The document discusses Aruba ClearPass network access control solutions. It describes the ClearPass virtual appliance options that support up to 25,000, 5,000, or 500 endpoints. It also outlines the ClearPass license options for access control, onboarding, health checking, and guest portal customization. Finally, it provides definitions of the ClearPass publisher/subscriber clustering model and discusses requirements for a Flex-N-Gate network design.
3. Aruba Clearpass Virtual Appliances
1. ClearPass 25K Virtual Appliance:
• RADIUS/TACACS+ server with advanced policy control for up to 25,000 unique endpoints
2. ClearPass 5K Virtual Appliance:
• RADIUS/TACACS+ server with advanced policy control for up to 5,000 unique endpoints
3. ClearPass 500 Virtual Appliance:
• RADIUS/TACACS+ server with advanced policy control for up to 500 unique endpoints
4. Aruba ClearPass License
1. Aruba ClearPass Access License:
• Provides secure network access for AAA with RADIUS and TACACS+ for enterprise and guest users
• Licenses are sold in blocks of 100, 500, 1000, 2500, 5000 and 10000 endpoints
2. Aruba ClearPass Onboard License:
• Onboard lets BYOD and IT-issued devices connect safely to your network in compliance with
security mandates. Flexible policies and unique certificates enable full or limited access based on role,
device type and security posture.
• Licenses are sold in blocks of 100, 500, 1000, 2500, 5000 and 10000 users
3. Aruba ClearPass OnGuard:
• ClearPass OnGuard performs vital endpoint health checks and posture assessments automatically
to ensure that all mobile devices are fully compliant with industry and internal requirements
before they connect to wired and wireless networks
• Licenses are sold in blocks of 100, 500, 1000, 2500, 5000 and 10000 endpoints
4. Aruba ClearPass Guest Portal Customization
• Give your guest website a professional look and feel. The Aruba Networks skins team will leverage
your unique brand to create a customized skin for your guest portal, optimized for smartphones,
tablets and laptops.
• One-time cost $4500.00
5. CPPM Design Definitions
– ClearPass uses a Publisher/Subscriber model to provide multiple-box clustering. Another term for this
model is hub and spoke, where the hub corresponds to the Publisher, and the spokes correspond to the
Subscribers.
– Publisher node functions as the master controller in a cluster. The Publisher is your central point of
configuration, monitoring, and reporting. It is also the central point of database replication. All the
databases are managed through the Publisher.
– There is at most one active Publisher in this model, and a potentially unlimited number of Subscribers.
– The Publisher node has full read/write access to the configuration database. All configuration changes must be made
on the Publisher. The Publisher node sends configuration changes to each Subscriber.
– Subscriber nodes are worker nodes. All the AAA load, all RADIUS requests, and all policy
decisions are handled on the Subscriber nodes.
– Subscriber nodes maintain a local copy of the configuration database, and each Subscriber has read-only access to its
local copy of the configuration database.
7. Flex-N-Gate Requirements
Design Requirements:
1. 802.1x wireless access using Active Directory
2. 802.1x wireless access using MAC Auth.
3. Guest Access
Design Questions:
1. Determine how many endpoints need to be authenticated:
 1. AD Auth?
 2. MAC Auth?
 3. Guest Auth?
12. Aruba ClearPass with Exchange Ecosystem
ClearPass Exchange: End to End Controls
[Diagram: ClearPass Exchange ecosystem; labels recovered from the figure are listed below]
• Internet of Things (IoT)
• BYOD and corporate owned
• REST API, Syslog
• Security monitoring and threat prevention
• Device management and multi-factor authentication
• Helpdesk and voice/SMS service in the cloud
• Multi-vendor switching
• Multi-vendor WLANs
14. Understanding Device & IoT Connectivity Options
• Businesses want to manage what devices connect
• Only some support secure connections
• 50% of IoT may be wired
15. OnConnect – The cure for dumb ‘smart’ devices
[Diagram: Policy Engine with SNMP Enforcement placing devices into a Printer VLAN or an Infusion Pump VLAN; existing 802.1X wired/wireless support alongside a "No 802.1X?" path]
• 1) 802.1X (Gold Standard), or 2) SNMP Authentication, or 3) Captive Portal = All devices 1) Authenticated or 2) Authorized
• Sequential Authentication = Lowered Risk, No unknown devices, Fewer tickets
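As an added example, not part of the original deck and not ClearPass code, the following Python models the sequential authentication path from the OnConnect slide (802.1X first, then SNMP-based profiling into a device VLAN, then captive portal, with anything left over flagged as unknown and quarantined) over a constructed endpoint inventory, and then answers the Flex-N-Gate design questions by counting endpoints per auth method and mapping the total onto the license blocks and virtual appliance tiers listed earlier. The inventory rows, the VLAN numbers, the device-type to VLAN map, and the mapping of methods onto the AD/MAC/Guest design questions are all assumptions made for the example.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample inventory (not real data): one row per endpoint.
INVENTORY_CSV = """\
mac,device_type,supplicant,ad_joined,owner
00:11:22:33:44:01,laptop,yes,yes,corporate
00:11:22:33:44:02,laptop,yes,yes,corporate
00:11:22:33:44:03,printer,no,no,corporate
00:11:22:33:44:04,infusion_pump,no,no,corporate
00:11:22:33:44:05,phone,no,no,guest
00:11:22:33:44:06,sensor,no,no,corporate
"""

# Hypothetical VLAN plan. The slide names a printer VLAN and an infusion pump
# VLAN; the numbers below are assumed for the example.
VLAN_CORPORATE = 100
VLAN_GUEST = 300
VLAN_QUARANTINE = 999
PROFILED_DEVICE_VLANS = {"printer": 110, "infusion_pump": 120}

# License blocks and virtual appliance limits as listed on the earlier slides.
LICENSE_BLOCKS = (100, 500, 1000, 2500, 5000, 10000)
APPLIANCE_TIERS = ((500, "ClearPass 500"), (5000, "ClearPass 5K"), (25000, "ClearPass 25K"))

# Assumed mapping of enforcement method onto the three design questions.
DESIGN_QUESTION = {"802.1X": "AD Auth", "SNMP": "MAC Auth",
                   "captive-portal": "Guest Auth", "none": "Unknown"}


@dataclass(frozen=True)
class Decision:
    mac: str
    method: str   # 802.1X | SNMP | captive-portal | none
    outcome: str  # authenticated | authorized | unknown
    vlan: int


def parse_inventory(text):
    """Read the CSV inventory into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def decide(ep):
    """Sequential authentication: 802.1X, then SNMP profiling, then captive portal."""
    if ep["supplicant"] == "yes":
        # Gold standard: the device can do 802.1X, so it is authenticated.
        return Decision(ep["mac"], "802.1X", "authenticated", VLAN_CORPORATE)
    vlan = PROFILED_DEVICE_VLANS.get(ep["device_type"])
    if vlan is not None:
        # No supplicant but a known device type: authorized into its own VLAN.
        return Decision(ep["mac"], "SNMP", "authorized", vlan)
    if ep["owner"] == "guest":
        # Guests authenticate through the captive portal.
        return Decision(ep["mac"], "captive-portal", "authenticated", VLAN_GUEST)
    # Failed every step: the failure mode the slide wants to eliminate.
    return Decision(ep["mac"], "none", "unknown", VLAN_QUARANTINE)


def evaluate(text):
    return [decide(ep) for ep in parse_inventory(text)]


def count_by_auth(decisions):
    """Answer 'how many endpoints per auth method' for the design questions."""
    return dict(Counter(DESIGN_QUESTION[d.method] for d in decisions))


def unknown_devices(decisions):
    """MACs that ended in quarantine; the goal is for this list to be empty."""
    return [d.mac for d in decisions if d.outcome == "unknown"]


def license_block(endpoints):
    """Smallest single license block that covers the endpoint count."""
    for block in LICENSE_BLOCKS:
        if endpoints <= block:
            return block
    raise ValueError("exceeds the largest single block; combine blocks")


def appliance_tier(endpoints):
    """Smallest virtual appliance whose endpoint limit covers the count."""
    for limit, name in APPLIANCE_TIERS:
        if endpoints <= limit:
            return name
    raise ValueError("exceeds the largest virtual appliance; add cluster nodes")


if __name__ == "__main__":
    decisions = evaluate(INVENTORY_CSV)
    for d in decisions:
        print(d)
    print("per design question:", count_by_auth(decisions))
    print("unknown devices:", unknown_devices(decisions))
    print("license block:", license_block(len(decisions)))
    print("appliance:", appliance_tier(len(decisions)))
```

Running it shows the sensor ending up in the quarantine VLAN as the one unknown device, which is exactly the list an operator would work through (profile it or onboard it) to reach the slide's "no unknown devices" state; the counts per design question and the block/tier lookups give the sizing inputs the Flex-N-Gate questions ask for.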
Editor's Notes
But beyond that, IoT devices beyond smartphones, tablets and PCs, that is, connected sensors across a multitude of vertical-specific devices, have grown from 10 to 40 billion in just a few years.
Automated VPN – transition to MDM and VIA
For organizations that are wary of spending too much time on guest networks, position the rich workflow and branding capabilities of an intelligent Guest solution. IT gains the ability to use various sponsor workflows that provide guest access governance and auditability. User self-registration and MAC caching can simplify the user experience.
And they can create policies that limit time on the network and how much bandwidth is used. Flexibility on the user side is key. IT enforcement that is performed on the back end is key for IT.
To enable the use of personal devices in the workplace, IT needs a way to automate who and what can be used. We often get asked whether anyone can onboard a device or devices, but the answer is no. IT creates the rules and leverages identity and role to permit users to onboard a device. A user must enter login and password information to start the process. Automated device certificates make it easier for the user, and IT can easily pull certs if needed.
The fact that a device was onboarded even lets IT use that data within policies. If the guest network is off limits to employee devices, IT has ownership data. If the certificate is invalid, IT has that data.
It is a win for the organization and the user if BYOD is managed rather than thrown onto a guest network.
The same system should also be leveraged to perform health checks on computers. Before a laptop gains access to internal resources, IT can automatically ensure that security apps are being run on a regular basis. Colleges and universities can limit the use of peer-to-peer apps so that movies are not illegally downloaded by users on the campus domain.
Again, flexibility plays a role. Auto-remediation can turn off an app or service before a device is connected to the network, or IT can quarantine a device and request that the user contact a help desk for educational training.