Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

ClearPass Policy Manager 6.8 Releases

This thread has been viewed 47 times

  • 1.  ClearPass Policy Manager 6.8 Releases

    EMPLOYEE
    Posted Mar 19, 2019 07:42 PM

    We are pleased to announce the immediate availability of ClearPass Policy Manager 6.8.0!  In addition to bug fixes, this release also includes several new features that our Engineering and QA team have worked tirelessly to include:

     

    New Entry and Access Upgrade licenses

    Why is this interesting? Allows customers to purchase a sub-set of ClearPass Policy Manager’s Access licensed functionality at a reduced price point.  These licenses do not allow use of TACACS+, profiling (including OnGuard licenses or integration with ClearPass Device Insight), or the use of 3rd party integrations such as Ingress Event Engine or Context Server Actions.  Customers who later change their mind may purchase the Access Upgrade licenses to upgrade from Entry licenses to Access license functionality.

     

    Aruba Multi Pre-Shared Key (MPSK) Support

    Why is this interesting? IoT devices typically fall into a category known as headless-devices that are unable to support advanced network security functionality such as 802.1X.  Aruba MPSK helps to overcome that lack of network security by generating a unique WPA2-Personal passphrase for each device. Leveraging the existing Device Registration capabilities, this release adds support for MPSK generation and management (supported with Entry or Access, no Onboard required) so that end users can create keys on their own without IT involvement. MPSK does not replace secure authentication methods like EAP-TLS for standard end-user devices like laptops, tablets and smartphones. MPSK is supported with AOS 8.4 Mobility Controllers and Instant.

     

    Support for WPA3-Enterprise (CNSA mode) Systems

    Why is this interesting? High security customers using Suite-B configured supplicants may use WPA3 with CNSA mode enabled to ensure compliance with their security policy.

     

    RadSec (RADIUS/TLS)

    Why is this interesting? Allows customers the ability to deploy RadSec using NAD-to-ClearPass Policy Manager and/or ClearPass Policy Manager-to-remote proxy using the RADIUS over TLS (RadSec) protocol that was initially released with limited functionality in 6.7.4.  This provides full compatibility of the service and expanded features.

     

    Agentless OnGuard

    Why is this interesting? Allows customers with domain-joined managed Windows endpoints the functionality of OnGuard without the need for end user intervention to deploy and manage endpoint agents. 

     

    Dual stack (IPv4 & IPv6) end device support for PostAuth v2

    Why is this interesting? Allows customers with IPv4 and IPv6 end device networks to select which IP address version(s) to use in post authentication events to partners such as Palo Alto or our own solutions like IntroSpect.

     

    Galleria 2.0 updates

    Why is this interesting? Updates the popular Galleria skin to support modern 2019 features such as gif support and updated images

     

    Several new/updated APIs

    Why is this interesting? Allows external access through RESTAPI access to several ClearPass Policy Manager functions. This release in particular completes the Certificate API.

     

    As always, please take note of the ‘Changes of Behaviors’ section of the release notes (https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.0/Default.htm).

     

    The update images have been posted to the legacy Aruba support site (Aruba Support site) and the ClearPass webservices software updates portal.  Posting to MNP and ASP will complete shortly.

     

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

     

    Best regards,

    The ClearPass Team



  • 2.  RE: ClearPass Policy Manager 6.8 Releases

    Posted Mar 20, 2019 04:29 AM

    Is it any webinar presenting the news in the new release planned?



  • 3.  RE: ClearPass Policy Manager 6.8 Releases

    Posted Mar 20, 2019 10:29 AM

    Hi ,

     

    There are no 6.8v files available on the legacy support site .

     

    Please provide more info on the new access licences ,

    what will happen to the old 6.7 access licence ? 

     

    Please confirm that the old guest api is still exist. 

     

    Regards , 

    Shay

     

     



  • 4.  RE: ClearPass Policy Manager 6.8 Releases

    EMPLOYEE
    Posted Mar 20, 2019 10:37 AM

    The update is slowly rolling out. It can take some time to appear globally.

     

    Please create individual threads for specific product questions.



  • 5.  RE: ClearPass Policy Manager 6.8 Releases

    MVP EXPERT
    Posted Mar 21, 2019 04:11 PM

    Hi Tim,

     

    When comes the download available on the legacy support site? Its stil not there. I can see the files availiable in ASP (locked) but my account cant be migrate from MNP to ASP at this moment.



