ClearPass Overview
Chuck Jenson – CSE, Network Security
Question of the Day – Week - Month - Year
WHAT IS ON THE
In Today’s Digital Workplace you HAVE to know
Device Visibility
Over 90% of customers do not know how many and what types are on their networks
Connection Options
Customers lack plans for BYOD, IoT, wired, wireless and VPN policies
User Logins
Customers want help with access for guests, staff and management
WHAT HOW WHO
Step One – Visibility
Hundreds of built-in device category profiling fingerprints. All included in base appliance.
Total devices
Fingerprint data
Device types
Who? What & Health?
Where? When?
Step Two – Enforcement with an Adaptive Device/User Policy
How?
Example: Good…
OnConnect for Wired Non-AAA Enforcement
Aruba ClearPass
SNMP Enforcement
Printer VLAN
Infusion Pump VLAN
Existing 802.1X wired/wireless support
No 802.1X
• Built-in device-centric security for all non-AAA ready customers
• Easy to configure on legacy multivendor switches
• Leverages ClearPass profiling for wired/wireless - IoT, laptops, mobile phones.
Example: Better…
MAC Authentication: Authentication Before Access
Aruba ClearPass
Existing Devices with no supplicant wired/wireless support
• MultiVendor and MultiSession support for all devices wired and wireless
• Secure encrypted wireless access using PSK
• Built-in ClearPass profiling - IoT, laptops, mobile phones
• Easy to use policy creation templates
• Possible to provide Guest Wired
Example: Better - “Colorless Ports” – Aruba Switches
Example: Better - “Colorless Ports” – Cisco Switches
Example: Best…
802.1X Secure Connections: Authentication Before Access
Aruba ClearPass
Existing 802.1X wired/wireless support
• MultiVendor and MultiSession support for all 802.1X ready wired and wireless customers
• Secure encrypted wireless access
• Built-in ClearPass profiling - IoT, laptops, mobile phones
• Easy to use policy creation templates
Example: Adaptive Policy That Minimizes SSID Usage
Enterprise Laptop
Authentication EAP-TLS
SSID CORP-SECURE
Authentication EAP-TLS
SSID CORP-SECURE
Internet Only
Internet and Intranet
BYOD Phone
ClearPass Policy Manager – What's Inside?
Visibility
• Policy Engine
• RADIUS/CoA
• TACACS+
• Profiling+
• +100 RADIUS dictionaries
• OnConnect
• Advanced reporting
Automation
• Policy simulation
• Access Tracking
• Template-based policy creation
• Basic Guest (Social Login)
• LDAP browser
• Per session logs
Protect
• Exchange
• API
• Syslog
• Extensions
• AirGroup Bonjour/DLNA
• Device registration
• Certificate revocation
ClearPass Exchange – Supporting Best of Breed
CONTROLLER SWITCH ACCESS POINT Firewall / IPS
INFRASTRUCTURE PERIMETER
SECURITY & ENDPOINT MANAGEMENT
Here are just a few of the Network, Firewall, Security and Endpoint Management exchange partners we work with.
Internet of Things (IoT)
BYOD and corporate owned
REST API, Syslog
Security monitoring and threat prevention
Device management and multi-factor authentication
Helpdesk and voice/SMS service in the cloud
Multi-vendor switching
Multi-vendor WLANs
ClearPass - “Center of the Authentication Universe”
ClearPass bridges the gap between a secured perimeter and a secure network
Logon to Applications (SSO)
Update Firewall
Update Web Proxy / Filter
Update EMM/MDM
Example: Security and Usability Coordination
AD/LDAP
EMM/MDM
Who: Bob
Group: Faculty
Device: Personal iPad
MDM: Airwatch
Location: Room 104
Time: 9am, Monday
Compliance: Healthy
Mac Address: X
IP Address: Y
Airgroup Permissions
Update Enforcement Device (LAN/WAN/VPN)
Adaptive Trust Identity
ClearPass
Service Chaining
Example: Automated Defense – Palo Alto Networks or CheckPoint
Firewall / IPS
LAN/WLAN
1. User connects and downloads threat
2. NGFW / IPS sends event to ClearPass
3. ClearPass quarantines client
4
ClearPass
Service Chaining
Example: Service Chaining
RADIUS Action to force notification page
Send user SMS notification
Update Palo Alto Firewall
Open Help Desk Ticket
Sound the alarm!
Send Email to security team
Example: Service Chaining for Guest
ClearPass Expandable Applications
Automated workflows
Enhanced security for BYOD and guests
Rules by user role and device types
Onboard
Guest
OnGuard
IntroSpect
CONFIDENTIAL © Copyright 2016. Aruba, a Hewlett Packard Enterprise Company. All rights reserved
Guest: Flexible Guest Logins for Any Visitor
Visitor uses self registration
Rich self-service workflows to control guest access privileges
Logon support for social, sponsor
MAC caching for repeat visitors
Guest - Self-Service with Sponsor Example
Access Network
Sponsor confirms guest is valid
ClearPass Guest
Account enabled, visitor notified via screen, SMS, or email
Visitor information collected
New Visitor
Sponsor
1 2 3
OnBoard: BYOD Employees Login with Personal Devices
User and IT friendly: One time user registration / no IT intervention
Security: IT managed, 802.1X and Certificates
Context: Data added to profile for adaptive policy and troubleshooting
OnGuard: Automated Health Checks Before Access
Wired/Wireless/VPN: Ensures posture compliance for laptops/computers
Security: Forces use of Anti-Virus, Anti-Spyware, firewalls, disk encryption…
Remediation: Manual or auto
Visibility: Identifies poor behavior
www.arubanetworks.com/clearpass
www.arubanetworks.com/introspect
ClearPass Real-time Policy-based Actions
• Real-time quarantine
• Re-authentication
• Bandwidth Control
• Blacklist
• Role-change
Devices Profiled
User/Device Context
Wired/Wireless Device Authentication
Actionable Alerts
ClearPass Policy Manager
IntroSpect UEBA
Entity360 Profile with Risk Scoring
ClearPass + IntroSpect = 360° Protection
Detect and Validate
Monitor and Alert
Decide and Act
IntroSpect Overview
• Focused on solving two key problems
  – Detecting attacks that have evaded traditional defenses—attacks on the inside
  – Reducing the time and effort required to understand and respond to attacks
• Enabling technologies
  – Comprehensive data aggregation including network, flows, logs, and alerts
  – Big Data: Spark/Hadoop
  – Artificial Intelligence: Machine Learning
Peer Baseline Anomaly
Accelerated Investigation and Response
Entity360 Profile
Behavioral Analytics
Aruba IntroSpect Components
Packets
Flows
Logs
Alerts
PACKET PROCESSOR
DPI
PACKET
CAPTURE
API
ANALYZER
ENTITY360
ANALYTICS FORENSICS
DATA FUSION BIG DATA
Consoles / Workflows
COLLECTOR
NATIVE SIEM
Recent Wins and Industry Adoption
Over 4300 ClearPass Customers - Over 25 Verticals
Market Leader
2013 / 2014 Gartner NAC Magic Quadrant
Thank You
