DATA SHEET
ARUBA CLEARPASS
POLICY MANAGER
The most advanced Secure NAC
platform available
Aruba’s ClearPass Policy Manager, part of the Aruba 360
Secure Fabric, provides role- and device-based secure network
access control for IoT, BYOD, corporate devices, as well as
employees, contractors and guests across any multivendor
wired, wireless and VPN infrastructure that use them.
With a built-in context-based policy engine, RADIUS,
TACACS+, non-RADIUS enforcement using OnConnect, device
profiling, posture assessment, onboarding, and guest access
options, ClearPass is unrivaled as a foundation for network
security for organizations of any size.
For comprehensive integrated security coverage and
response using firewalls, EMM/MDM and other existing
solutions, ClearPass supports the Aruba 360 Security
Exchange Program. This allows for automated threat
detection and response workflows that integrate with
third-party security vendors and IT systems previously requiring
manual IT intervention.
In addition, ClearPass supports secure self-service
capabilities, making it easier for end users trying to access
the network. Users can securely configure their own devices
for enterprise use or Internet access based on admin policy
controls. Aruba wireless customers in particular can take
advantage of unique integration capabilities such as AirGroup,
as well as ClearPass Auto Sign-On (ASO). ASO enables a
user’s network authentication to pass automatically to their
enterprise mobile apps so they can get right to work.
The result is detailed visibility of all wired and wireless
devices connecting to the enterprise, increased control
through simplified and automated authentication or
authorization of devices, and faster, better incident analysis
and response through the integration of Aruba IntroSpect
UEBA and third-party partner ecosystems. This is achieved
with a comprehensive and scalable policy management
platform that goes beyond traditional AAA solutions to
deliver extensive enforcement capabilities for IT-owned and
BYOD security requirements.
KEY FEATURES
• Role-based network access enforcement for multi-vendor
wireless, wired and VPN networks.
• Virtual and hardware appliances that can be deployed in a
cluster to increase scalability and redundancy.
• Intuitive policy configuration templates and visibility
troubleshooting tools.
• Supports multiple authentication/authorization sources
(AD, LDAP, SQL dB).
• Self-service device onboarding with built-in certificate
authority (CA) for BYOD.
• Guest access with extensive customization, branding and
sponsor-based approvals.
• Supports NAC and EMM/MDM integration for mobile
device assessments.
• Comprehensive integration with the Aruba 360 Security
Exchange Program.
• Single sign-on (SSO) support works with Ping, Okta
and other identity management tools to improve user
experience to SAML 2.0-based applications.
• Advanced reporting and granular alerts.
• Active and passive device fingerprinting.
• Support for popular virtualization platforms such as
VMware vSphere Hypervisor (ESXi), Microsoft Hyper-V,
CentOS KVM & Amazon AWS (EC2).
THE CLEARPASS DIFFERENCE
ClearPass is the only policy platform that centrally enforces
all aspects of enterprise-grade access security for any
industry. Granular policy enforcement is based on a
user’s role, device type and role, authentication method,
EMM/MDM attributes, device health, traffic patterns, location,
and time-of-day.
Deployment scalability supports tens of thousands of devices
and authentications, which surpasses the capabilities offered
by legacy AAA solutions. Options exist for small to large
organizations, from centralized to distributed environments.
ADVANCED POLICY MANAGEMENT
Enforcement and visibility for wired and wireless
With ClearPass, organizations can deploy wired or wireless
using standards-based 802.1X enforcement for secure
authentication. ClearPass also supports MAC address
authentication for IoT and headless devices that may lack
support for 802.1X. For wired environments where RADIUS-based
authentication cannot be deployed, OnConnect offers
an alternative using SNMP-based enforcement.
Device health checks
ClearPass OnGuard leverages persistent and dissolvable
agents to perform advanced endpoint posture assessments
over wireless, wired and VPN connections. OnGuard’s
health-check capabilities ensure compliance and network
safeguards before devices connect.
Customizable visitor management
ClearPass Guest simplifies visitor workflow processes to
enable employees, receptionists, and other non-IT staff to
create temporary guest accounts for secure wireless and
wired access. Highly customizable, mobile-friendly portals
provide easy-to-use login processes that include
self-registration, sponsor approval, and bulk credential creation
to support any visitor needs – enterprise, retail, education,
large public venue. Credentials can be delivered by SMS,
email, printed badges, or input directly through cloud identity
providers such as Facebook or Twitter.
Built-in support for commercial-oriented guest Wi-Fi hotspots
with credit card billing and 3rd party advertising-driven workflows
makes it simple to integrate into a wide variety of environments.
Authentication methods can be used to concurrently support
a variety of use-cases. It also includes support for multi-
factor authentication based on log-in times, posture checks,
and other context such as new user, new device, and more.
Attributes from multiple identity stores such as Microsoft Active
Directory, LDAP-compliant directory, ODBC-compliant SQL
database, token servers and internal databases across domains
can be used within a single policy for fine-grained control.
Contextual data from these profiled devices allows for IT
to define what devices can access either the wired, VPN, or
wireless network. Device profile changes are dynamically
used to modify authorization privileges. For example, if a
Windows laptop appears as a printer, ClearPass policies can
automatically deny access.
Secure device configuration of personal devices
ClearPass Onboard provides automated provisioning of any
Windows, macOS, iOS, Android, Chromebook, and Ubuntu
devices via a user-driven self-guided portal. Network details,
security settings and unique device identity certificates
are automatically configured on authorized devices. Cloud
identity services like Microsoft Azure Active Directory, Google
G Suite and Okta can also be leveraged as identity providers
with Onboard for secure certificate enrollment.
ARUBA 360 SECURITY EXCHANGE PROGRAM
Integrate with security and workflow systems
Support for the Aruba 360 Security Exchange Program is an
integrated component of ClearPass. Features like REST-based
APIs, RADIUS Accounting Proxy, and Syslog ingestion
help facilitate workflows with EMM/MDM, SIEM, firewalls,
help-desk systems and more. Context is shared between each
component for end-to-end policy enforcement and visibility.
The ClearPass Ingress Event Engine provides 3rd party
systems the means to share information in real-time using
Syslog. This enables ClearPass to respond to changing
threats for users and devices after they have authenticated
to the network. By utilizing an open dictionary approach,
anyone can write a parsing ruleset without the need for
costly add-ons or locked in 3rd party ecosystems.
ADVANCED REPORTING AND ALERTING
ClearPass Insight provides advanced reporting capabilities
via customizable reports. Information about authentication
trends, profiled devices, guest data, on-boarded devices,
and endpoint health can also be viewed in an easy to use
dashboard. Insight also has support for granular alerts and a
watchlist to monitor specific authentication failures.