Device Insight Integration Page

The Device Insight Integration page enables Policy Manager to integrate with Policy Manager Device Insight, a cloud-hosted application for comprehensive device visibility. When Device Insight is enabled, Policy Manager disables device profiling on the current Policy Manager server and passes the raw preprofiled information to the Device Insight-enabled node. This change occurs across all the Profiler-enabled nodes (see Changes in the ClearPass User Interface When Device Insight Integration is Enabled). A number of other Policy Manager features are removed from the user interface when Device Insight Integration is enabled. For details, see Changes in ClearPass Behaviors When Device Insight Integration is Enabled.

Enabling Device Insight Integration

To enable Policy Manager Device Insight Integration:

1. Complete the prerequisites described in Prerequisites to Using Device Insight Integration.

2. On the publisher, navigate to Administration > Server Manager > Device Insight.

The Device Insight Integration page opens:

Figure 1  Device Insight Integration Page

3. Click Enable.

4. Specify the Device Insight Integration parameters.

 

Table 1: Device Insight Integration Page Parameters

| Parameter | Action/Description |
|---|---|
| Device Insight Integration | To enable Device Insight Integration, select the Enable radio button. This feature is disabled by default. |
| Registration Token | To initiate the Activation process, enter the Registration Token that was generated when ClearPass Device Insight was deployed. |
| Activation Status | This is a read-only field. When Device Insight is disabled, this field displays the status Not Activated. As part of the Activation process, the Device Insight-enabled node is provisioned with Central certificates. If provisioning is successful, this field displays the status SUCCESS. If an incorrect or an expired registration is used, this field displays the status FAILED. |
| Primary ClearPass Server | Select the ClearPass Policy Manager hardware appliance designated as the primary ClearPass Server. If the Policy Manager instance uses a single appliance, this field is already populated. If it is part of a cluster, you can select any appliance in the cluster, whether publisher or subscriber, to be the primary Policy Manager server. |
| Standby ClearPass Server | Use this option to designate a standby Device Insight Integration-enabled server for a cluster. Designating a standby is optional; however, it is recommended. If the primary server is unavailable, the standby server will take over functionality, detecting any communication failures and providing service continuity. The standby server should have the same activation and certificate provisioning configuration as the primary. |
| Polling Interval | Specify the Polling Interval. Enter a value from 5 minutes to 2000 minutes (33.3 hours), inclusive. The default value is 15 minutes. The Polling Interval is a configurable parameter that serves as a backup in the event real-time streaming becomes unavailable. If there is no communication between ClearPass Policy Manager and Device Insight within the specified interval, Policy Manager polls Device Insight to fetch devices, classification details, and Device Insight tags. |
| Device Sync interval | Devices that were active within the number of days specified here are synced between ClearPass Policy Manager and Device Insight. The supported range is 0-999 days, and the default value is 30 days. |
| Device Tag Action Updates | If there is no RADIUS or Disconnect action for devices configured in a service, you can use the Device Tag Action Updates options to assign the correct change of authorization (CoA) behavior. Select any of the following options: (1) No action—Actions are ignored and Policy Manager’s endpoint tables are updated. (2) Apply action for all Tag updates — When this option is selected, you can click the RADIUS Action drop-down menu and select the RADIUS action that will be applied to all tags. For any tag update for any endpoint, the selected CoA re-authentication action will be triggered. (3) Apply action for selected Tag updates only — When this option is selected, in addition to selecting the RADIUS action using the RADIUS Action field, you can use the Tags for Disconnect field to specify a specific set of tags on which to apply the action. The selected CoA re-authentication action will only be triggered for the specified tags. Click the Add drop-down menu to select a tag. To remove a tag, select a tag in the Tags for Disconnect field and click Remove. |

5. Click Save. The following prompt appears:

Figure 2  Prompt to Enable Device Insight Integration

6. To proceed with enabling Device Insight Integration, click Yes; to cancel the operation, click No.

7. If activation is successful, the Activation Status field displays the status Success, and the form expands to include the following read-only fields.

Table 2: Device Insight Integration Page Parameters

| Parameter | Action/Description |
|---|---|
| Activation Timestamp | This is a read-only field that appears after successful activation. This field is automatically populated to indicate the time at which Device Insight was activated. |
| Registration Status | This is a read-only field that appears after successful activation. If a WebSocket connection is successfully initiated between the Device Insight-enabled node and Aruba Central, the registration appears as SUCCESS. |
| Last Sync Timestamp | This is a read-only field that appears after successful activation. It indicates the time at which the last endpoint was added to Policy Manager from Device Insight during synchronization. This field is automatically populated. |
| Last Sync Run | Time that the last sync operation started between Policy Manager and Device Insight. |
| Aruba Central Tenant ID | This is a read-only field that appears after successful activation. It indicates the Aruba Central Tenant ID. |

Figure 3  Device Insight Activation Enabled

Disabling Device Insight Integration

Use the following procedure to disable Device Insight Integration.

Be aware that if you disable Device Insight Integration at any point after it has been enabled, the Device Insight Registration Token and certificate are not retained. To re-enable integration, you must enter the Registration Token again.

1. Navigate to Administration > Server Manager > Device Insight. The Device Insight Integration page opens.

2. On the Device Insight Integration option, select Disable, then click Save. The following prompt is displayed.

Figure 4  Prompt to Disable Device Insight Integration

3. To proceed with disabling Device Insight Integration, click Yes; to cancel the operation, click No.

Device Insight Integration is set to Disabled.