Integrated ClearPass Authentication and Enforcement Overview
SRX Series and NFX Series devices integrate with Aruba ClearPass to control network access at the user level, based on usernames or the groups that users belong to, rather than on the IP address of the device alone.
Understanding the Integrated ClearPass Authentication and Enforcement Feature
This topic introduces the integrated ClearPass authentication and enforcement feature in which the device and Aruba ClearPass collaborate to protect your network resources by enforcing security at the user identity level and controlling user access to the Internet. The ClearPass Policy Manager (CPPM) can authenticate users across wired, wireless, and VPN infrastructures. The integrated ClearPass feature allows the CPPM and the device to collaborate in multiple environments in which they are deployed together.
Why You Need to Protect Your Environment With the Integrated ClearPass Authentication and Enforcement Feature
The proliferation of mobile devices and cloud services has made securing them a fundamental part of enterprise cybersecurity. Company smartphones are among the biggest IT security risks that businesses face. The integrated ClearPass feature helps protect against intrusions that arrive through mobile devices and through users who connect several devices at the same time.
In a work environment that supports mobile devices, knowing the identity of the user whose device is associated with an attack or threat gives IT administrators a clear advantage in identifying the source of the attack and in stopping later attacks that follow the same pattern.
Attackers who gain access to company-owned mobile devices can install malware on them and use it to capture data at any time. Whether for reconnaissance or for direct damage, attacks against network resources are commonplace in today's computing environment. Attackers gather information, disrupt business activity, and steal sensitive corporate data.
Today’s network environments are more open to attacks of various kinds because they support anywhere, anytime, any device access, to a greater or lesser degree, and they allow a user to use multiple concurrently network-connected devices.
The integrated ClearPass authentication and enforcement feature helps protect you against attacks and intrusions by letting you configure security policies that identify users by their usernames or by the groups that they belong to. The device also identifies threats and attacks against your network environment and reports them to the CPPM, so that as administrator of the CPPM you can adjust your security enforcement to guard against further attacks of the same kind. If a user is logged in to the network with more than one device, you can track their activity by identity rather than only by device, which makes it easier to control their network access and to catch harmful activity carried out from their account, whether intended or not.
How the Integrated ClearPass Authentication and Enforcement Feature Can Protect Your Network Environment
The integrated ClearPass authentication and enforcement feature gives you granular control over user access to protected resources and the Internet at the user level, not just at the level of the device's IP address. As administrator of the device, you can specify in the source-identity parameter of an identity-aware security policy a username or a role (group) name that the CPPM posts to the device. You are no longer restricted to the IP address of the device as the means of identifying the user. Homing in on the user of the device, rather than only the device, gives you finer control over security enforcement.
In addition to providing the SRX Series device with authenticated user information, the CPPM can map a device type to a role and assign users to that role. It then sends that role mapping to the SRX Series device, which allows you to control through security policies a user's access to resources when they are using a specific type of device.
For example, suppose that the administrator of the CPPM configured a role called marketing-company-device and mapped to that role both company-owned devices and members of the Marketing department. As administrator of the device, you could specify that role in a security policy as if it were a group. The security policy would then apply to all users mapped to the role, controlling their network activity whenever they use that type of device.
The integrated ClearPass feature works alongside the screens, IDP, and UTM features to defend your network against a wide range of attack strategies. In addition to protecting the company's network resources, the device can make available to the CPPM the log records that these protective features generate in response to attacks or attack attempts. Knowing about threats and specific attacks that have already occurred helps IT departments identify noncompliant systems and exposed areas of the network. With this information, they can harden their security by enforcing device compliance and strengthening protection of their resources.
SRX Series security policies protect the company's resources and enforce access control at a fine-grained level, using the user authentication and identity information that the CPPM sends to the device. The CPPM acts as the authentication source. It can authenticate users with its own internal RADIUS server, or it can rely on an external authentication source, such as an external RADIUS server or Active Directory, to perform the authentication for it.
CPPM authentication is triggered by requests from NAS devices such as switches and access controllers. After authenticating a user, the CPPM sends the authenticated user identity and device posture information to the device in HTTP POST requests, using the XML-based RESTful Web service that the device exposes to it. Because the device trusts the identity information it receives on this interface, the interface should be reachable only from the CPPM, require authentication, and be carried over HTTPS; otherwise a spoofed POST could bind an attacker's IP address to a privileged user or role.
The device and Aruba ClearPass simplify the complex and complicated security tasks required to safeguard company resources and enforce Internet access policy for mobile devices. This security is essential in a network environment that supports the mobile experience and that gives the user latitude to use a wide range of devices, including their own systems, smartphones, and tablets.
Starting with Junos OS Release 15.1X49-D130, the SRX Series device supports IPv6 addresses associated with source identities in security policies. If an IPv4 or IPv6 authentication entry exists for the source address of the traffic, the policies that match that entry are applied to the traffic and access is allowed or denied accordingly.
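The following Python model is an added example, not Juniper or Aruba code, of the identity-aware matching described above and of the IPv6 support noted for Junos OS Release 15.1X49-D130: a flow is matched against a policy's source-identity by the username or role bound to its source address, whether IPv4 or IPv6, rather than by the address itself. The authentication table and the policies are constructed sample data, the field and policy names are invented for the example, and the special values any and unknown-user are assumptions used here to show the unauthenticated case.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Identity:
    """Identity bound to a source address, as a ClearPass-style source would post it."""
    user: str
    roles: frozenset


# Constructed authentication table (sample data, not a real device's):
# source IP address -> identity posted by the CPPM. Note that the same user,
# alice, appears on a company device (IPv4) and on a BYOD device (IPv6) with
# different roles, because the CPPM maps device type to a role.
AUTH_TABLE = {
    ip_address("10.1.1.25"): Identity("alice", frozenset({"marketing-company-device"})),
    ip_address("10.1.1.26"): Identity("bob", frozenset({"engineering"})),
    ip_address("2001:db8:1::7"): Identity("alice", frozenset({"marketing-byod"})),
}


@dataclass(frozen=True)
class Policy:
    name: str
    source_identity: frozenset  # usernames, role names, or a special value (assumed below)
    action: str                 # "permit" or "deny"


# Special source-identity values assumed for this example: "any" matches every
# flow, "unknown-user" matches a source address with no authentication entry.
POLICIES = [
    Policy("marketing-on-company-device", frozenset({"marketing-company-device"}), "permit"),
    Policy("bob-by-name", frozenset({"bob"}), "permit"),
    Policy("no-identity-to-captive-portal", frozenset({"unknown-user"}), "deny"),
    Policy("default-deny", frozenset({"any"}), "deny"),
]


def lookup(src_ip: str) -> Optional[Identity]:
    """Return the identity bound to src_ip (IPv4 or IPv6), or None if there is no entry."""
    return AUTH_TABLE.get(ip_address(src_ip))


def first_match(policies, src_ip: str) -> Policy:
    """Ordered evaluation: the first policy whose source-identity covers the flow wins."""
    ident = lookup(src_ip)
    for p in policies:
        if "any" in p.source_identity:
            return p
        if ident is None:
            if "unknown-user" in p.source_identity:
                return p
            continue
        # A policy matches on the username or on any role the user is mapped to.
        if ident.user in p.source_identity or ident.roles & p.source_identity:
            return p
    raise LookupError("no policy matched; place a catch-all policy last")


def decide(src_ip: str) -> tuple:
    p = first_match(POLICIES, src_ip)
    return p.name, p.action


if __name__ == "__main__":
    for ip in ("10.1.1.25", "2001:db8:1::7", "10.1.1.26", "10.1.1.99"):
        print(ip, "->", decide(ip))
```

The point of the two alice entries is the role example above: the permit applies to alice only while she is on a device mapped to marketing-company-device; from her BYOD device she falls through to the catch-all deny even though the username is the same.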
Understanding the Invalid Authentication Table Entry Timeout Setting
Timeout Setting for Invalid Authentication Entries
Starting in Junos OS Release 15.1X49-D100, for SRX Series devices and vSRX, you can protect invalid user authentication entries in an authentication table from expiring before the user can be validated by configuring a timeout setting that is specific to invalid entries. The invalid authentication entry timeout setting is separate from the common authentication entry timeout setting that is applied to valid entries.
Authentication entries in both the Windows Active Directory authentication table and the ClearPass authentication table contain a timeout value after which the entry expires. Prior to introduction of this feature, a single, common timeout setting was applied to valid and invalid authentication entries. That is, if an invalid authentication entry was created in either of these tables, the current setting of the common timeout for the table—which applied to all of the table’s entries—was applied to it.
For both the Active Directory authentication table and the ClearPass authentication table, the invalid entry could expire before the user’s identity could be validated. Here is what could cause that event to occur in each case:
For Windows Active Directory, the device probes an unauthenticated user's device for user identity information based on the IP address of the device. It is not uncommon for this WMI probe to fail because it is triggered before the user logs in. After an unsuccessful probe, the system generates an entry in the authentication table with an INVALID state for the IP address of the device. If you configured a value for the invalid entry timeout setting, that timeout is applied to the entry. If you did not configure a value for the invalid entry timeout setting, its default timeout of 30 minutes is applied.
Starting in Junos OS Release 17.4R1, the integrated user firewall supports IPv6 device addresses in the Windows Active Directory authentication table. Prior to Junos OS Release 17.4R1, only IPv4 addresses were supported.
For the ClearPass feature, if an unauthenticated user attempts to join the network and there is no authentication entry for the IP address of the user's device in the Packet Forwarding Engine, the device queries Aruba ClearPass for the user's information. If the query is unsuccessful, the system generates an INVALID authentication entry for the user. If you configured a value for the invalid entry timeout setting, that timeout is applied to the entry. If you did not configure the invalid entry timeout, its default timeout of 30 minutes is applied to the new entry.
The invalid entry timeout is also applied to entries whose state is changed from valid or pending to INVALID.
You configure the timeout setting for invalid authentication entries in the Windows Active Directory authentication table and in the ClearPass authentication table separately. If you do not configure a timeout setting, the default invalid authentication entry timeout of 30 minutes is applied. The way the timeout value is applied, and its effect on existing entries, differs between these two authentication sources.
How the Invalid Authentication Entry Timeout Works for Windows Active Directory
Use the following command to configure the invalid authentication entry timeout setting for entries in the Windows Active Directory authentication table. In this example, the invalid authentication entry timeout value is set to 40 minutes. That timeout value is applied to new invalid entries.
The new timeout value is also applied to existing invalid entries, but relative to the timeout already assigned to them and to how much of it has elapsed. Suppose that the authentication table contains existing invalid entries to which an invalid authentication entry timeout setting, or the default, was previously applied. For these entries, the time that has already elapsed since the original timeout value was applied and the new timeout setting together determine the timeout that remains for the entry.
As Table 1 shows, in some cases the resulting timeout is extended, in some cases it is shortened, and in some cases the new value has already been used up, so the timeout expires and the invalid authentication entry to which it applies is deleted.
Table 1: How New Invalid Authentication Entry Timeout Settings Affect Timeout Settings for Existing Invalid Entries in the Active Directory Authentication Table
Columns: Original Invalid Entry Timeout Setting for Existing Entry; New Invalid Entry Timeout Configuration Setting; Resulting Timeout Setting for Existing Invalid Entry.
One of the possible results listed in the table: Timeout expired and entry is removed from the authentication table.
An invalid entry created after the change is subject to the same rules, with the same range of results, if the invalid entry timeout value is changed again later.
How the Invalid Authentication Entry Timeout Works for SRX Series and NFX Series Aruba ClearPass
Use the following command to configure the invalid authentication entry timeout for entries in the ClearPass authentication table. In this example, invalid authentication entries in the ClearPass authentication table expire 22 minutes after they are created.
When you initially configure the invalid authentication entry timeout value for ClearPass, it is applied to any invalid authentication entries that are generated after it was configured. However, all existing invalid authentication entries retain the default timeout of 30 minutes.
If you do not configure the invalid authentication entry timeout setting, the default timeout of 30 minutes is applied to all invalid authentication entries.
If you configure the invalid authentication entry timeout setting and delete it later, the default value is applied to new invalid authentication entries generated after the deletion. However, any existing invalid authentication entries to which a configured value had been applied previously retain that value.
If you change the setting for the invalid authentication entry timeout value, the new value is applied to all invalid authentication entries that were created after the value was changed. However, all existing invalid authentication entries retain the former invalid authentication entry timeout setting applied to them. Those entries to which the default value of 30 minutes had been applied previously retain that setting.
When the pending or valid state of an entry is changed to invalid, the invalid authentication entry timeout setting is applied to it.
When the state of an invalid authentication entry is changed to pending or valid, the invalid authentication entry timeout setting no longer applies to it. The common authentication entry timeout value is applied to it instead.
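The following Python model is an added example, not Juniper code, of the two timeout behaviors described above for the Active Directory table and for the ClearPass table. For the Active Directory table it applies the changed invalid entry timeout to existing invalid entries measured from when their timeout was originally applied, which is our reading of Table 1 and is stated here as an assumption; for the ClearPass table, existing invalid entries keep the timeout that was applied to them and only new entries, and entries whose state changes, receive the current value. The entries, the minute timestamps, and the 60-minute common timeout are constructed for the example; the class and method names are not the device's.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_INVALID_TIMEOUT = 30   # minutes, the default named in the text above
COMMON_TIMEOUT = 60            # assumed common timeout for valid and pending entries


@dataclass
class Entry:
    ip: str
    state: str        # "valid", "pending" or "invalid"
    applied_at: int   # minute at which the current timeout was applied to the entry
    timeout: int      # minutes; the entry expires at applied_at + timeout

    @property
    def expires_at(self) -> int:
        return self.applied_at + self.timeout


class AuthTable:
    """Authentication table for one source: 'active-directory' or 'aruba-clearpass'."""

    def __init__(self, source: str) -> None:
        assert source in ("active-directory", "aruba-clearpass")
        self.source = source
        self.invalid_timeout: Optional[int] = None   # None = setting not configured
        self.entries: dict = {}

    def effective_invalid_timeout(self) -> int:
        return DEFAULT_INVALID_TIMEOUT if self.invalid_timeout is None else self.invalid_timeout

    def add(self, ip: str, state: str, now: int) -> Entry:
        """A new INVALID entry gets the invalid timeout; other states get the common timeout."""
        timeout = self.effective_invalid_timeout() if state == "invalid" else COMMON_TIMEOUT
        self.entries[ip] = Entry(ip, state, now, timeout)
        return self.entries[ip]

    def set_state(self, ip: str, new_state: str, now: int) -> Entry:
        """Crossing into or out of INVALID switches which timeout applies, from now."""
        e = self.entries[ip]
        if new_state == "invalid" and e.state != "invalid":
            e.applied_at, e.timeout = now, self.effective_invalid_timeout()
        elif new_state != "invalid" and e.state == "invalid":
            e.applied_at, e.timeout = now, COMMON_TIMEOUT
        e.state = new_state
        return e

    def configure_invalid_timeout(self, minutes: Optional[int], now: int) -> list:
        """Set the invalid entry timeout (None deletes it). Returns IPs of entries removed."""
        self.invalid_timeout = minutes
        if self.source == "aruba-clearpass":
            return []   # existing invalid entries keep the timeout already applied to them
        # Active Directory (assumed reading of Table 1): the new value replaces the
        # timeout of each existing invalid entry, still counted from applied_at, so the
        # remaining time can grow, shrink, or already be used up (entry removed).
        new_timeout = self.effective_invalid_timeout()
        removed = []
        for ip, e in list(self.entries.items()):
            if e.state != "invalid":
                continue
            e.timeout = new_timeout
            if e.expires_at <= now:
                removed.append(ip)
                del self.entries[ip]
        return removed

    def purge_expired(self, now: int) -> list:
        expired = [ip for ip, e in self.entries.items() if e.expires_at <= now]
        for ip in expired:
            del self.entries[ip]
        return expired


def demo() -> dict:
    """Walk through the cases described in the text; values are expiry minutes."""
    cp = AuthTable("aruba-clearpass")
    cp.add("10.1.1.50", "invalid", now=0)            # default 30 -> expires at 30
    cp.configure_invalid_timeout(22, now=5)
    cp.add("10.1.1.51", "invalid", now=5)            # configured 22 -> expires at 27
    cp.configure_invalid_timeout(None, now=10)       # setting deleted: default again
    cp.add("10.1.1.52", "invalid", now=10)           # default 30 -> expires at 40
    cp.add("10.1.1.53", "invalid", now=10)
    cp.set_state("10.1.1.53", "valid", now=12)       # invalid -> valid: common timeout, 72

    ad = AuthTable("active-directory")
    ad.add("10.2.2.10", "invalid", now=0)            # default 30 -> expires at 30
    ad.configure_invalid_timeout(40, now=5)          # extended: expires at 40
    extended = ad.entries["10.2.2.10"].expires_at
    ad.configure_invalid_timeout(20, now=5)          # shortened: expires at 20
    shortened = ad.entries["10.2.2.10"].expires_at
    removed = ad.configure_invalid_timeout(4, now=5)  # 0 + 4 <= 5: already expired

    results = {
        "cp_existing_keeps_default": cp.entries["10.1.1.50"].expires_at,
        "cp_new_entry_uses_22": cp.entries["10.1.1.51"].expires_at,
        "cp_after_delete_uses_default": cp.entries["10.1.1.52"].expires_at,
        "cp_invalid_to_valid_uses_common": cp.entries["10.1.1.53"].expires_at,
        "ad_extended": extended,
        "ad_shortened": shortened,
        "ad_removed": removed,
    }
    results["cp_expired_by_27"] = cp.purge_expired(now=27)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The Active Directory branch is the one to watch operationally: lowering the invalid entry timeout on a busy table can delete a batch of existing invalid entries at once, after which the next packet from each of those addresses triggers a fresh probe.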
Table 2 shows how a new invalid entry timeout value affects new and existing invalid entries.
Table 2: How New Invalid Authentication Entry Timeout Settings Affect Timeout Settings for Invalid Entries in the ClearPass Authentication Table
Columns: Invalid Entry Timeout Setting; Initial Invalid Entry Timeout Setting; New Invalid Entry Timeout Configuration Setting; Final Timeout Setting for Existing Invalid Entry.
Rows: New invalid authentication entry; Existing invalid entry timeout (three rows, one per initial setting).