This is a write-up of the ClearPass Fundamentals session from the Aruba Networks Airheads EMEA 2013 conference. It was a whole-day session with labs, so I did my best to write up some notes to help others.
The heart of the ClearPass product is the ClearPass Policy Manager (CPPM). CPPM is responsible for controlling and managing the entire authentication and access process across the ClearPass architecture. The architecture includes:
- OnGuard – endpoint posture check, supporting Windows, Mac OS and Linux only at this stage. Typically used for corporate builds.
- Guest – captive portal to allow guests to access your network.
- Insight – provides reporting and monitoring. Discussed, but not really covered in any detail.
- Onboard – used for BYOD implementations to “onboard” devices onto your network.
So what exactly does the ClearPass Policy Manager do? ClearPass Policy Manager (version 6) performs the following key steps:
- Identify the network device (wireless controller, network switch etc.) that the client is connecting through (via service rules)
- Authenticate the user against an authentication repository (e.g. 802.1X, HTTP). Note: this could be different per network device
- Assign the user to a role based upon the authentication and authorisation result. Roles can define the type of access granted from specific device types
- Profile the device based upon information gathered during the stages above (DHCP packets, HTTP)
- Check the posture of the device (is a firewall running, is it virus free, etc.)
- The system then enforces the network administrator’s rules and applies specific actions (allow, deny, assign to a VLAN)
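As an added illustration of the six steps above (my own constructed example, not ClearPass code), here is a small Python model that walks one request through service selection, authentication, role mapping, profiling, posture check and enforcement; the NAD addresses, user, DHCP fingerprints and VLAN numbers are all made up.

```python
"""Toy model of the CPPM decision flow described above (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Service rules: the NAD the request arrives from selects the service (constructed).
SERVICES = {"10.0.0.1": "corp-802.1x", "10.0.0.2": "guest-portal"}
# Authentication repository standing in for AD: user -> (sha256(password), groups).
# Stand-in only; a real deployment delegates verification to AD.
USERS = {"alice": (hashlib.sha256(b"Winter2013!").hexdigest(), ["Employees"])}
# Profiling table: DHCP option 55 parameter request list -> device family (constructed).
FINGERPRINTS = {"1,3,6,15,119,252": "Apple iOS",
                "1,15,3,6,44,46,47,31,33,121,249,43": "Windows"}
VLANS = {"employee": 100, "byod": 200, "guest": 300, "quarantine": 999}

@dataclass
class Request:
    nad_ip: str          # network access device the client connects through
    username: str
    password: str
    dhcp_opts: str       # option 55 list seen by the profiler
    posture: dict = field(default_factory=dict)  # {"firewall": bool, "av": bool}

def authenticate(user, password):
    """Return the user's groups on success, None on failure."""
    rec = USERS.get(user)
    if rec is None:
        return None
    digest = hashlib.sha256(password.encode()).hexdigest()
    return rec[1] if hmac.compare_digest(digest, rec[0]) else None

def evaluate(req):
    """Walk the six CPPM stages; returns (action, vlan, reason)."""
    service = SERVICES.get(req.nad_ip)          # 1. identify the NAD via service rules
    if service is None:
        return ("deny", None, "unknown NAD")
    groups = authenticate(req.username, req.password)  # 2. authenticate
    if groups is None:
        return ("deny", None, "auth failed")
    device = FINGERPRINTS.get(req.dhcp_opts, "Unknown")  # 4. profile the device
    if service == "guest-portal":               # 3. role mapping uses auth + device
        role = "guest"
    elif "Employees" in groups and device == "Windows":
        role = "employee"
    else:
        role = "byod"
    healthy = all(req.posture.get(k, False) for k in ("firewall", "av"))  # 5. posture
    if role == "employee" and not healthy:      # 6. enforce: quarantine unhealthy corp builds
        return ("allow", VLANS["quarantine"], "posture failed")
    return ("allow", VLANS[role], role)
```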
Aruba ClearPass refers to the different components of its architecture as applications.
Guest or Visitor access
The guest user capability within ClearPass basically acts as a captive portal solution that either ACCEPTS or REJECTS requests sent to it by the network access control. Typically in a wireless network you will have 4 basic components: a wireless station (laptop, smartphone etc.), a wireless access point (i.e. the radio access point), the wireless controller (the device that the access points connect to) and the captive portal (the device that captures a user's request and asks them to authenticate). The Aruba Guest application is basically the captive portal, but is extremely customisable.
Onboarding BYOD devices
Depending on the type of BYOD device you are connecting to your wireless network, you will experience a different way of being onboarded. The user experience is much slicker for Apple devices (Mac OS X 10.6 and above, iOS 4 and above) due to Apple’s over-the-air provisioning protocol. Other device manufacturers are generally forced to onboard via a downloadable/installable application called QuickConnect. Both of these processes put a certificate onto the underlying OS and therefore require some elevated privileges.
Remember, Onboard is really all about BYOD, not about how you support other companies' corporate builds on your network. In that scenario you would use Guest access.
One of the most common use cases for authenticating users will be configuring ClearPass against Microsoft’s Active Directory (AD). ClearPass binds to the LDAP interface using a bind DN and password.
And finally … up next:
Aruba Workspace: Mobile Application Management grows up