The ClearPass Policy Manager™ Access Management System provides a window into your network and covers all your access security requirements from a single platform. You get complete views of mobile devices and users and have total control over what they can access.
The HPE Movement Towards Inclusive Terminology
As part of advancing HPE's commitment to racial justice, we are taking a much-needed step in overhauling HPE engineering terminology to reflect our belief system of diversity and inclusion. Some legacy products and publications may continue to include terminology that seemingly evokes bias against specific groups of people. Such content is not representative of our HPE culture and these samples will be archived as and when the related products reach end of life.
Usage | Old Language | New Language |
---|---|---|
Campus Access Points + Controllers | Master-Slave | Conductor-Member |
Instant Access Points | Master-Slave | Conductor-Member |
Switch Stack | Master-Slave | Conductor-Member |
Wireless LAN Controller | Mobility Master | Mobility Conductor |
Firewall Configuration | Blacklist, Whitelist | Denylist, Allowlist |
Types of Hackers | Black Hat, White Hat | Unethical, Ethical |
If you are new to ClearPass Policy Manager, refer to the following sections:
For a description of how to use the Dashboard, see Using the Policy Manager Dashboard.
For a list of common configuration tasks and pointers to information about how to perform each task, refer to Accessing Configuration Information.
If you are planning a new ClearPass Policy Manager deployment, refer to the ClearPass Deployment Guide.
The ClearPass Deployment Guide is organized in a way that presents the deployment and configuration sequences in the order in which ClearPass deployment should take place, and makes the major deployment tasks easy to implement.
With ClearPass, IT can centrally manage network policies, automatically configure devices and distribute security certificates, admit guest users, assess device health, and even share information with third-party solutions—through a single pane of glass, on any network and without changing the current infrastructure.
In ClearPass Policy Manager, a policy provides the rules that tell ClearPass when to execute profiles. Profiles are actions that are taken by ClearPass; for example, assigning a certain role to a user or enabling command authorization for different types of users on a switch. The actions specified in a policy are the profiles to be activated when specific conditions or rules are met.
A policy is then associated with a service. The service ties all the elements together: authentication sources, authorization sources, role-mapping, and enforcement policies.
The ClearPass Policy Manager platform provides role-based and device-based network access control for employees, contractors, and guests across any wired, wireless, and VPN infrastructure.
ClearPass works with any multivendor network and can be extended to business and IT systems that are already in place.
ClearPass delivers a wide range of unique self-service capabilities. Users can securely onboard their own devices for enterprise use or register AirPlay, AirPrint, Digital Living Network Alliance (DLNA), and Universal Plug and Play (UPnP) devices that are enabled for sharing, sponsor guest Wi-Fi access, and even set up sharing for Apple TV and Google Chromecast.
The power of ClearPass comes from integrating ultra-scalable AAA (authentication, authorization, and accounting) with policy management, guest network access, device onboarding, and device health checks with a complete understanding of context.
From this single ClearPass policy and AAA platform, contextual data is leveraged across the network to ensure that users and devices are granted the appropriate access privileges.
ClearPass leverages a user’s role, device, location, application use, and time of day to execute custom security policies, accelerate device deployments, and streamline network operations across wired networks, wireless networks, and VPNs.
ClearPass can be extended to third-party security and IT systems using REST-based APIs to automate workflows that previously required manual IT intervention. ClearPass integrates with mobile device management to leverage device inventory and posture information, which enables well-informed policy decisions.
ClearPass advanced policy management support includes:
ClearPass offers user and device authentication based on 802.1X, non-802.1X, and Web Portal access methods. To strengthen security in any environment, you can concurrently use multiple authentication protocols, such as PEAP, EAP-FAST, EAP-TLS, EAP-TTLS, and EAP-PEAP-Public.
For fine-grained control, you can use attributes from multiple identity stores, such as Microsoft Active Directory, LDAP-compliant directory, Open Database Connectivity (ODBC)-compliant SQL database, token servers, and internal databases across domains within a single policy.
Additionally, you can add posture assessments and remediation to existing policies at any time.
ClearPass provides a profiling service that discovers and classifies all endpoints, regardless of device type. You can obtain a variety of contextual data (such as MAC OUIs, DHCP fingerprinting, and other identity-centric device data) and use this data within policies.
Stored profiling data identifies device profile changes and dynamically modifies authorization privileges. For example, if a printer appears as a Windows laptop, ClearPass Policy Manager can automatically deny access.
Unmanaged non-802.1X devices (such as printers, IP phones, and IP cameras) can be identified as known or unknown upon connecting to the network. The identity of these devices is based on the presence of their MAC address in an external or internal database.
