ClearPass Exchange allows customers to integrate ClearPass with third-party applications like firewalls, mobile device management (MDM) solutions, and SIEM reporting tools via APIs and syslog messages. This sharing of user and device context across different systems improves visibility and security. The API explorer makes it easy for developers to test out and understand ClearPass APIs to build their own integrations. Future plans include additional Exchange integrations and capabilities.

1. #ATM16
ClearPass
Exchange
Gary Jenkins / Abhijit Das - CSE
@ArubaNetworks |

2. 2
What is ClearPass Exchange?
It is a partner ecosystem based on API’s and Syslog messaging that allows
customers to share context between ClearPass, MDM/EMM, Firewalls,
Wi-Fi equipment, Wired switches, VPN concentrators and other
solutions (SIEM, PMS, Trouble-ticket, etc.).

3. 3
• Included in Base License
• Integrates with virtually any web
based application
• Allows customers to build their own
integrations
• Recipes available on Airheads
Community
• Built-in native integration (over
65 and counting)
• Build-your-own integrations
utilizing HTTP RESTful APIs

4. 4
Examples of 3rd party integrations

5. 5
How does the Exchange process work?

6. 6
Palo Alto Networks Firewall example

7. 7
Twilio example

8. 8
How did ClearPass communicate with
Twilio?

9. 9
Twilio communication

10. 10
Twilio communication

11. 11
Twilio Actions

12. 12
How did we get the visitor’s phone #?

13. 13
From the Guest database!

14. 14
When do the 3rd party applications update?

15. 15
It happens in post-authentication

16. 16#ATM16
Enforcement Points
[Firewalls] PANW, CheckPoint, FortiNet, Intel
MLC, Juniper SRX, iboss
@ArubaNetworks |

17. 17#ATM16@ArubaNetworks |
Enforcement
RADIUS REQUEST
Service Matching
Authentication
Authorization
Role Mapping
RADIUS RESPONSE
HTTP
ENFORCEMENT
RADIUS Accounting
Target: Checkpoint, Fortinet, Websense, others

18. 18#ATM16@ArubaNetworks |
Firewall Integration
– Today’s challenge is to allow traffic
based upon contextual data such as
username
– Session Notification Enforcement - is
introduced in 6.5.0. Notification of a change
in IP address can now be sent to any external
context server (such as a firewall) by
configuring that server as a generic HTTP
server and adding the appropriate generic
HTTP context server actions. The content of
the payload to be posted by CPPM to the
external server is based on the REST API
defined by the external server for
communication.

19. 19#ATM16@ArubaNetworks |
What ClearPass sees that it can send to the firewall
– When a user authenticates to the wireless or
wired network using ClearPass we gather
information about the user.
• Username
• AD information
• Domain
• IP address and MAC
• Location
• Device Type
• Device OS
Internet
Internal Segment
(include Staff, Student, Teacher, etc)
Existing
Firewall
Next Gen Firewall
ClearPass MS AD
• V-wire inline mode
• Monitoring Internet segment
• Provides application visibility
• Enabled Threat Prevention ,
URL filtering , Wildfire
• User-ID feature
• Standalone mode
• Integrated with Firewall
• Authentication Users (Students)
• 802.1x Authentication for Wi-FI
User
Controller + AP
LAN Switch

20. 20#ATM16@ArubaNetworks |
Event Network Diagram Flow
Internet
Internal Segment
(include Staff, Student, Teacher, etc)
Next Gen Firewall
ClearPass MS AD
Controller + AP
LAN Switch
If a device breaks one of the firewall rules it can signal ClearPass
that will signal back to the wired or wireless network to move the
device to a quarantine network. It can also send a text to them via
twilio and open a helpdesk ticket

21. 21#ATM16
Mobile Client Enforcement
[MDM] MobileIron, AirWatch, BES, JAMF,
Etc., Google Admin Console
@ArubaNetworks |

22. 22#ATM16@ArubaNetworks |
MDM Integration – Google
Admin Console – Create account on External
Server
• Client ID and Client Secret
Manufacturer, Model
– Model, OS version, Serial
Number
Owner
– Display Name
Ownership
– Corporate, Personal
MDM Identifier
– MDM Enabled
Security Status
– Compromised, Blacklist or
Required App Encryption
enabled, Last Check-in

23. 23#ATM16
Reporting
Splunk, ArcSight, Qradar
@ArubaNetworks |

24. 24#ATM16@ArubaNetworks |
ClearPass Splunk App
A rich set of dashboards to visualize and navigate the wealth of information captured by ClearPass.

25. 25#ATM16@ArubaNetworks |
ClearPass Splunk App – Customer Example
“I had to apply a new radius cert, and for all of the corporate devices (windows and mobile) we have ways to
whitelist the radius server certificate in advance, but personal IOS devices detected a cert change and
wouldn’t connect until a user drills into their wifi settings and accept the new cert. Before doing that it just
aborts the authentication attempt as soon as it see the radius server cert doesn’t match what it has cached,
which just shows as a timeout in ClearPass. The trend graph using Splunk gave a pretty cool visual of what
happened when I made that change, and how it diminished as people figured out they weren’t connecting,
drilled in, and accepted the cert. Blue arrow is when I made the change.”

26. 26#ATM16
API Explorer
@ArubaNetworks |

27. 27
What about talking to ClearPass from
another application?

28. 28
We use the RESTful APIs.

29. 29
Example profiles:

30. 30
So, how do we know how to use the APIs?

31. 31
You can actually try it out in the browser
itself by using the API explorer.

32. 32
The API explorer shows you all the functions
that are available:

33. 33
Let’s take a look at the Guest method under
Guest Manager

34. 34
Under Guest, we can
list/add/get/update/replace and delete guests

35. 35
Before we take a look at the list function,
how do we authorize the API call?

36. 36
Let’s take a look at how to use the list

37. 37
Results of the call:

38. 38
Response code and headers of the call:

39. 39
How to use it in a script?

40. 40
What’s coming up next in Exchange?

41. 41
Join Aruba’s Titans of Tomorrow
force in the fight against network
mayhem. Find out what your
IT superpower is.
Share your results with friends
and receive a free superpower
t-shirt.
www.arubatitans.com

42. Thank you
gary.jenkins@hpe.com
abhijit.das@hpe.com