8/12/2019 ClearPass_FAQ
Aruba ClearPass Access Management System
FREQUENTLY ASKED QUESTIONS
ARUBA NETWORKS CHANNEL PARTNER CONFIDENTIAL - DO NOT DISTRIBUTE
AP-120 SERIES CONFIGURATION - CLEARPASS ACCESS MANAGEMENT SYSTEM - FREQUENTLY ASKED QUESTIONS
Table of Contents
General Product Questions
1. What is ClearPass?
2. How does ClearPass compare with what enterprises are doing today for BYOD?
3. Didn't Aruba address BYOD already? What does ClearPass add?
4. Are enterprises prepared for BYOD?
5. What are the different components of ClearPass?
6. Is ClearPass developed at Aruba or licensed?
7. When is ClearPass available?
8. What happens to Amigopod customers?
9. How will Amigopod customers upgrade to ClearPass Policy Manager?
10. Has Amigopod been removed from the pricelist and/or discontinued with the introduction of ClearPass?
11. I already have a RADIUS server. Why would I need to buy ClearPass Policy Manager?
12. Why is ClearPass Policy Manager better than my existing RADIUS server?
13. I already have Active Directory to authenticate users, why would I need this?
14. I already have a NAC solution and want to use ClearPass for provisioning devices. What can I do?
15. Will ClearPass work for users that connect to public cellular networks?
16. Is ClearPass NAC? Is it competitive for NAC opportunities?
17. How does ClearPass fit into Aruba's Mobile Virtual Enterprise (MOVE) architecture?
18. How does ClearPass integrate with Aruba's mobility controller appliance or virtual controller with Instant?
19. How does ClearPass differ from AirWave? Do I need both?
20. What are the key target markets for ClearPass?
21. Can ClearPass be deployed on existing networks or does the customer have to upgrade to Aruba wired and wireless?
Infrastructure Support
44. ClearPass is being advertised as an open, multivendor solution. Which vendor products does ClearPass interoperate with?
45. Is there a limit on the number of devices the ClearPass Policy server can support?
46. Can the ClearPass solution support policies where non-802.1X capable switches exist?
Device Profiling/Provisioning Support
47. Can ClearPass configure iOS, Windows, Android and Mac OS X devices for 802.1X?
48. Once a device has been onboarded is there any software left on the device?
49. What happens if someone loses a device, like a phone, that has been configured to access the secure enterprise network?
50. How does ClearPass uniquely identify and manage devices?
51. Is there an option for users to self-register BYOD devices like smartphones or gaming devices?
52. What type of device attributes are displayed within the ClearPass Policy Manager through self-registration or profiling?
ClearPass Appliances Information
53. Is ClearPass available as a turnkey appliance?
54. Can my customer install ClearPass Policy Manager on an existing server, and/or supply their own hardware?
55. Does ClearPass VM appliance software run on Linux or Windows?
Customer Evaluation Support
56. Are there evaluation versions of ClearPass Policy Manager and QuickConnect available for Aruba SEs?
57. How can my customer request an evaluation version of ClearPass?
Glossary of Acronyms
General Product Questions
1. What is ClearPass?
The ClearPass Access Management System is a new security services platform that offers
unparalleled simplicity when managing and applying secure role-based network access
across wireless, wired and VPNs.
Providing the industry's first and only framework built to successfully manage all aspects
of BYOD provisioning and onboarding, ClearPass makes it easy for IT and personally-
owned mobile devices to securely connect to any network.
- The first step is onboarding the device to the network. This includes automatically
  configuring the device's settings and assigning it a unique ID.
- Next it will invoke the appropriate policy. This essentially involves looking at all the
  relevant context of that user, their device and location, etc. while enabling the
  policy dynamically. It also allows that policy to change as the context of the
  connection changes.
- Finally, the framework handles enforcement of that policy across the global
  organization, over any vendor's wired, wireless and remote network.
2. How does ClearPass compare with what enterprises are doing today for BYOD?
Because BYOD is relatively new, there are many ways that enterprises are addressing
personal devices.
- Open network/Manual device configuration - many enterprises have not yet
  addressed the BYOD challenge. It is not uncommon for organizations to allow
  users to apply their username and password to any device. This means an
  employee's personal Kindle Fire would have the same level of access as a
  corporate-issued laptop.
- Virtual Desktop - some enterprises address the problem of BYOD with
  virtualization. In this scenario, no corporate data can be stored on the device and
  no applications can be run natively on the device. The challenge here is that VDI is
  limited in scope and in many cases, does not provide a user experience that is
  optimized for mobile handheld devices like the iPad. This is because VDI often
  replicates a Windows machine on a smartphone or tablet.
- VPN - Many enterprises are addressing BYOD with a short term workaround of
  virtual private networks (VPN). Personal devices must launch a VPN session in
  order to gain corporate network access.
- MDM - According to Gartner, the enterprise MDM market has more than 60
  players with a wide range of products, services and capabilities. These range from
  lightweight approaches that push small mobile agents to the device to
  heavyweight client-side management software that supports actions such as
  containerization and selective wipe.
- Access Control - Access Control vendors ranging from Bradford Networks to Cisco
  ISE address policy control for personal devices and will often assess the risk of the
  device before allowing it to access the network.
What makes ClearPass unique is that it does what all of the other point-products can't do:
it offers a comprehensive workflow for BYOD.
- Onboarding the device. Automatically provisioning the device's settings and
  checking to make sure the device has not been compromised in any way and does not
  present any risk.
- Handling policy decisions and policy enablement. Essentially taking in all the
  information about the context of the user and device and enabling the appropriate
  policy.
- Finally, handling enforcement of that policy across the global organization, over
  wired, wireless and remote.
3. Didn't Aruba address BYOD already? What does ClearPass add?
With the introduction of the Aruba MOVE architecture in early 2011, Aruba delivered
BYOD capabilities that addressed the primary challenge at that time, which was iOS
devices connecting to Aruba WLAN networks. MOVE also offered device fingerprinting,
self-serve provisioning of iOS devices and context-based policy enforcement across Aruba
networks.
administration interface. ClearPass Onboard offers full self-service provisioning for
Windows, Mac OS X, iOS, and Android devices that includes configuration of 802.1X
settings as well as the distribution and revocation of unique device credentials.
Additional features include the ability to push configuration settings for mobile email
with Exchange ActiveSync and VPN clients for some device types.
ClearPass Profile - ClearPass Profile, available as a software module of the ClearPass
Policy Manager, offers the only progressively tiered profiling service for discovering,
classifying and grouping all attached endpoints, regardless of the device type. A wide
range of unique contextual data, from MAC organizational unique identifiers (OUIs)
and DHCP fingerprinting characteristics to identity-centric data, can be collected to
create context-based access policies.
Stored data is also used to identify device profile changes and dynamically modify
authorization privileges. For example, if a printer appears as a Windows laptop,
ClearPass Policy Manager can automatically deny access.
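The profile-change check described above, as an added sketch that is not ClearPass code and not part of the original FAQ. The OUI prefixes, DHCP parameter-request lists, category names, and the `ProfileStore`, `classify` and `Decision` names are all constructed for illustration; it assumes a coarse OUI tier that a matching DHCP fingerprint overrides.

```python
from dataclasses import dataclass

# Constructed sample data: locally administered MAC prefixes and
# illustrative DHCP option-55 parameter lists, not real vendor values.
OUI_CATEGORY = {
    "02:AA:01": "Printer",
    "02:AA:02": "Computer",
}
DHCP_CATEGORY = {
    (1, 3, 6, 15, 44, 47): "Printer",
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "Computer",
}


def normalize_mac(mac: str) -> str:
    """Return the MAC as upper-case colon-separated octets."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(mac: str, dhcp_params=None):
    """Tiered classification: a DHCP fingerprint match beats the OUI guess.

    An unrecognised fingerprint falls back to the OUI tier.
    """
    if dhcp_params is not None:
        category = DHCP_CATEGORY.get(tuple(dhcp_params))
        if category:
            return category, "dhcp"
    category = OUI_CATEGORY.get(mac[:8])
    if category:
        return category, "oui"
    return "Unknown", "none"


@dataclass
class Decision:
    action: str    # "allow" or "deny"
    category: str  # profile kept on record for this endpoint
    reason: str


class ProfileStore:
    """Remembers each endpoint's profile and flags contradictions."""

    def __init__(self):
        self._profiles = {}

    def evaluate(self, mac: str, dhcp_params=None) -> Decision:
        mac = normalize_mac(mac)
        category, tier = classify(mac, dhcp_params)
        stored = self._profiles.get(mac)
        if stored is None:
            # First sighting: record whatever the best tier reported.
            self._profiles[mac] = category
            return Decision("allow", category, f"first sighting via {tier}")
        if category == "Unknown":
            # Nothing new learned; keep the stored profile.
            return Decision("allow", stored, "no new profiling data")
        if stored == "Unknown":
            self._profiles[mac] = category
            return Decision("allow", category, f"profile refined via {tier}")
        if category != stored:
            # Same MAC now looks like a different device class: deny and
            # keep the original profile so the conflict stays visible.
            return Decision("deny", stored,
                            f"profile changed from {stored} to {category}")
        return Decision("allow", stored, "profile unchanged")


if __name__ == "__main__":
    store = ProfileStore()
    printer_mac = "02-aa-01-00-00-10"  # constructed address
    print(store.evaluate(printer_mac, (1, 3, 6, 15, 44, 47)))
    print(store.evaluate(
        printer_mac, (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43)))
```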
ClearPass Guest - ClearPass Guest, available as a software module of the ClearPass
Policy Manager, simplifies workflow processes, allowing receptionists, employees and
other non-IT staff to create temporary accounts for Wi-Fi access. Once registered,
ClearPass Guest delivers account login credentials to users via SMS text message or
email. Accounts can be set to expire automatically after a specific number of hours or
days.
Role-based access control scales to thousands of users. A customizable guest portal
allows organizations to apply organization branding and user code of conduct
messaging. Self-registration and automated credential delivery streamline IT
operations and efficiency.
ClearPass QuickConnect - ClearPass QuickConnect offers an easy way for users to
self-configure their Windows, Mac OS X, iOS, Android and Linux devices to support
802.1X authentication on wired and wireless networks. Creating a uniquely simplified
workflow, ClearPass QuickConnect dramatically reduces helpdesk calls and IT
overhead, while propagating the deployment of secure network policies based on
802.1X.
QuickConnect is available as a cloud service and is licensed yearly based on the total
number of devices that require onboarding to an organization's secure network.
6. Is ClearPass developed at Aruba or licensed?
ClearPass consolidates three distinct integration and development efforts.
1. The acquisition of Amigopod in early 2011
2. The acquisition of Avenda in late 2011
3. Over one year of internal Aruba development on complementary technology that
was never productized.
These three technologies are brought together into one product offered as either a
hardware appliance (ClearPass Policy Manager + licenses) or with limited functionality as a
cloud-based service (ClearPass QuickConnect).
7. When is ClearPass available?
A limited number of ClearPass products are available on the Aruba pricelist as of January
2012. For SKUs and pricing, please download the latest Aruba pricelist.
Products available as of the January 2012 pricelist:
- ClearPass Policy Manager
- ClearPass OnGuard
- Amigopod (to be transitioned to ClearPass Onboard, ClearPass Guest)
Products available on the April 2012 pricelist:
- ClearPass Profile
- ClearPass Onboard
- ClearPass Guest

| | Before April 2012 (Current SKUs) | April 2012 (New SKUs) | August 2012 (Integration) |
|---|---|---|---|
| AAA | CPPM | CPPM | CPPM |
| NAC | CPPM OnGuard | CPPM OnGuard | CPPM OnGuard |
| Guest | Amigopod | Amigopod only | CPPM Guest |
| Profile | N/A | CPPM Profile | CPPM Profile |
| Onboard | QuickConnect, Amigopod MDPS | CPPM + Amigopod + Onboard | CPPM Onboard |

8. What happens to Amigopod customers?
The April software release of Amigopod will include additional operating system support
(Windows, OS X, Android) for MDPS and other incremental updates and bug fixes. This will
effectively provide ClearPass Onboard to Amigopod customers.
In the August timeframe Aruba is planning to release a common ClearPass platform that
will be capable of supporting both Policy Manager (+ OnGuard & Profile) and Amigopod
(+Guest & Onboard).
At that time, Amigopod customers can upgrade to ClearPass Policy Manager with
Onboard if required.
The following table looks at the upgrade path for both Avenda and Amigopod customers
to ClearPass.

| | Avenda | Amigopod |
|---|---|---|
| AAA | No change | Add CPPM |
| NAC | No change | Add CPPM + OnGuard |
| Guest | Upgrade license to Guest | Upgrade to CPPM + Guest license |
| Profile | Add Profile license | Add CPPM + Profile |
| Onboard | Add OnBoard license | Upgrade to CPPM + Onboard |

9. How will Amigopod customers upgrade to ClearPass Policy Manager?
This will not be a point and click upgrade for Amigopod customers and will most likely
require a second appliance (hw or vm) to build and restore that configuration backup in
parallel to the existing environment. Details on this upgrade procedure are still to be
determined as the development is not complete.
10. Has Amigopod been removed from the pricelist and/or discontinued with the
introduction of ClearPass?
No, the Amigopod product has not been removed or discontinued from the Aruba
portfolio of products. Instead, Amigopod will be absorbed into the ClearPass family and
rebranded as ClearPass Guest.
At its core, Amigopod delivers enterprise-grade guest access using personally-owned
devices into a corporate network, so it is a natural fit to include these capabilities under
the ClearPass umbrella of network security services.
11. I already have a RADIUS server. Why would I need to buy ClearPass Policy Manager?
ClearPass Policy Manager is required to run the Profile, Guest, Onboard and OnGuard
software licenses. Although there may be some overlap in functionality, the Policy
Manager provides policy management functionality not provided by standard RADIUS
servers. The Policy Manager can co-exist with existing AAA infrastructure by acting as a
proxy if needed. Customers can continue to run the two systems in parallel or can
migrate to ClearPass as the primary RADIUS server.
12. Why is ClearPass Policy Manager better than my existing RADIUS server?
Many existing AAA platforms, including RADIUS and TACACS+ servers, are legacy platforms
where many releases have reached their end of life. Examples are Cisco's ACS and Juniper's
Steel Belted RADIUS. In each case, customers are required to migrate to a new platform or
maintain two separate products. If you have experienced problems or if you are
concerned about continuing support of the existing platform, you should investigate
Aruba ClearPass. In addition, the requirements for AAA and NAC have changed
dramatically with the emergence of new demands on access security driven by BYOD
initiatives. Legacy platforms are not equipped to deal with this new paradigm. Here are
some of the differences between Aruba ClearPass and other AAA offerings:
Cisco ACS
- Many releases discontinued and EOL'd by Cisco
- No integrated NAC (posture/health-based enforcement)
- Performance issues when scaling for large deployments
- Weak multi-vendor network device support
- Poor reporting functionality
- Inflexible policy model: trouble supporting multiple auth sources & types
- Difficult to configure, manage, and deploy
- No integrated guest management function
Juniper UAC
- Difficult to install and manage (customer feedback)
- Most expensive solution on the market
- Works best with Juniper devices. Many features are not available in a multi-vendor
  network infrastructure
- Very basic guest management functionality
- No built-in endpoint device audit capabilities
- Must use the UAC Client (former Odyssey client) for advanced health capabilities
- Limited clustering for single management and scalability
- No utility for self-provisioning and configuration for user endpoints
Microsoft NPS
- No support for captive portals
- Only supports AD as an auth source (no SQL, no LDAP, no token server, etc.)
- No context-based policies. Access can only be granted on identity, not location,
  device, time of day, etc.
- Only VLAN-based enforcement: limited VSAs and no downloadable ACLs,
  TACACS+, or web-based enforcement
- Limited Windows-only health checks with NAP
- No VM deployment option
13. I already have Active Directory to authenticate users, why would I need this?
In order to satisfy many of today's usage scenarios while increasing the level of
security provided, an identity-based policy management system would be the best
approach. A full-featured solution like Aruba's can provide many more capabilities to
improve overall security and offload your IT staff from having to manage many aspects of
access control, guest management and helpdesk activities.
14. I already have a NAC solution and want to use ClearPass for provisioning devices. What
can I do?
For ClearPass Onboard the NAC solution would first scan the device for vulnerabilities and
only pass validated clients to ClearPass Onboard for provisioning.
ClearPass QuickConnect can be used to configure devices prior to connecting to 802.1X
networks. The existing NAC solution would then perform a basic health check once the
device authenticates onto the network.
15. Will ClearPass work for users that connect to public cellular networks?
Yes, for clients that use VPN clients such as Aruba's VIA client, a mobile device will always
redirect enterprise data back to the enterprise network and be subject to policies defined
for that network.
In the case of Aruba's VIA client, the VPN session is set up automatically, without requiring
the user to initiate it. This is very important as many devices today that have both Wi-Fi and
cellular capabilities will tend to roam between the two networks without alerting the user.
16. Is ClearPass NAC? Is it competitive for NAC opportunities?
While the definition for Network Access Control varies, ClearPass can be considered a NAC
offering. However, unlike traditional point NAC solutions, ClearPass brings together
role-based policy management, device onboarding, policy control and reporting into one
cohesive, easy to use system.
Competitive solutions are either multi-box or just point products, and do not offer the
ease of use or the multivendor support of ClearPass.
Note that Gartner rates ClearPass as the Most Visionary NAC solution on the market
today!
According to Gartner: "The company's ability to support Microsoft NAP-enabled
endpoints (Windows 7, Vista and XP SP3) without requiring an agent, its support for non-
Microsoft endpoints (via agents), and a strong road map for profiling features has earned
it a high score for Completeness of Vision."
17. How does ClearPass fit into Aruba's Mobile Virtual Enterprise (MOVE) architecture?
ClearPass enhances the Aruba MOVE architecture with access management functionality.
The ClearPass solution provides three key advantages:
- Works across every major mobile OS: Extends MOVE device onboarding benefits to
  include not only iOS but now Mac OS X, Windows and Android operating systems to
  deliver the most dynamic provisioning capable solution in the industry.
- Works over any vendor's network: ClearPass easily and securely extends Aruba's
  policy definition and enforcement capabilities, allowing Aruba customers to define
  and implement policies across multivendor wireless networks, switches, routers, and
  clients. As a result, Aruba can now deliver policy and role-based network access for
  any organization without the cost and complexities of other solutions while also
  providing full-featured device posture assessment and profiling.
- Security visibility and reporting: ClearPass extends Aruba's AirWave RF visibility to
  now include comprehensive security visibility and forensics needed to pinpoint root
  causes for network access issues, per-user bandwidth concerns and known endpoint
  vulnerabilities.
18. How does ClearPass integrate with Aruba's mobility controller appliance or virtual
controller with Instant?
Although ClearPass can be used on any vendor's wireless, wired, and remote network,
there are inherent advantages to using Aruba access networks for policy enforcement.
With the Policy Enforcement Firewall (PEF) capabilities that reside on the Mobility
Controller appliance and Instant virtual controller, policies that are defined on ClearPass
can be mapped directly to firewall roles on the controller. These firewall roles can then
take a variety of actions to improve the security and reliability of the network.
Other access networks will typically enforce policies by defining VLANs or downloading
Access Control Lists (ACLs) within switches and routers. This doesn't work very well in a
mobile environment because it maps to a VLAN-centric architecture. Because VLANs
weren't designed for policy enforcement, their use is limited and they are very difficult to
set up and maintain.
19. How does ClearPass differ from AirWave? Do I need both?
Aruba's AirWave product is designed to provide management and visibility for mobile
networks and connected users. AirWave is a network management system that employs a
user-centric approach, identifying who is on the network, where they are accessing the
network, the mobile devices they're using, and how much bandwidth is being consumed
by specific devices.
ClearPass complements a network management system like AirWave by providing
comprehensive management and reporting of security and policy transactions across the
network. ClearPass also provides advanced troubleshooting and forensics needed to
pinpoint root causes for network access issues and known endpoint vulnerabilities.
20. What are the key target markets for ClearPass?
Enterprise-class RADIUS/AAA services, robust policy management, dynamic device
provisioning and advanced guest access capabilities make ClearPass suitable for any
organization that wants to modernize their network access security infrastructure to
accommodate enterprise-wide mobility and employee BYOD initiatives. This would
include the following examples:
- K-12 and higher education institutions - District-wide or campus-wide access
  differentiation, visibility, troubleshooting and manageability that is easy to use and
  deploy.
- Healthcare clinics and hospitals - Mobile device and role-based user authentication
  with long-term archiving by user session to assist with HIPAA compliance
  requirements.
- Large enterprises, distributed enterprises - Scalability to manage tens of thousands
  of authentications, devices and mobile users with centralized, single-console operations.
- Retail organizations - Field-proven multisite support with integrated role-based policy
  assignment, monitoring and PCI compliance reporting.
- Government - Consolidation of policies across departments regardless of identity
  store type or administrative ownership, for wired and wireless access.
21. Can ClearPass be deployed on existing networks or does the customer have to upgrade
to Aruba wired and wireless?
The ClearPass Access Management system is the industry's first and only independent
platform for policy management, network access control, and BYOD provisioning and
onboarding. While there are advantages when deployed with Aruba wireless
infrastructure, Aruba ClearPass can be deployed with any existing network infrastructure
from any major vendor.
22. Is ClearPass easy to deploy?
ClearPass Policy Manager is a very easy-to-use and easy-to-deploy solution that includes
many tools to assist in deployment, including a configuration wizard, pre-configured
templates, and policy simulation, to name a few.
23. What are some of the opportunities to position ClearPass?
- The ClearPass Policy Manager can be used for RADIUS upgrades as a number of older
  standalone solutions from Cisco and Juniper have reached end-of-life (EOL).
- The Policy Manager can be used where other vendors' network access control
  solutions require a proxy to an enterprise-class RADIUS server.
- Any organization looking to deploy BYOD and identity-based policy management in an
  Aruba or mixed vendor environment can now choose a single platform that works
  across wireless, wired and VPN networks.
- The ClearPass solution can also solve customers' device profiling requirements using a
  tiered and dynamic profiling model which drastically improves the confidence level for
  accurately identifying endpoint devices.
- ClearPass Guest is a proven solution for any opportunity that requires guest access,
  enterprise and public access.
- QuickConnect allows you to sell into any non-Aruba environment.
24. How do customers order ClearPass?
ClearPass software module licensing is based on the total number of authenticating
devices. When ordering a ClearPass software license, it is important to identify the total
number of devices an organization currently utilizes and is looking to migrate towards in
the future to size the solution accordingly. The ClearPass software modules are
categorized in the following way:
- ClearPass QuickConnect - A cloud-based tool for IT administrators to build device
  configuration wizards for connecting devices to wireless or wired networks.
- ClearPass Policy Manager - The base platform (either a virtual server or full
  hardware/software turnkey solution) that includes AAA/RADIUS services, centralized
  policy management and enforcement functionality, and reporting capabilities.
  Additional functionality is derived by purchasing the following optional licenses:
  - ClearPass Onboard - Wizard-driven provisioning and onboarding of devices for
    wireless, wired, or VPN connectivity to address employee BYOD initiatives.
  - ClearPass OnGuard - Downloadable or dissolvable agents that perform health and
    posture assessments as well as remediation capabilities for any Windows or Mac OS
    X-based device before allowing these devices onto a secure network.
  - ClearPass Profile - Accurate identification and classification of devices attached to a
    secure network for policy definition and enforcement.
  - ClearPass Guest - Secure workflow for allowing guest access to a secure network.
Additional guidance around ordering a ClearPass solution as well as obtaining evaluation
licenses is available in the ClearPass Access Management System Licensing and Customer
Evaluation Support sections of this FAQ.
25. Does ClearPass provide an interface for integration with other customer infrastructure?
Yes, an open XML-based API allows for integration with existing IT service management
solutions and other custom applications. The use of an extensible API permits the
accessibility of ClearPass data to virtually any application developer without specialized
knowledge of the platform.
ClearPass Access Management System Core Features
26. What are some of the unique capabilities delivered with the ClearPass Access
Management System?
ClearPass is the only solution today to seamlessly enable BYOD using a complete user and
device lifecycle management model: device onboarding and enrollment, identity and
context-based access control, device revocation, and complete visibility. The ClearPass
policy engine allows for simultaneous policies using user identity/role-based assignments
(i.e. Active Directory credentials), MAC authentication (MAC auth), web authentication
(web auth) and 802.1X methods to differentiate user and device access.
27. What are the top advantages of the ClearPass Policy Manager AAA platform?
- The industry's most intuitive policy Admin interface. Includes pre-configured
  templates, built-in deployment and helpdesk tools, compliance reporting and
  more.
- Full featured policy management engine and AAA services that abstract the
  complexity of RADIUS and TACACS+ to support all popular use cases (802.1X, Web
  & MAC auth, etc.). Note that Cisco's ISE product and many point solutions from
  other vendors do not support TACACS+.
- Role-based differentiated access for employees, guests, partner/contractors, IT
  managed and BYOD devices, printers and more.
- Authentication and enforcement using standards-based protocols for any Aruba
  and multi-vendor WLAN, Wired, and VPN infrastructure.
- Innovative clustering techniques support a variety of local and remote deployment
  options where the Policy Manager can be centrally deployed or distributed to best
  suit customer needs.
28. What identity stores are supported by the ClearPass platform?
The ClearPass Policy Manager gives customers the option to authenticate and authorize
end users and devices against Microsoft Active Directory (AD), LDAP, SQL databases, two-
factor token servers, and an internal database.
The Policy Manager provides the advantage of being able to authenticate and authorize
against separate identity stores, i.e. authenticates users against Active Directory and
checks for MAC addresses against a SQL database.
29. How many unique accounts can ClearPass Policy Manager handle?
ClearPass is expected to scale to multiple millions of unique accounts. Aruba has tested a
configuration of 1.5 million entries in a single cluster of ClearPass appliances. This is not
the maximum capacity per cluster; this is the tested capacity with the hardware.
30. What devices are supported by the ClearPass Onboard and ClearPass QuickConnect
products?
By the April 2012 timeframe, both ClearPass Onboard and ClearPass QuickConnect will
support:
• OS X 10.5/10.6/10.7
• Windows XP/Vista/7
• iOS 5.0/5.0.1/5.1
• Android 2.2/2.3/3.x/4.0
• Linux - Ubuntu
31. What's the difference between ClearPass Onboard and ClearPass QuickConnect?
| | Onboard | QuickConnect |
| --- | --- | --- |
| Device Support | (iOS now, Android/Windows/Mac at the end of April, Ubuntu mid May) for dot1X | (Windows, iOS, Mac OS, Android now, Ubuntu mid May) for dot1X |
| Push Supplicants/Agents | Yes | Yes |
| Configure VPN | Yes | No |
| Configure Active Sync & Exchange | Yes | No |
| Install Programs/Apps | Yes (Windows only) | Yes (Windows only) |
| Push Unique Machine Credentials | Can push certificates (iOS/Mac Lion) and unique credentials (Android/Windows) to devices and revoke their access | No |
| Requires ClearPass Policy Manager | Yes | No |
| Administration | ClearPass Policy Manager | Cloud-based with yearly subscription |
| Use Case | Best for enterprise environments where there are multiple things to configure on new devices, especially environments where certs/credentials are required | Best for environments that experience constant change (universities) or organizations that are moving to dot1X and do not require certs/credentials |
| Works over Any Vendor's Network | Yes | Yes |
| License tracking | Through ClearPass Policy Manager | Cannot track how many users configure devices (sold by total number of users / honor system for adherence to purchased usage license) |
32. How is QuickConnect offered in the Cloud?
Administrative functions are managed in the cloud, where an administrator can configure,
download, and store 802.1X configuration install packages. The installation package is
then hosted locally and delivered from an IT-owned web server.
33. Why is profiling devices important to an enterprise?
The most basic requirement for profiling is just to find out what's on the network. This is
important not only for reporting but also to help with things like capacity planning.
More importantly, profiling is important for implementing policies. With BYOD,
enterprises need to create policies based on the context of the connection; who is
connecting, with what device, where and to what applications. But now that network
security and user experience are based on context, the accuracy of that context becomes
far more important. It is especially important to ensure the accuracy of things like user
role and device type. If I have different security roles for laptops and smartphones, I need
to be very confident that the network doesn't profile a device incorrectly and thus create
a security breach.
With ClearPass, Aruba now offers the industry's most accurate device detection
capabilities that can be used for access control.
34. How does Aruba's Dynamic Profiling differ from competitive offerings?
The Policy Manager platform is capable of using baseline fingerprinting data from DHCP
and web browsers within a policy, as well as using more advanced techniques directly
from Active Directory, device agents and provisioning data.
Competitive solutions usually stop at baseline fingerprinting. ClearPass Profile benefits the
most from the information gathered by provisioning the device. During provisioning,
ClearPass interacts directly with the OS kernel and has full visibility into device
characteristics. Solutions that don't provision the device cannot provide the same level of
profiling accuracy.
35. Where does network access control fit within the ClearPass solution?
ClearPass OnGuard licensing utilizes persistent and dissolvable agents to perform posture
and traditional NAC health checks against policies that reside in the Policy Manager. The
agents can authenticate any node in a Policy Manager cluster. Pre- and post-admission
controls are natively supported through NAC and Microsoft network access protection
(NAP) methods.
36. Is ClearPass Mobile Device Management (MDM)?
The ClearPass Access Management System currently employs a great deal of MDM
functionality specifically around configuring, provisioning and the secure onboarding of
computers, smartphones and tablets, as well as more advanced features such as configuring security, VPN and email settings, installing applications (note that application
installation is currently only for Windows devices), managing bandwidth and revoking
access for lost or stolen devices.
There are two reasons that Aruba is moving in this direction with ClearPass:
1. Better policy control - To do policy control in a BYOD environment, there is a great
advantage to also doing device provisioning. Provisioning the device and
associating a unique machine ID with that device provides a level of knowledge
and control that wouldn't be possible otherwise.
2. Less expensive for supporting mobile devices - The other reason is one of simple
economics. Customers don't want to have to buy yet another system for managing
devices. They would prefer that the access network do the majority of what MDM
does today. And they ultimately want the OS manufacturers to control what's on
the device with offerings like Windows Server or Mac OSX Server.
Much of what MDM does today will be marginalized as infrastructure vendors start to
handle the onboarding process. And Aruba is the first one to take this step.
Unlike MDM solutions, ClearPass will address not only handheld mobile devices like
smartphones and tablets, but also the next wave of employee-owned devices that often
consist of laptops and Ultrabooks. MDM is also limited to devices that have the MDM
agent installed, which may not be the case if a device doesn't trigger installation of the
MDM client through ActiveSync.
However, some customers may also be looking to perform remote wipes or otherwise
fully manage the firmware of a device. In this case, these customers should consider
Windows and Mac OS X servers that will handle all Windows, iOS and Mac OS X devices,
or third-party MDM products. For customers that have existing MDM solutions in place,
Aruba has validated interoperability with many of the major MDM providers.
37. What about controlling what apps are actually on the device? Some MDM vendors claim
they can do this.
Most enterprises don't want to dictate what an employee can download to their personal
device. What they want is to limit the use of certain apps when the device is connected to
their corporate network. This is the approach that Aruba ClearPass uses. ClearPass can set
policies based on application use and keep applications from traversing the corporate
network.
38. Can the ClearPass Policy solution be used for compliance requirements?
Customers are successfully using the ClearPass solution to capture and archive access data
in a variety of verticals such as higher education, healthcare, financial services and more.
The ability of the ClearPass solution to provide per session user and device information
satisfies many requirements associated with PCI, HIPAA, Sarbanes-Oxley, and more.
ClearPass Access Management Licensing
39. How are the ClearPass products packaged and delivered?
The ClearPass products are available in the following packages:
• ClearPass Policy Manager - available as either a 1U appliance or as a VMware virtual appliance.
• ClearPass OnGuard - orderable software license (ClearPass Policy Manager required).
• ClearPass Onboard - orderable software license (ClearPass Policy Manager required).
• ClearPass Profile - orderable software license (ClearPass Policy Manager required).
• ClearPass Guest - orderable software license (ClearPass Policy Manager required).
• ClearPass QuickConnect - currently available as a cloud-based service.
40. How does ClearPass Policy Manager handle redundancy and load balancing?
The ClearPass Policy Manager uses a clustering model that allows you to configure
additional appliances as subscribers to a designated publisher appliance. All
administrative changes are propagated from publisher to subscriber.
Authentications can also be shared across appliances (hardware and VM) in a cluster to
load balance incoming requests. Appliances can also be distributed in a cluster
deployment.
41. How can customers increase the number of devices that authenticate against the
ClearPass Policy Manager?
If the number of authentications surpasses the limit set on the existing ClearPass Policy
Manager hardware and VM appliance, additional appliances can be added in the cluster
model described above to support additional devices.
42. Is ClearPass OnGuard required for Policy Manager to work?
No, OnGuard is not required for Policy Manager to work. In fact many customers start
with identity-based authentication and AAA, and then add posture assessment and health
checks at a later time using persistent and dissolvable agents.
43. When would I purchase additional OnGuard licenses?
OnGuard licenses are structured so that customers can purchase OnGuard agents for all of
the computers within their organization or start with a targeted group of devices. For
example, a customer can start by only purchasing agents for their more mobile sales staff
and later decide to purchase additional licenses to support a greater number of
users/devices.
Infrastructure Support
44. ClearPass is being advertised as an open, multivendor solution. Which vendor products
does ClearPass interoperate with?
ClearPass Policy Manager, Guest and QuickConnect are currently deployed in networks that consist of Aruba Networks, Cisco, Hewlett-Packard, Enterasys, Juniper and other
network vendors' products across the globe.
Enterprise-class RADIUS, guest management and device provisioning services support
industry standards regardless of vendor or industry.
45. Is there a limit on the number of devices the ClearPass Policy server can support?
There is a range that is designated by the physical characteristics of the ClearPass baseline
appliance. To support a greater number of devices, customers can purchase additional
appliances to create a cluster that can support very large numbers of devices. For additional details and proper sizing of a ClearPass server, check the latest Aruba pricelist (https://compass.arubanetworks.com/SitePages/Products/Price%20Lists.aspx).
46. Can the ClearPass solution support policies where non-802.1X capable switches exist?
Yes. The use of OnGuard agents, or captive-portal registration, allows organizations that
are migrating to more secure 802.1X-capable devices to deploy policy management in a
phased manner.
Device Profiling/Provisioning Support
47. Can ClearPass configure iOS, Windows, Android and Mac OS X devices for 802.1X?
Yes. Aruba ClearPass is the only complete configuration, provisioning and onboarding
solution in the industry.
48. Once a device has been onboarded is there any software left on the device?
No. The ClearPass Onboard executable is purely a configurator; it doesn't actually
authenticate you. You will still need a valid cert and/or user account, both of which can
be deleted/revoked if an employee leaves a company.
49. What happens if someone loses a device, like a phone, that has been configured to
access the secure enterprise network?
ClearPass identifies each unique device associated with a user and access can be revoked
for that individual device without having to manipulate the user's AD or LDAP credentials.
50. How does ClearPass uniquely identify and manage devices?
ClearPass issues certificates for iOS and OS X Lion devices and unique credentials for each
Windows and Android device associated with a user so that it can take unique action on
that device. This certificate or credential acts as a unique machine ID.
Beyond this we inventory devices and embed data about the device that was enrolled
within the client certificate/credential such as MAC address, UUID, serial number etc.
These unique machine IDs are stored securely within the certificate store.
51. Is there an option for users to self-register BYOD devices like smartphones or gaming
devices?
Yes. A self-registration option allows users to enter information about their devices that
can then be used during authentication and authorization of devices to create a more
granular and secure policy.
52. What type of device attributes are displayed within the ClearPass Policy Manager through self-registration or profiling?
ClearPass Policy Manager provides the following client device attributes:
• Device type (i.e. iPhone, iPad, iPod)
• Device OS
• Device OS detail
• Manufacturer
• Model
• Serial number
• Network interface vendor
ClearPass Appliances Information
53. Is ClearPass available as a turnkey appliance?
Yes, ClearPass Policy Manager is available as a turnkey hardware/software appliance
optimized for running ClearPass software. There are three appliance versions (HW &
VMware) currently available:
1.) CP-HW-500/CP-VA-500 capable of scaling up to 500 total devices
2.) CP-HW-5K/CP-VA-5K capable of scaling up to 5000 total devices
3.) CP-HW-25K/CP-VA-25K capable of scaling to 25,000 total devices.
Ordering information is available in the Aruba price list (https://compass.arubanetworks.com/SitePages/Products/Price%20Lists.aspx).
54. Can my customer install ClearPass Policy Manager on an existing server, and/or supply
their own hardware?
Yes, ClearPass Policy Manager can be purchased in a VMware format for ESX
infrastructure and installed on customer supplied servers/hardware platforms. A sizing
guide for customer supplied hardware is available on Arubapedia (https://arubapedia.arubanetworks.com/arubapedia/index.php/ClearPass_Sizing).
55. Does ClearPass VM appliance software run on Linux or Windows?
No, ClearPass VM software is not supported on Linux or Windows platforms. Supported
versions of VMware are available in the product documentation located here: http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/EntryId/6867/Default.aspx
Customer Evaluation Support
56. Are there evaluation versions of ClearPass Policy Manager and QuickConnect available
for Aruba SEs?
Yes. Information regarding how to obtain an evaluation version of ClearPass Policy
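Manager can be found on Arubapedia (http://arubapedia.arubanetworks.com/arubapedia/index.php/AirWave_licensing#Aruba_SE_keys_for_personal_employee_labs). Please make sure that the instructions in the
"Licenses" section are followed.
SEs can obtain QuickConnect credentials on their own by entering their email address here: http://qceval.arubanetworks.com/quick1xAdmin/createEvalUser.php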
57. How can my customer request an evaluation version of ClearPass?
Customers interested in evaluating ClearPass Policy Manager, OnGuard, QuickConnect
and Guest can obtain a software evaluation license through their Aruba SE - ClearPass Eval
Request (http://demo.amigopod.com/partners/eval_request.php).
Glossary of Acronyms
802.1X - IEEE standard for port-based network access control
AAA - authentication, authorization and accounting
AD - Active Directory (Microsoft)
BYOD - bring your own device
DHCP - dynamic host configuration protocol
EOL - end of life
HIPAA - health insurance portability and accountability act
LDAP - lightweight directory access protocol
LMS - license management system
MAC auth - authentication using a media access control database
MDM - mobile device management
NAC - network access control
PCI - Payment Card Industry
RADIUS - Remote Authentication Dial-In User Service
SSID - service set identifier
TACACS+ - Cisco proprietary, terminal access controller access-control system plus
web auth - authentication using a captive portal
About Aruba Networks
Aruba Networks is the leading provider of next-generation network access solutions for mobile
enterprise networks. The company's Mobile Virtual Enterprise (MOVE) architecture unifies
wired and wireless into one cohesive network access solution based on a user's identity.
This gives your enterprise workforce secure access to network resources based on who they are
no matter where they are, what devices they use or how they connect.
Listed on the NASDAQ and Russell 2000 Index, Aruba is based in Sunnyvale, California, and has
operations throughout the Americas, Europe, Middle East, Africa and Asia-Pacific-Japan regions.
To learn more, visit Aruba at http://www.arubanetworks.com. For real-time news updates
follow Aruba on Twitter, Facebook, or the Green Island News Blog.
2011 Aruba Networks, Inc. AirWave, Aruba Networks, Aruba Mobility Management System, Bluescanner, For Wireless That Works, Mobile Edge Architecture, People Move. Networks Must Follow, RFprotect, The All Wireless Workplace Is Now Open For Business, Green Island, and The Mobile Edge Company are trademarks of Aruba Networks, Inc. All rights reserved. Aruba Networks reserves the right to change, modify, transfer, or otherwise revise this publication and the product specifications
1344 Crossman Ave. Sunnyvale, CA 94089-1113
Tel 408.227.4500 | Fax 408.227.4550 | [email protected] | www.arubanetworks.com