  • 6.  RE: ClearPass Policy Manager 6.8 Releases

    EMPLOYEE


  • 7.  RE: ClearPass Policy Manager 6.8 Releases

    MVP EXPERT
    Posted Mar 21, 2019 05:09 PM

    Sorry didnt work. A critical error has occurred. You don't appear to have permission to see this item. Please check your login status.



  • 8.  RE: ClearPass Policy Manager 6.8 Releases

    MVP EXPERT
    Posted Mar 21, 2019 06:04 PM

    After create a trial license i was enable to download the images from HPE My Network Portal under "My Software".

     

    https://h10145.www1.hpe.com/downloads/ProductsList.aspx



  • 9.  RE: ClearPass Policy Manager 6.8 Releases

    Posted Mar 22, 2019 09:36 AM

    I don not see it on the download site yet, is there a link availble with release notes?

     

    Never mind: https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.0/Default.htm



  • 10.  RE: ClearPass Policy Manager 6.8 Releases

    EMPLOYEE
    Posted Mar 25, 2019 08:30 PM
    All ~
     
    Some of you noticed that you were only able to download the 6.8.0 files manually (the permission problem on the legacy support site was recently resolved), but that your ClearPass Policy Manager appliances were unable to find them. This is because we temporarily suspended the automatic downloads after some customers reported a problem with the upgrade not being completing the download before allowing you to attempt to install. This left a partial download on your appliance that then required TAC aid to resolve.
     
    To resolve the download issue we have release a new patch:
    ClearPass 6.8.0 Upgrade Preparation Patch for Software Updates Portal Downloads
     
    This patch must be installed prior to being able to download the 6.8.0 upgrade package when using the automated Software Updates capabilities. Manual package are not impacted by this change and do NOT require this patch.
     
    Best regards,
    The ClearPass Team


  • 11.  RE: ClearPass Policy Manager 6.8 Releases

    EMPLOYEE
    Posted Jun 19, 2019 06:04 PM

    Hello All,

     

    We are pleased to announce the immediate availability of ClearPass Policy Manager 6.8.1!  In addition to bug fixes, this release also includes several new features that our Engineering and QA team have worked tirelessly to include:

     

    Agentless OnGuard Improvements

    Why is this interesting? Customers no longer need to copy the checksum values between screens.  The data is now automatically populated unless the customer has opted to manually override this in use cases where they host the files on another server.

     

    Agentless OnGuard now officially supports Windows Server Core versions of Windows Server 2012R2 through 2019.  This allows Agentless OnGuard to operate on versions of Windows that do not have a UI.

     

    Improved Switch and Router Profiling Support

    Why is this interesting? SNMP profiling of NADs is now load-balanced across all nodes in a zone.  This allow for more efficient SNMP profiling.

     

    Source IP address and ports are now collected for all NetFlow versions (v1, v5, v6, v7, and v9) and sFlow.  The MAC address is also collected for NetFlow v9/IPFix and sFlow sources if it exists.

     

    Expanded Hypervisor Support

    Why is this interesting? ClearPass Policy Manager is now approved to run on the Microsoft Hyper-V Server 2019, as well as VMware ESXi 6.7 update 2 hypervisor platforms.

     

    Updates to Appliance Names

    Why is this interesting? The hardware appliance name changes introduced in Policy Manager 6.7 have made it difficult for some customers to identify the specific appliance model/version.  The names will now include their updated name as well as a hardware indicator.  This allows better identification of appliance hardware.

     

    RADIUS Responses are Dropped if Policy Server service is Unresponsive

    Why is this interesting? Normally Policy Manager’s RADIUS server will return a REJECT message if the policy server service was unresponsive or crashed.  The RADIUS service will now drop the request without sending a response, allowing NADs to fail over to alternate RADIUS servers easier.

     

    ClearPass Device Insight Integration Enablement

    Why is this interesting? Customers who are using both ClearPass Policy Manager and ClearPass Device Insight will be able to link the two systems together for better endpoint visibility and reporting. This feature enables the Policy Manager side of the integration but requires the upcoming ClearPass Device Insight 1.0.2 release before being ready for use. Additional content will be made available as we near the Device Insight 1.0.2 release.

     

    As always, please take note of the ‘Changes of Behaviors’ section of the release notes (https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.1/Default.htm).

     

    The update images have been posted to the support site (Aruba Support site) and the software updates portal.  Posting to MNP and ASP will complete shortly.

