Access Management with Aruba ClearPass

Editor's Notes

• #5: The introduction of Wi-Fi enabled smart phones and tablets has changed the dynamics for rolling out new user devices and services. IT no longer has the ability to qualify which device a user receives, pre-configure them with work and security apps, and monitor their use. Personal devices are the new norm and successful deployments of new services like BYOD are gauged by days, not months. Other factors include the number of helpdesk calls and how happy the users are. With the speed in which devices are introduced, refreshed and replaced, lets look at some new IT issues that is faced with.
• #6: To eliminate silos Aruba ClearPass is designed to deliver user and device visibility, automated workflow services and policy management enforcement all from a single platform. Built-in device profiling provides a comprehensive picture of what’s connecting to the network which makes it simple to differentiate access for BYOD and IT managed devices. Real-time troubleshooting tools help IT create policies that work and also solve connectivity issues. For example, an access dashboard and per session logs allow IT to easily see why a user had a problem without having to peruse lengthy log databases. To help off-load IT, ClearPass includes automated features that allow users to self-provision personal devices and register media sharing devices like an Apple TV or just a printer. ClearPass Guest lets visitors self-register or sponsors can create credentials that automatically expire. Device management services extend MDM capabilities with network control and enforcement. A built-in CA can be used to distribute and manage device specific certificates. User can even re-install or revoke certificates for lost or stolen devices. The policy component brings it all together by allowing organizations to create granular policies for Aruba and multivendor Wi-Fi, wired and VPN networks. A role-based model allows you to assign and differentiate access by user, device and other contextual attributes like location, job function and device ownership. All this from a single pane of glass.
• #7: All of the features just described are delivered as hardware or virtual appliances that can authenticate up to 500, 5000 and 25000 unique devices per week. ClearPass is also unique in that the base appliance includes our entire feature set – RADIUS and TACACS services, policy engine, identity broker features, as well as each of the add-on modules in the form of a starter bundle for Guest, Onboard, OnGuard and WorkSpace. The add-on modules are expandable per use case which means that customers with 100 guests per week only need to license for that amount. The same goes for onboarding personal or BYO devices. They’re not required to purchase advanced licenses or features they won’t use. Other customer benefits include the ability to create policies that query multiple identity stores, connect multiple active directory domains, leverage external MDM solutions and work in Wi-Fi, wired and VPN environments. Again without purchasing special licensing.
• #15: User authentication attempt with jail broken device ClearPass quarantines device via RADIUS Using RESTful API, ClearPass automatically creates trouble ticket in ServiceNow including: User ID MAC address Device type Location Email sent to helpdesk staff
• #21: ClearPass provides added value as a combination of contextual attributes can be used to create very granular policies in networks where multivendor and Aruba Mobility Controllers are deployed. While permit/deny and VLAN enforcement is supported for non-Aruba equipment, ClearPass lets organizations create enforcement rules that take advantage of Aruba’s role-based enforcement features. Policies can be written that take advantage of per user firewalls and optimization for voice and video applications. Context can be used to differentiate employee access by device type and OS if needed. For example, Guest policies can be written that limit access to week days and not weekends. Or executives can be given full access for smart phones, while employees can be restricted to the Internet when using mobile devices.
• #37: 30:24 – 32:44
• #47: 30:24 – 32:44