to accounting-grp, which is mapped to the company-owned-device rule (accounting-grp-and-company-device) by the CPPM.

```
[edit security policies]
user@host# set from-zone accounting-zone to-zone servers-zone policy acct-cp-device match source-address any destination-address accounting-server
user@host# set from-zone accounting-zone to-zone servers-zone policy acct-cp-device match application any
user@host# set from-zone accounting-zone to-zone servers-zone policy acct-cp-device match source-identity "global\accounting-grp-and-company-device"
user@host# set from-zone accounting-zone to-zone servers-zone policy acct-cp-device then permit
```

- Configure a security policy that allows users who belong to the corporate-limited group limited access to the corporate-server (IP address 203.0.113.71) in the servers-zone when they are initiating a request from the human-resources-zone.

  If the source-address were specified as “any”, the policy would apply to other users who also belong to the corporate-limited group.

```
[edit security policies]
user@host# set from-zone human-resources-zone to-zone servers-zone policy human-resources-p1 match source-address any destination-address corporate-server
user@host# set from-zone human-resources-zone to-zone servers-zone policy human-resources-p1 match application any
user@host# set from-zone human-resources-zone to-zone servers-zone policy human-resources-p1 match source-identity "global\corporate-limited"
user@host# set from-zone human-resources-zone to-zone servers-zone policy human-resources-p1 then permit
```

- Configure a security policy that allows the user abew1 access to the corporate-server (IP address 203.0.113.71) in the servers-zone. The user abew1 belongs to marketing-access-limited-grp, to which the security policy applies.

```
[edit security policies]
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p0 match source-address any destination-address corporate-server
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p0 match application any
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p0 match source-identity "global\marketing-access-limited-grp"
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p0 then permit
```

- Configure a security policy that allows users who belong to the sales-limited-group access to the human-resources-server (IP address 203.0.113.81) when they initiate a request from the marketing-zone. The user jxchan belongs to sales-limited-group.

```
[edit security policies]
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p3 match source-address any destination-address human-resources-server
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p3 match application any
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p3 match source-identity "global\sales-limited-group"
user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p3 then permit
```

- Configure a security policy that allows users who belong to the guest group access to the public-server (IP address 203.0.113.91) in the servers-zone.

```
[edit security policies]
user@host# set from-zone public-zone to-zone servers-zone policy guest-allow-access match source-address any destination-address public-server
user@host# set from-zone public-zone to-zone servers-zone policy guest-allow-access match application any
user@host# set from-zone public-zone to-zone servers-zone policy guest-allow-access match source-identity "global\guest"
user@host# set from-zone public-zone to-zone servers-zone policy guest-allow-access then permit
```

- Configure a security policy that denies users who belong to the guest-device-byod group access to any servers in the servers-zone when they use their own devices.

```
[edit security policies]
user@host# set from-zone public-zone to-zone servers-zone policy guest-deny-access match source-address any destination-address any
user@host# set from-zone public-zone to-zone servers-zone policy guest-deny-access match application any
user@host# set from-zone public-zone to-zone servers-zone policy guest-deny-access match source-identity "global\guest-device-byod"
user@host# set from-zone public-zone to-zone servers-zone policy guest-deny-access then deny
```
Results
From configuration mode, confirm your security policies configuration for integrated ClearPass by entering the show security policies command.
If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
Verification
This section verifies the ClearPass authentication table contents after certain events occur that cause some of its user authentication entries to be modified. It also shows how to ensure that the ClearPass authentication table has been deleted successfully after you issue the delete command. It includes the following parts:
Displaying the ClearPass Authentication Table Contents Before and After an Authenticated User Logs Out of the Network
Purpose
Display the ClearPass authentication table contents when a specific, authenticated user is logged in to the network and after the user logs out.
Action
Enter the show services user-identification authentication-table authentication-source aruba-clearpass command; aruba-clearpass is the name by which the ClearPass authentication table is referenced. Notice that the ClearPass authentication table includes an entry for the user viki2.

```
user@host> show services user-identification authentication-table authentication-source aruba-clearpass
Domain: GLOBAL
Total entries: 6
  Source IP      Username   groups(Ref by policy)            state
  203.0.113.21   viki2      accounting-grp-and-company-dev   Valid
  203.0.113.89   abew1      marketing-access-limited-grp     Valid
  203.0.113.52   jxchan     marketing-access-for-pcs-limit   Valid
  203.0.113.53   lchen1     corporate-limited                Valid
  203.0.113.54   guest1                                      Valid
  203.0.113.55   guest2                                      Valid
```

Enter the same command again after viki2 logs out of the network. Notice that the ClearPass authentication table no longer contains an entry for viki2.

```
user@host> show services user-identification authentication-table authentication-source aruba-clearpass
Domain: GLOBAL
Total entries: 6
  Source IP      Username   groups(Ref by policy)            state
  203.0.113.89   abew1      marketing-access-limited-grp     Valid
  203.0.113.52   jxchan     marketing-access-for-pcs-limit   Valid
  203.0.113.53   lchen1     corporate-limited                Valid
  203.0.113.54   guest1                                      Valid
  203.0.113.55   guest2                                      Valid
```
Displaying the Authentication Table Contents Before and After a Referenced Security Policy Is Deleted
Purpose
Display the ClearPass authentication table entry for a specific user, lchen1, who belongs to a group that is referenced by a security policy. Delete that security policy, then display the entry for that user again.
Action
Enter the show services user-identification authentication-table authentication-source aruba-clearpass user user-name command to display the ClearPass authentication table entry for a specific user, lchen1. Notice that it includes the group corporate-limited.

```
user@host> show services user-identification authentication-table authentication-source aruba-clearpass user lchen1
Domain: GLOBAL
  Source IP      Username   groups(Ref by policy)   state
  203.0.113.53   lchen1     corporate-limited       Valid
```

The human-resources-p1 security policy source-identity field refers to the group corporate-limited. As shown above in his ClearPass authentication entry, the user lchen1 belongs to that group. Here is the configuration for the human-resources-p1 referenced security policy:

```
from-zone human-resources-zone to-zone servers-zone {
    policy human-resources-p1 {
        match {
            source-address any;
            destination-address corporate-server;
            application any;
            source-identity "global\corporate-limited";
        }
        then {
            permit;
        }
    }
}
```

After you delete the human-resources-p1 security policy, whose source-identity parameter refers to the group called corporate-limited, enter the same command again. Notice that the authentication entry for lchen1 no longer contains the corporate-limited group.

```
user@host> show services user-identification authentication-table authentication-source aruba-clearpass user lchen1
Domain: GLOBAL
  Source IP      Username   groups(Ref by policy)   state
  203.0.113.53   lchen1                             Valid
```

Take a different approach to verifying the ClearPass authentication table state after the modification. Display the entire table to verify that the group corporate-limited is not included in any of the user entries. Note that if more than one user belonged to the corporate-limited group, the authentication entries for all of the affected users would no longer show that group name.

From operational mode, enter the show services user-identification authentication-table authentication-source aruba-clearpass command.

```
user@host> show services user-identification authentication-table authentication-source aruba-clearpass
Domain: GLOBAL
Total entries: 6
  Source IP      Username   groups(Ref by policy)            state
  203.0.113.21   viki2      accounting-grp-and-company-dev   Valid
  203.0.113.89   abew1      marketing-access-limited-grp     Valid
  203.0.113.52   jxchan     marketing-access-for-pcs-limit   Valid
  203.0.113.53   lchen1                                      Valid
  203.0.113.54   guest1                                      Valid
  203.0.113.55   guest2                                      Valid
```
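Comparing two captures of the table by eye works for six users but not for a production table, and the two events verified above (a user logging out, a referenced policy being deleted) leave different fingerprints: a missing row versus a row whose groups column has emptied. The following Python script is an added example, not Juniper code; it parses the column layout shown in the captures above (Source IP, Username, groups, state), diffs a before and an after capture, and checks that the printed Total entries header agrees with the rows actually listed. It assumes group names contain no whitespace; the sample captures embedded in it are constructed from the output shown on this page, with the header count made consistent with the rows.

```python
"""Parse and diff captures of 'show services user-identification
authentication-table authentication-source aruba-clearpass'.
Added example, not Juniper code. Assumes whitespace-free group names."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    source_ip: str
    username: str
    groups: Tuple[str, ...]   # groups referenced by some security policy
    state: str


HEADER_RE = re.compile(r"^\s*Source IP\s+Username\s+groups")
TOTAL_RE = re.compile(r"^\s*Total entries:\s*(\d+)")


def parse_auth_table(text: str) -> Tuple[Dict[str, Entry], Optional[int]]:
    """Return (entries keyed by username, declared 'Total entries' or None)."""
    entries: Dict[str, Entry] = {}
    declared: Optional[int] = None
    in_body = False
    for line in text.splitlines():
        if not in_body:
            m = TOTAL_RE.match(line)
            if m:
                declared = int(m.group(1))
            if HEADER_RE.match(line):
                in_body = True
            continue
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"unexpected row: {line!r}")
        ip, user, state = fields[0], fields[1], fields[-1]
        groups = tuple(fields[2:-1])       # empty when the groups column is blank
        entries[user] = Entry(ip, user, groups, state)
    return entries, declared


def diff_auth_tables(before: Dict[str, Entry], after: Dict[str, Entry]) -> dict:
    """Report users that disappeared and groups that dropped out of an entry."""
    removed = sorted(set(before) - set(after))
    groups_lost: Dict[str, List[str]] = {}
    for user, old in before.items():
        new = after.get(user)
        if new is None:
            continue
        lost = sorted(set(old.groups) - set(new.groups))
        if lost:
            groups_lost[user] = lost
    return {"removed_users": removed, "groups_lost": groups_lost}


def total_matches(text: str) -> bool:
    """Sanity check: the 'Total entries' header agrees with the rows printed."""
    entries, declared = parse_auth_table(text)
    return declared is None or declared == len(entries)


# Constructed sample captures, modelled on the output shown on this page.
BEFORE = """Domain: GLOBAL
Total entries: 6
  Source IP      Username   groups(Ref by policy)            state
  203.0.113.21   viki2      accounting-grp-and-company-dev   Valid
  203.0.113.89   abew1      marketing-access-limited-grp     Valid
  203.0.113.52   jxchan     marketing-access-for-pcs-limit   Valid
  203.0.113.53   lchen1     corporate-limited                Valid
  203.0.113.54   guest1                                      Valid
  203.0.113.55   guest2                                      Valid
"""
AFTER_LOGOUT = "\n".join(l for l in BEFORE.splitlines() if "viki2" not in l) \
    .replace("Total entries: 6", "Total entries: 5") + "\n"
AFTER_POLICY_DELETE = BEFORE.replace("lchen1     corporate-limited               ",
                                     "lchen1                                    ")


if __name__ == "__main__":
    before, _ = parse_auth_table(BEFORE)
    print(diff_auth_tables(before, parse_auth_table(AFTER_LOGOUT)[0]))
    print(diff_auth_tables(before, parse_auth_table(AFTER_POLICY_DELETE)[0]))
    print("header consistent:", total_matches(BEFORE))
```

Run against real captures, a non-empty removed_users list after a policy change (rather than after a logout) or a header count that disagrees with the rows is worth investigating before trusting that the policies still apply to the users you expect.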