     

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

     

    Best regards,

    The ClearPass Team



  • 12.  RE: ClearPass Policy Manager 6.8 Releases

    EMPLOYEE
    Posted Oct 16, 2019 03:09 PM

    We are pleased to announce the immediate availability of ClearPass Policy Manager 6.8.3!  In addition to bug fixes, this release also includes several new features that our Engineering and QA team have worked tirelessly to include:

     

    Certificate Authentication with VMware AirWatch (MDM)

    Why is this interesting? VMware AirWatch recently began replacing authentication with tokens in order to use certificate-based authentication.  Policy Manager is now able to interact with AirWatch using certificates rather than tokens for a more secure authentication process.

     

    Push backups using NFS

    Why is this interesting? Policy Manager now supports pushing backups using NFS.  This allows customers who do not have SCP/SFTP environments available to back up to Microsoft Windows enabled systems.

     

    Enhanced Access Tracker filtering

    Why is this interesting? Customers can now find Access Tracker records with significantly less searching through long lists of filtered results.  Filtering in the Access Tracker screen now allows the use of additional attributes including posture, authorization, RADIUS, and computed attributes. 

     

    MPSK support using RadSec

    Why is this interesting? Customers using Aruba’s Multiple Pre-Shared Key (MPSK) to secure their IoT systems can now use RadSec (RADIUS over TLS) rather than only using RADIUS connections.

     

    OnGuard support for macOS Catalina (10.15)

    Why is this interesting? This release officially adds OnGuard support for the Catalina release of macOS.  Catalina now requires all programs to have attestation signing to be able to install when downloaded from a web browser.  This update allows customers to download and install OnGuard agents directly from web browsers without errors. 

     

    Support for wired Evil Twin detection

    Why is this interesting? Aruba controllers already prevent a cloned system from appearing on a network more than once, but wired networks are the new point of attack.  Inserting an unmanaged switch/hub into the network would allow attackers to clone an existing computer (IP address, MAC address, user agent, etc.).  Endpoints using OnGuard are able to interact with ClearPass to indicate whether a system has an Evil Twin.  ClearPass can then notify the last managed port to quarantine the system and/or alert administrators.

     

    List available posture updates

    Why is this interesting? OnGuard customers are now able to list out all supported information for Windows Hotfix Updates (by KBID) and Posture Signature Updates (by AV definition version, date, and/or signature).

     

    As always, please take note of the ‘Changes of Behaviors’ section of the release notes (https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.3/Default.htm).

     

    The update images have been posted to the support site (Aruba Support site) and the software updates portal.  Posting to MNP and ASP will complete shortly.

     

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!



  • 13.  RE: ClearPass Policy Manager 6.8 Releases

    EMPLOYEE
    Posted Nov 01, 2019 08:07 PM

    Hello All,

     

    We are pleased to announce the immediate availability of ClearPass Policy Manager 6.7 / 6.8 Hotfix for Brazil DST changes.  Brazil has decided to not observe Daylight Savings Time this year.  This change requires a hotfix on all 6.7 or 6.8 systems to ensure that the clock is properly corrected to indicate the accurate time.

     

    Unlike previous hotfixes, this hotfix can be installed on 6.7 or 6.8 systems so there is only one patch for all supported versions.

     

    This patch is only required for customers operating servers in Brazil configured to use local time. 

     

    There is a Known Issue with this patch is that the time zone on the publisher will reset to US Pacific time on cluster after the reboot.  This can be reset and the time restarted.  Subscriber and stand-alone nodes are not impacted.

     

    The hotfix image has been posted to the support site (Aruba Support site). Posting to MNP and ASP will complete shortly.

     

    A big thanks and congratulations to the ClearPass Engineering, and ClearPass QA teams for reaching this milestone!

     

    Best regards,

    The ClearPass Team



  • 14.  RE: ClearPass Policy Manager 6.8 Releases

    Posted Dec 16, 2019 08:24 PM

    December 16th, 2019

     

    Hello All,

     

    We are pleased to announce the immediate availability of ClearPass 6.8.4!  In addition to bug fixes, this release also includes several new features that our Engineering and QA team have worked tirelessly to include:

      

    Enhancement to the existing TACACS Authentication/Authorization processing

    Why this is interesting? - Extending the logic of TACACS authentication to return an authentication reject response when an authorization check fails. For example perhaps an authorizations check against the users AD Group membership fails, Policy Manager can now selectively return a reject response.

     

     

    Displaying the system-assigned Role ID for Policy Manager roles in the GUI

    Why this is interesting? – For customers that use the system-assigned Role ID to build role-mapping or enforcement-policy logic, using the Role ID provides extended options. This ID is now displayed on the individual roles under Configuration > Identity > Roles.

