Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

BYOD with enhanced policy management

  • 1.  BYOD with enhanced policy management

    Posted Jul 02, 2014 02:29 AM

    Hi,

     

    Can I achieve BYOD with enhanced policy management with only Aruba PEFNG licenses, without deploying Aruba ClearPass? This customer does not require any advanced onboarding features provided through ClearPass. Only considering the following features:

    · BYOD with enhanced policy management (device-level policies for iPads / laptops of the same user using a single SSID)

    · 3rd-party device profiling and access policing capability (profile, permit/deny access, drop, prioritize)

     

    Br,

    Nilanka Surain



  • 2.  RE: BYOD with enhanced policy management
    Best Answer

    EMPLOYEE
    Posted Jul 02, 2014 05:03 AM

    You are capable of much more granular policy with ClearPass.  For example, on the Aruba controller, you can put an iPad into a role or VLAN, but you cannot combine that with a user AD group requirement, for example.  When you need to provide enforcement for multiple policies especially with a single SSID, that is when ClearPass is needed.

     



  • 3.  RE: BYOD with enhanced policy management

    Posted Jul 02, 2014 10:08 PM

     

    As cjoseph notes, ClearPass has more integration tailored to the controller, and due to the first-rule-to-match behavior you can't build complicated expressions, though for a NAS the options are still quite impressive, and also some attributes can be sent to the AAA server to allow it to do the logic.  If the customer is asking about 3rd-party device classification integration, though, they might have a particular system in mind that they plan to use, so you might want to find out what that is and look at the specifics.  You can also do one level of fanciness by taking advantage of the difference between how the Role and the VLAN are selected.

     



  • 4.  RE: BYOD with enhanced policy management

    EMPLOYEE
    Posted Jul 02, 2014 10:14 PM
    I would have to disagree with the statement "you can't build complicated expressions". When done correctly through the use of multiple services and enforcement policies, you can build very complicated, powerful expressions to build policy.


  • 5.  RE: BYOD with enhanced policy management

    Posted Jul 02, 2014 10:21 PM

     

    I meant on the controller itself, not in CPPM, sorry I was not clear.