This section contains the following information:
ClearPass Access Management System Overview
ClearPass Policy Manager Hardware and Virtual Appliances
The Aruba ClearPass Access Management System provides a window into your network and covers all your access security requirements from a single platform. You get complete views of mobile devices and users and have total control over what they can access.
With ClearPass, IT can centrally manage network policies, automatically configure devices and distribute security certificates, admit guest users, assess device health, and even share information with third-party solutions—through a single pane of glass, on any network and without changing the current infrastructure.
The ClearPass Policy Manager™ platform provides role-based and device-based network access control for employees, contractors, and guests across any wired, wireless, and VPN infrastructure.
ClearPass works with any multivendor network and can be extended to business and IT systems that are already in place.
ClearPass delivers a wide range of unique self-service capabilities. Users can securely onboard their own devices for enterprise use or register AirPlay, AirPrint, Digital Living Network Alliance (DLNA), and Universal Plug and Play (UPnP) devices that are enabled for sharing, sponsor guest Wi-Fi access, and even set up sharing for Apple TV and Google Chromecast.
The power of ClearPass comes from integrating ultra-scalable AAA (authentication, authorization, and accounting) with policy management, guest network access, device onboarding, and device health checks with a complete understanding of context.
From this single ClearPass policy and AAA platform, contextual data is leveraged across the network to ensure that users and devices are granted the appropriate access privileges.
ClearPass leverages a user’s role, device, location, application use, and time of day to execute custom security policies, accelerate device deployments, and streamline network operations across wired networks, wireless networks, and VPNs.
ClearPass can be extended to third-party security and IT systems using REST-based APIs to automate workflows that previously required manual IT intervention. It integrates with mobile device management to leverage device inventory and posture information, which enables better-informed policy decisions.
ClearPass's key features are as follows:
Role-based network access enforcement for multivendor Wi-Fi, wired, and VPN networks
Virtual and hardware appliances that can be deployed in a cluster to increase scalability and redundancy.
Support for popular virtualization platforms such as VMware vSphere Hypervisor (ESXi), Microsoft Hyper-V, and Amazon AWS (EC2).
IPv6 administration support
Intuitive policy configuration templates and visibility troubleshooting tools.
Support for multiple authentication/authorization sources: AD, LDAP, and SQL databases.
Self-service device onboarding with built-in certificate authority (CA) for BYOD.
Guest access with extensive customization, branding and sponsor-based approvals.
Comprehensive integration with the Aruba 360 Security Exchange Program.
SAML 2.0 Identity Provider, which allows seamless single sign-on (SSO) to the cloud or on-premise applications.
SAML 2.0 Service Provider, which allows seamless and secure access to ClearPass components using federated/unified identity.
Advanced reporting and granular alerts.
Active and passive device fingerprinting.
High performance, scalability, High Availability, and load balancing.
A Web-based user interface that simplifies policy configuration and troubleshooting.
Network Access Control (NAC), Network Access Protection (NAP) posture and health checks, and Mobile Device Management (MDM) integration for mobile device posture checks.
Social and cloud identity network and cloud application single sign-on (SSO) via OAuth 2.0, including Facebook, Twitter, LinkedIn, Azure Active Directory, Office 365, Google G Suite, and so on.
Device and user certificate enrollment via the Simple Certificate Enrollment Protocol (SCEP), enrollment over Secure Transport (EST) and REST API-based workflows.
Advanced reporting of all user authentications and failures.
Enterprise reporting, monitoring, and alerting.
HTTP/RESTful APIs for integration with third-party systems, Internet security, and Mobile Device Management (MDM).
Device profiling and self-service onboarding.
Guest access with extensive branding and customization and sponsor-based approvals.
ClearPass advanced policy management support includes:
ClearPass Policy Manager offers user and device authentication based on 802.1X, non-802.1X, and Web Portal access methods. To strengthen security in any environment, you can concurrently use multiple authentication protocols, such as PEAP, EAP-FAST, EAP-TLS, EAP-TTLS, and EAP-PEAP-Public.
For fine-grained control, you can use attributes from multiple identity stores, such as Microsoft Active Directory, LDAP-compliant directory, ODBC-compliant SQL database, token servers, and internal databases across domains within a single policy.
Additionally, you can add posture assessments and remediation to existing policies at any time.
ClearPass provides a built-in profiling service that discovers and classifies all endpoints, regardless of device type. You can obtain a variety of contextual data (such as MAC OUIs, DHCP fingerprinting, and other identity-centric device data) and use this data within policies.
Stored profiling data identifies device profile changes and dynamically modifies authorization privileges. For example, if a printer appears as a Windows laptop, ClearPass Policy Manager can automatically deny access.
Unmanaged non-802.1X devices (such as printers, IP phones, and IP cameras) can be identified as known or unknown upon connecting to the network. The identity of these devices is based on the presence of their MAC address in an external or internal database.
ClearPass Onboard fully automates the provisioning of any Windows, macOS, iOS, Android, ChromeOS, and Ubuntu devices via a built-in enrollment workflow.
Valid users are redirected to a template-based interface to configure required SSIDs and 802.1X settings, and download unique device credentials.
Additional capabilities include the ability for IT to revoke and delete credentials for lost or stolen devices, and the ability to configure mobile email settings for Exchange ActiveSync and VPN clients on some device types.
ClearPass Guest simplifies workflow processes so that receptionists, employees, and other non-IT staff can create temporary guest accounts for secure Wi-Fi and wired network access. Self-registration allows guests to create their own credentials.
ClearPass OnGuard, as well as separate OnGuard persistent or dissolvable agents, performs advanced endpoint posture assessments. Traditional NAC health-check capabilities ensure compliance and network safeguards before devices connect.
You can use information about endpoint integrity (such as status of anti-virus, firewall, and peer-to-peer applications) to enhance authorization policies. Automatic remediation services are also available for non-compliant devices.
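The profiling, MAC-authentication and posture concepts described above (a stored profile that no longer matches the freshly profiled device, known versus unknown non-802.1X endpoints, and OnGuard health feeding authorization) can be pictured as one decision function. The following Python is an added example written for this page; it is not ClearPass code and does not call the ClearPass API. The OUI table, the DHCP option 55 fingerprints, the endpoint records and the role names (Printer, IoT-Device, Employee, Contractor, Quarantine, [Guest], [Deny Access]) are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed stand-in for a MAC OUI database (assumption: first 3 octets -> category).
OUI_CATEGORY = {
    "00:1B:A9": "Printer",
    "3C:2E:FF": "Apple iOS",
    "00:50:56": "VMware VM",
}

# Constructed DHCP option 55 (parameter request list) fingerprints -> category.
DHCP_FINGERPRINT_CATEGORY = {
    "1,3,6,15,31,33,43,44,46,47,121,249,252": "Windows",
    "1,3,6,15,119,252": "Apple iOS",
    "1,3,6,12,15,28,42": "Printer",
}

# Constructed mapping from directory group to the role a policy would assign.
ROLE_BY_GROUP = {"Employees": "Employee", "Contractors": "Contractor"}


@dataclass
class Endpoint:
    mac: str
    dhcp_params: str                      # option 55 list seen on this connection
    known: bool = False                   # MAC present in the endpoint database
    stored_category: Optional[str] = None # category recorded when first profiled


@dataclass
class AuthContext:
    endpoint: Endpoint
    dot1x_authenticated: bool = False
    ad_groups: FrozenSet[str] = frozenset()   # attributes from the identity store
    posture_healthy: Optional[bool] = None    # OnGuard result; None = no agent


@dataclass
class Decision:
    role: str
    reason: str


def oui(mac: str) -> str:
    return mac.upper()[:8]


def profile_endpoint(ep: Endpoint) -> Tuple[str, str]:
    """Passive profiling: combine MAC OUI with the DHCP fingerprint.
    A DHCP fingerprint reflects the running OS, so it outranks the OUI."""
    by_dhcp = DHCP_FINGERPRINT_CATEGORY.get(ep.dhcp_params, "Unknown")
    if by_dhcp != "Unknown":
        return by_dhcp, "dhcp"
    return OUI_CATEGORY.get(oui(ep.mac), "Unknown"), "oui"


def profile_conflict(ep: Endpoint, current: str) -> bool:
    """True when the stored profile contradicts what the device looks like now,
    e.g. a known printer whose DHCP behaviour is that of a Windows laptop."""
    return ep.stored_category is not None and ep.stored_category != current


def evaluate(ctx: AuthContext) -> Decision:
    ep = ctx.endpoint
    category, evidence = profile_endpoint(ep)
    if profile_conflict(ep, category):
        return Decision("[Deny Access]",
                        f"profile changed from {ep.stored_category} to {category} (via {evidence})")
    if not ctx.dot1x_authenticated:
        # Non-802.1X device: decide on presence of the MAC in the endpoint database.
        if not ep.known:
            return Decision("[Guest]", "unknown MAC: redirect to captive portal")
        return Decision("Printer" if category == "Printer" else "IoT-Device",
                        f"known MAC profiled as {category}")
    if ctx.posture_healthy is False:
        return Decision("Quarantine", "OnGuard posture non-compliant: remediation role")
    for group, role in ROLE_BY_GROUP.items():
        if group in ctx.ad_groups:
            return Decision(role, f"member of {group}; posture "
                                  f"{'healthy' if ctx.posture_healthy else 'not assessed'}")
    return Decision("[Deny Access]", "authenticated, but no authorization attribute matched")


def demo() -> dict:
    """Constructed scenarios; returns scenario name -> assigned role."""
    printer = Endpoint("00:1B:A9:10:20:30", "1,3,6,12,15,28,42", known=True, stored_category="Printer")
    spoofed = Endpoint("00:1B:A9:10:20:30", "1,3,6,15,31,33,43,44,46,47,121,249,252",
                       known=True, stored_category="Printer")
    stranger = Endpoint("AA:BB:CC:01:02:03", "1,3,6,15,119,252")
    laptop = Endpoint("00:50:56:AA:BB:CC", "1,3,6,15,31,33,43,44,46,47,121,249,252", known=True)
    return {
        "known-printer": evaluate(AuthContext(printer)).role,
        "printer-now-windows": evaluate(AuthContext(spoofed)).role,
        "unknown-mac": evaluate(AuthContext(stranger)).role,
        "healthy-employee": evaluate(AuthContext(laptop, True, frozenset({"Employees"}), True)).role,
        "unhealthy-employee": evaluate(AuthContext(laptop, True, frozenset({"Employees"}), False)).role,
    }


if __name__ == "__main__":
    for name, role in demo().items():
        print(f"{name:20s} -> {role}")
```

The ordering matters: the profile-conflict check runs before any credential or posture check, because a device whose identity evidence contradicts its stored profile should not reach the role mapping at all, and a known MAC alone never outranks a healthy OnGuard result for an 802.1X-authenticated user.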
ClearPass Policy Manager is available as a hardware or a virtual appliance. To increase scalability and redundancy, you can deploy virtual appliances, as well as the hardware appliances, within a cluster.
For hardware and virtual appliance installation and deployment procedures, see the installation guide, which describes the procedures for installing and configuring ClearPass Policy Manager on a hardware appliance, as well as how to install ClearPass on a VMware vSphere Hypervisor host and on a host that runs Microsoft's hypervisor, Hyper-V™. That guide also describes how to install a ClearPass virtual appliance on a host that runs the CentOS KVM (Kernel Virtual Machine) hypervisor.
Virtual appliances are supported on the following platforms:
VMware ESX and ESXi
For installation and deployment procedures, see Using the VMware vSphere Hypervisor Web Client to Install ClearPass on a Virtual Machine.
Microsoft Hyper-V
For installation and deployment procedures, see Using Microsoft Hyper-V to Install ClearPass on a Virtual Appliance.
The ClearPass Policy Manager specifications are as follows:
ClearPass is available as hardware or as a virtual appliance. Virtual appliances are supported on VMware vSphere Hypervisor (ESXi), Microsoft Hyper-V, and Amazon EC2.
VMware ESXi 5.5 to 6.7
Microsoft Hyper-V Server 2012 R2 and 2016, and Windows Server 2012 R2 with Hyper-V
KVM on CentOS 6.6, 6.8
Amazon EC2
Deployment templates for any network type, identity store, and endpoint
802.1X, MAC authentication, and captive portal support
ClearPass OnConnect for SNMP-based enforcement on wired switches
Advanced reporting, analytics, and troubleshooting tools
Interactive policy simulation and monitor mode utilities
Multiple device registration portals—Guest, Aruba AirGroup, BYOD (bring your own device), and unmanaged devices
Admin/Operator access security via CAC (Common Access Card) and TLS (Transport Layer Security) certificates
RADIUS, RADIUS CoA, TACACS+, Web authentication, and SAML v2.0
EAP-FAST (EAP-MSCHAPv2, EAP-GTC, EAP-TLS)
PEAP (EAP-MSCHAPv2, EAP-GTC, EAP-TLS, EAP-PEAP-Public)
EAP-TTLS (EAP-MSCHAPv2, EAP-GTC, EAP-TLS, EAP-MD5, PAP, CHAP)
EAP-TLS
PAP, CHAP, MSCHAPv1, MSCHAPv2, and EAP-MD5
Wireless and wired 802.1X and VPN
OAuth 2.0
Microsoft NAP and NAC
Active Directory machine authentication
Online Certificate Status Protocol (OCSP)
SNMP generic MIB, SNMP private MIB
Common Event Format (CEF), Log Event Extended Format (LEEF)
Simple Certificate Enrollment Protocol (SCEP)
Enrollment over Secure Transport (EST)
Microsoft Active Directory
Kerberos
Any LDAP-compliant directory
ODBC-compliant SQL servers: Microsoft SQL Server, PostgreSQL, MariaDB, and Oracle 11g
Built-in SQL store
Built-in static-hosts list
Token servers
Built-in SQL store, static hosts list
Microsoft Azure Active Directory (via SAML and OAuth 2.0)
Google G Suite (via SAML and OAuth 2.0)
Web and CLI based management
IPv6-addressed authentication and authorization servers
IPv6 accounting proxy
IPv6-addressed endpoint context servers
Syslog, DNS, NTP, IPsec IPv6 targets
IPv6 Virtual IP for high availability
HTTP Proxy
Ingress Event Engine Syslog sources
Active: Nmap, WMI, SSH, SNMP
Passive: MAC OUI, DHCP, TCP, Netflow v5/v10, IPFIX, sFLOW, ‘SPAN’ Port, HTTP User-Agent, IF-MAP
Integrated and Third-Party: Onboard, OnGuard, ArubaOS, EMM/MDM, Rapid7, Cisco device sensor