     

    An example of using Role ID values are shown below. image-2019-11-19-15-39-45-373.jpg

     

    Support for Active Directory site awareness

    Why this is interesting? – Policy Manager now supports Active Directory site awareness to assist with domain joins for password authentication. This ensures that a Policy Manager server uses the nearest AD Domain Controller(s) to avoid authentication delays. Site awareness information is dynamically provided during the join which avoids misconfiguration or the need for the CPPM administrator to know the AD topology.

     

      

    As always, please take note of the ‘Changes of Behaviors’ section of the release notes https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.4/Default.htm

     

    The update images have been posted to the support site (Aruba Support site) and the software updates portal.  Posting to MNP and ASP will complete shortly.

     

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

     

    Best regards,

    The ClearPass Team



  • 15.  RE: ClearPass Policy Manager 6.8 Releases

    EMPLOYEE
    Posted Mar 26, 2020 03:06 PM

    Hello All,

     

    We are pleased to announce the immediate availability of ClearPass Policy Manager 6.8.5!  In addition to bug fixes, this release also includes several new features that our Engineering and QA team have worked tirelessly to include:

     

    Certificate Based Context Server Action Support

    Why is this interesting? Many destination systems for Context Server Actions have been moving to add support for certificate-based authentication rather than OAuth2 or basic authentication only.  This will allow ClearPass Policy Manager to communicate with additional external systems that now support this authentication type.

     

    SSO Logout

    Why is this interesting? Customers using Policy Manager as the service provider (SP) who log out from the application, including administrative inactivity timeouts, will need to re-authenticate with the SSO IdP to re-connect.  This only applies to IdP systems that support the ForceAuthn = True systems.

     

    Chomebook Device Type Renamed

    Why is this interesting? This is a new behavior change.  Google Chromebooks have been renamed to be Chrome OS devices throughout the Onboard system.  This is only a UI change

     

    As always, please take note of the ‘Changes of Behaviors’ section of the release notes (https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.5/Default.htm).

     

    The update images have been posted to the support site (Aruba Support site) and the software updates portal.  Posting to MNP and ASP will complete shortly.

     

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

     

    Best regards,

    The ClearPass Team



  • 16.  RE: ClearPass Policy Manager 6.8 Releases

    Posted Jun 03, 2020 07:37 PM

    Hello All,

     

    We are pleased to announce the immediate availability of ClearPass Policy Manager 6.8.6!  This cumulative patch release focuses on addressing customer related issues and also includes new features.

     

    Support for VMware ESXi 7.0
    Why this is interesting? Customer infrastructure is continually evolving to meet new demands, customers’ needs to deploy and upgrade their underlying virtualization platforms to support these demands. Being able to support ClearPass Policy Manager running on the latest VMware ESXi 7.0 will quickly become critical.

     

    As always, please take note of the ‘Changes of Behaviors’ section of the release notes (https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.6/Default.htm).

     

    The update images have been posted to the Aruba Support Portal (ASP) and the ClearPass software updates portal.

     

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

     

     

    Best regards,

    The ClearPass Team



  • 17.  RE: ClearPass Policy Manager 6.8 Releases

    Posted Aug 26, 2020 08:57 PM

    August 26th, 2020

     

    Hello All,

     

    We are pleased to announce the immediate availability of ClearPass 6.8.7!  In addition to bug fixes, this release also includes several new features that our Engineering and QA team have worked tirelessly to include:

     

    • APIs
      • Addition of new API, ‘SessionAction’, with enhanced filters for flexibility and improved user experience to support disconnect or reauthorize active sessions for endpoints based on specific session attributes.

      • Enhanced ‘ApplicationLicense’ API includes up to date usage levels for licensed components.
    • Device Insight
      • Includes an option in ClearPass to designate a ‘Standby ClearPass Server’ within a cluster  for Device Insight integration.

      • Added a new option ‘Device Tags Update Action’ in ClearPass that allows to specify the action to be taken for the incoming Device Insight tag updates.

     

    • Endpoint Context Servers
      • Includes support for the latest SOTI API framework that supports OAuth2 authentication for SOTI Endpoint Context Server.

     

    • Policy Manager
      • Allows filtering of Trust List by Usage and Validity fields.

      • Addition of new SHA-2 root Certificate Authority (CA), ‘USERTrust RSA Certification Authority’ to the Trust List.

     

    As always, please take note of the ‘Changes of Behaviors’ section of the release notes (https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.7/Default.htm).

     

    The update images have been posted to the support site (Aruba Support Portal) and the software updates portal. 