ClearPass Onboard fully automates the provisioning of any Windows, macOS, iOS, Android, ChromeOS, and Ubuntu devices via a built-in enrollment workflow. Valid users are redirected to a template-based interface to configure required SSIDs and 802.1X settings, and download unique device credentials.
Additional capabilities include the ability for IT to revoke and delete credentials for lost or stolen devices, and the ability to configure mobile email settings for Exchange ActiveSync and VPN clients on some device types.
ClearPass Guest simplifies workflow processes so that receptionists, employees, and other non-IT staff can create temporary guest accounts for secure Wi-Fi and wired network access. Self-registration allows guests to create their credentials.
ClearPass OnGuard, as well as separate OnGuard persistent or dissolvable agents, performs advanced endpoint posture assessments. Traditional NAC (Network Admission Control) health-check capabilities ensure compliance and network safeguards before devices connect.
You can use information about endpoint integrity (such as status of anti-virus, anti-spyware, firewall, and peer-to-peer applications) to enhance authorization policies. Automatic remediation services are also available for non-compliant devices.
For the latest information, refer to the ClearPass 6.7.x release notes.
RADIUS, RADIUS CoA, TACACS+, Web authentication, and SAML v2.0
EAP-FAST (EAP-MSCHAPv2, EAP-GTC, EAP-TLS)
PEAP (EAP-MSCHAPv2, EAP-GTC, EAP-TLS, EAP-PEAP-Public)
EAP-TTLS (EAP-MSCHAPv2, EAP-GTC, EAP-TLS, EAP-MD5, PAP, CHAP)
EAP-TLS
PAP, CHAP, MSCHAPv1, MSCHAPv2, and EAP-MD5
Wireless and wired 802.1X and VPN
OAuth 2.0
Microsoft Network Access Protection (NAP) and Network Access Control (NAC)
Active Directory machine authentication
Online Certificate Status Protocol (OCSP)
SNMP generic MIB, SNMP private MIB
Common Event Format (CEF), Log Event Extended Format (LEEF)
Simple Certificate Enrollment Protocol (SCEP)
Enrollment over Secure Transport (EST)
Microsoft Active Directory
Kerberos
Any LDAP-compliant directory
Microsoft SQL, PostgreSQL, MariaDB, and Oracle 11g ODBC-compliant SQL server
Built-in SQL store
Built-in static-hosts list
Token servers
Built-in SQL store, static hosts list
Microsoft Azure Active Directory (via SAML and OAuth 2.0)
Google G Suite (via SAML and OAuth 2.0)
Any SAML 2.0-compliant identity provider
The supported browsers for ClearPass are:
Mozilla Firefox on Windows 7, Windows 8.x, Windows 10, and macOS
Google Chrome for macOS and Windows
Apple Safari 9.x and later on macOS
Mobile Safari 5.x on iOS
Microsoft Edge on Windows 10
Microsoft Internet Explorer 10 and later on Windows 7 and Windows 8.x. When accessing ClearPass Insight with Internet Explorer (IE), IE 11 or above is required.
The special characters that are supported in passwords for all ClearPass modules (Policy Manager, ClearPass Guest, ClearPass Onboard, ClearPass OnGuard and ClearPass Insight) are described in the following table:
Special Character | Description |
---|---|
+ | Plus sign |
, | Comma |
- | Hyphen |
. | Period |
; | Semicolon |
= | Equal sign |
? | Question mark |
_ | Underscore |
Revision | Change Description | Revision Date |
---|---|---|
Revision 01 | Initial ClearPass 6.7.0 release | -- |
Revision 02 | Includes documentation for 6.7.1 features. | February 5, 2018 |
Revision 03 | Includes documentation for 6.7.2 features | March 21, 2018 |
Revision 04 | Includes documentation for 6.7.3 features | April 25, 2018 |
Revision 05 | Includes documentation for 6.7.4 features | June 8, 2018 |
Revision 06 | Includes documentation for 6.7.5 features | July 18, 2018 |
Revision 07 | Includes documentation for 6.7.6 features | September 14, 2018 |
Revision 08 | Includes documentation for 6.7.7 features | October 24, 2018 |
Revision 09 | Includes documentation for 6.7.8 features | December 5, 2018 |
Revision 10 | Includes documentation for 6.7.9 features | January 30, 2019 |
Revision 11 | For 6.7.10 release, added description of the JAMF endpoint context server Group Name attribute (see JAMF Endpoint Context Server "Group Name" Attribute). Clarified the description of the > " " parameter (see Table 1, OnGuard Settings Parameters). | April 22, 2019 |
Revision 12 | Includes documentation for 6.7.11 features | August 14, 2019 |
Revision 13 | Includes documentation for 6.7.12 features | October 30, 2019 |