DATA SHEET
ARUBA CLEARPASS
POLICY MANAGER
The most advanced Secure NAC
platform available
Aruba’s ClearPass Policy Manager, part of the Aruba 360
Secure Fabric, provides role- and device-based secure network
access control for IoT, BYOD, corporate devices, as well as
employees, contractors and guests across any multivendor
wired, wireless and VPN infrastructure.
With a built-in context-based policy engine, RADIUS,
TACACS+, non-RADIUS enforcement using OnConnect, device
profiling, posture assessment, onboarding, and guest access
options, ClearPass is unrivaled as a foundation for network
security for organizations of any size.
For comprehensive integrated security coverage and
response using firewalls, EMM/MDM and other existing
solutions, ClearPass supports the Aruba 360 Security
Exchange Program. This allows for automated threat
detection and response workflows that integrate with third-
party security vendors and IT systems previously requiring
manual IT intervention.
In addition, ClearPass supports secure self-service
capabilities, making it easier for end users trying to access
the network. Users can securely configure their own devices
for enterprise use or Internet access based on admin policy
controls. Aruba wireless customers in particular can take
advantage of unique integration capabilities such as AirGroup,
as well as ClearPass Auto Sign-On (ASO). ASO enables a
user’s network authentication to pass automatically to their
enterprise mobile apps so they can get right to work.
The result is detailed visibility of all wired and wireless
devices connecting to the enterprise, increased control
through simplified and automated authentication or
authorization of devices, and faster, better incident analysis
and response through the integration of Aruba IntroSpect
UEBA and third-party partner ecosystems. This is achieved
with a comprehensive and scalable policy management
platform that goes beyond traditional AAA solutions to
deliver extensive enforcement capabilities for IT-owned and
BYOD security requirements.
KEY FEATURES
• Role-based, unified network access enforcement across
multi-vendor wireless, wired and VPN networks.
• Intuitive policy configuration templates and visibility
troubleshooting tools.
• Supports multiple authentication/authorization sources
(AD, LDAP, SQL dB).
• Self-service device onboarding with built-in certificate
authority (CA) for BYOD.
• Guest access with extensive customization, branding and
sponsor-based approvals.
• Integration with key EMM/MDM solutions for in-depth
device assessments.
• Comprehensive integration with the Aruba 360 Security
Exchange Program.
• Single sign-on (SSO) support works with Ping, Okta
and other identity management tools to improve user
experience to SAML 2.0-based applications.
THE CLEARPASS DIFFERENCE
ClearPass is the only policy platform that centrally enforces
all aspects of enterprise-grade access security for any
industry. Granular policy enforcement is based on a
user’s role, device type and role, authentication method,
EMM/MDM attributes, device health, traffic patterns, location,
and time-of-day.
Deployment scalability supports tens of thousands of devices
and authentications which surpasses the capabilities offered
by legacy AAA solutions. Options exist for small to large
organizations, from centralized to distributed environments.
ADVANCED POLICY MANAGEMENT
Enforcement and visibility for wired and wireless
With ClearPass, organizations can deploy wired or wireless
using standards-based 802.1X enforcement for secure
authentication. ClearPass also supports MAC address
authentication for IoT and headless devices that may lack
support for 802.1X. For wired environments where RADIUS
based authentication cannot be deployed, OnConnect offers
an alternative using SNMP based enforcement.
Authentication methods can be used to concurrently support
a variety of use-cases. It also includes support for multi-
factor authentication based on log-in times, posture checks,
and other context such as new user, new device, and more.
Attributes from multiple identity stores such as Microsoft Active
Directory, LDAP-compliant directory, ODBC-compliant SQL
database, token servers and internal databases across domains
can be used within a single policy for fine-grained control.
Contextual data from these profiled devices allows for IT
to define what devices can access either the wired, VPN, or
wireless network. Device profile changes are dynamically
used to modify authorization privileges. For example, if a
Windows laptop appears as a printer, ClearPass policies can
automatically deny access.
Secure device configuration of personal devices
ClearPass Onboard provides automated provisioning of any
Windows, macOS, iOS, Android, Chromebook, and Ubuntu
devices via a user driven self-guided portal. Network details,
security settings and unique device identity certificates
are automatically configured on authorized devices. Cloud
identity services like Microsoft Azure Active Directory, Google
G Suite and Okta can also be leveraged as identity providers
with Onboard for secure certificate enrollment.
Device health checks
ClearPass OnGuard delivers endpoint posture assessments
over wireless, wired and VPN connections. OnGuard’s
health-check capabilities ensure endpoints meet security
and compliance policies before they connect to the
network. OnGuard offers a variety of flexible deployment
options including agentless, dissolvable agents and agent-
based configuration.
Customizable visitor management
ClearPass Guest simplifies visitor workflow processes to
enable employees, receptionists, and other non-IT staff to
create temporary guest accounts for secure wireless and
wired access. Highly customizable, mobile friendly portals
provide easy-to-use login processes that include self-
registration, sponsor approval, and bulk credential creation
to support any visitor needs – enterprise, retail, education,
large public venue. Credentials can be delivered by SMS,
email, printed badges, or input directly through cloud identity
providers such as Facebook or Twitter.
Built in support for commercial oriented guest Wi-Fi hotspots
with credit card billing and 3rd party advertising driven workflows
make it simple to integrate into a wide variety of environments.
ARUBA 360 SECURITY EXCHANGE PROGRAM
Integrate with security and workflow systems
Support for the Aruba 360 Security Exchange Program is an
integrated component of ClearPass. Features like REST-
based APIs, RADIUS Accounting Proxy, and Syslog ingestion
help facilitate workflows with EMM/MDM, SIEM, firewalls,
help-desk systems and more. Context is shared between each
component for end-to-end policy enforcement and visibility.
The ClearPass Ingress Event Engine provides 3rd party
systems the means to share information in real-time using
Syslog. This enables ClearPass to respond to changing
threats for users and devices after they have authenticated
to the network. By utilizing an open dictionary approach,
anyone can write a parsing ruleset without the need for
costly add-ons or locked in 3rd party ecosystems.
ADVANCED REPORTING AND ALERTING
ClearPass Insight provides advanced reporting capabilities
via customizable reports. Information about authentication
trends, profiled devices, guest data, on-boarded devices,
and endpoint health can also be viewed in an easy to use
dashboard. Insight also has support for granular alerts and a
watchlist to monitor specific authentication failures.
SPECIFICATIONS
Appliances
ClearPass is available as hardware or as a virtual appliance. Virtual
appliances are supported on VMware vSphere Hypervisor (ESXi),
Microsoft Hyper-V, CentOS KVM & Amazon EC2.
• VMware ESXi 6 up to 6.7
• Microsoft Hyper-V 2012/2016 R2 and Windows 2012/2016
R2 Enterprise
• KVM on CentOS 7.5
• Amazon AWS (EC2)
Platform
• Deployment templates for any network type, identity store
and endpoint
• 802.1X, MAC authentication and captive portal support
• ClearPass OnConnect for SNMP-based enforcement on
wired switches
• Advanced reporting, analytics and troubleshooting tools
• Interactive policy simulation and monitor mode utilities
• Multiple device registration portals – Guest, Aruba
AirGroup, BYOD, and un-managed devices
• Admin/operator access security via CAC and TLS certificates
Framework and protocol support
• RADIUS, RADIUS Dynamic Authorization, TACACS+, web
authentication, SAML v2.0
• RadSec
• EAP-FAST (EAP-MSCHAPv2, EAP-GTC, EAP-TLS)
• PEAP (EAP-MSCHAPv2, EAP-GTC, EAP-TLS, EAP-PEAP-
Public, EAP-PWD)
• TTLS (EAP-MSCHAPv2, EAP-GTC, EAP-TLS, EAP-MD5,
PAP, CHAP)
• EAP-TLS
• PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-MD5
• OAuth2
• WPA3
• Windows machine authentication
• SMB v2/v3
• Online Certificate Status Protocol (OCSP)
• SNMP generic MIB, SNMP private MIB
• Common Event Format (CEF), Log Event Extended Format
(LEEF)
Supported identity stores
• Microsoft Active Directory
• RADIUS
• Any LDAP compliant directory
• MySQL, Microsoft SQL, PostGRES and Oracle 11g
ODBC-compliant SQL server
• Token servers
• Built-in SQL store, static hosts list
• Kerberos
• Microsoft Azure Active Directory
• Google G Suite
RFC standards
2246, 2248, 2407, 2408, 2409, 2548, 2759, 2865, 2866, 2869,
2882, 3079, 3579, 3580, 3748, 3779, 4017, 4137, 4301, 4302,
4303, 4308, 4346, 4514, 4518, 4809, 4849, 4851, 4945, 5176,
5216, 5246, 5280, 5281, 5282, 5755, 5759, 6614, 6818, 6960,
7030, 7296, 7321, 7468, 7815, 8032, 8247
Internet drafts
Protected EAP Versions 0 and 1, Microsoft CHAP extensions,
dynamic provisioning using EAP-FAST, TACACS+, draft-ietf-
curdle-pkix-00 EdDSA, Ed25519, Ed448, Curve25519 and
Curve448 for X.509, draft-nourse-scep-23 (Simple Certificate
Enrollment Protocol)
Profiling methods
• Active: Nmap, WMI, SSH, SNMP
• Passive: MAC OUI, DHCP, TCP, NetFlow v5/v10, IPFIX,
sFLOW, ‘SPAN’ Port, HTTP User-Agent, IF-MAP
• Integrated & 3rd Party: Onboard, OnGuard, ArubaOS,
EMM/MDM, Cisco device sensor
IPv6 Support
• Web and CLI based management
• IPv6 addressed authentication & authorization servers
• IPv6 accounting proxy
• IPv6 addressed endpoint context servers
• Syslog, DNS, NTP, IPsec IPv6 targets
• IPv6 Virtual IP for high availability
• HTTP Proxy
• Ingress Event Engine Syslog sources
Information assurance validations
• FIPS 140-2 – Certificate #2577
• Common Criteria NDcPP + Authentication Server
(ClearPass)