     

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

     

    Best regards,

    The ClearPass Team



  • 18.  RE: ClearPass Policy Manager 6.8 Releases

    EMPLOYEE
    Posted Dec 09, 2020 05:01 PM

    Hello All,

    We are pleased to announce the immediate availability of ClearPass Policy Manager 6.8.8! In addition to bug fixes, this release also includes several new features that our Engineering and QA team have worked tirelessly to include:

     

    RADIUS traffic throttling

    Why is this interesting? In scenarios where an occasional, sudden increase in authentications per second might put an excessive load on the policy server, Multi-Master Cache, or Post-Authentication module, customers can set the throttling rate that can alleviate the load and ensure that the traffic is always processed. This feature is especially useful with customers using load balancers to ensure that traffic is regulated within their cluster nodes.

     

    Support for VMware vMotion while idle

    Why is this interesting? VMware ESXi customers have been able to use vMotion with ClearPass appliances in powered off state for some time, this now allows for the appliance to be idle (not actively performing authentication tasks) to also support vMotion move events.  It is still not supported to perform vMotion moves while the appliance has active client sessions.

     
    As always, please take note of the 'Changes of Behaviors' section of the release notes (https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.8/Default.htm).

     

    The update images have been posted to the Aruba Support Portal (ASP) and the software updates portal.

     

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

     

    Best regards,

    The ClearPass Team


    Original Message


  • 19.  RE: ClearPass Policy Manager 6.8 Releases

    EMPLOYEE
    Posted Mar 24, 2021 05:06 PM

    Hello All,

     

    We are pleased to announce the immediate availability of ClearPass Policy Manager 6.8.9! In addition to bug fixes, this release also includes several new features that our Engineering and QA team have worked tirelessly to include:

    Simplified Cluster Creation

    Why is this interesting? Removing the need to manually copy the certificates between nodes when making clusters, returns customers to the simple cluster registration workflow that was previously used.

    Troubleshooting Improvement

    Why is this interesting? Diagnosing issues frequently requires information from the cluster-wide parameters screen.  Customers have typically required to take a backup of the system to transfer this data to TAC for troubleshooting.  Now it is much easier as this feature allows customers to capture CPPM server logs with cluster-wide parameters in a separate log file.

    As always, please take note of the ‘Changed Behaviors’ section of the release notes (https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.9/Default.htm).

    The update images have been posted to the Aruba Support Portal (ASP) and the software updates portal.

    Please note that this release marks the End of Development on the 6.8.x version.  As noted on https://www.arubanetworks.com/support-services/end-of-life/#ClearPassSoftware the 6.8 release will reach end of life on 18 March 2022.

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

    Best regards,

    The ClearPass Team


  • 20.  RE: ClearPass Policy Manager 6.8 Releases

    EMPLOYEE
    Posted Oct 20, 2021 09:25 AM
    Hello All!

    We are making a one-time special CPPM Upgrade Release available for 6.8.9 to 6.9.7 DIRECTLY.  The 6.9.7 Upgrade Patch is now available.

    This patch is already available in both the CPPM Software Updates and ASP locations for use. It will ONLY appear if you are already at the 6.8.9 release (including if you have hot fixes applied). Using this is then able to directly update from your 6.8.9 version to 6.9.7 without the typical 6.8.9 -> 6.9.0 -> 6.9.7 process.

    Why did we do this?
    There are two primary reasons. The first is that we wanted to make it easy for customers to jump from the current security version (6.8.9) to the latest available 6.9.x version (you will still need to apply the security hot fixes once you upgrade). The second reason is that we have found a few customers who are experiencing a subscriber database lock after they upgrade to 6.9.0 that then requires significant extra time to resolve for customers and we want to avoid that risk to all customers.

    Is this going to be a regular thing?
    Unfortunately, no. We are doing this as a special release that will only allow customers at 6.8.9 or 6.7.14 releases to then jump directly to the 6.9.7 release with a single upgrade to help with the security events that will then minimize risk for people. We just want to make it easier for people to get to the next known secure release quickly.

    Does this mean I have to use this patch?
    No. While we have removed the 6.9.0 version from all 6.7.x and 6.8.x Software Updates screen options, it is still available at ASP to manually upgrade from other versions (e.g. 6.8.2 -> 6.9.0). The reason that we removed this was due to the fact that we are all conditioned to go to the .0 Upgrade normally and we wanted to make it clear to people that this jump-upgrade (or slipstream to borrow the word from Microsoft) release was available. The regular upgrade processes are still available for people, we just want to encourage everyone to go from 6.8.x to 6.8.9 and then directly to 6.9.7 (and then apply any hotf ixes).

    If you do desire to use the regular upgrade process, TAC is still willing and able to help assist you in the process if you have any problems or concerns. Please note that there is not a problem with 6.9.0; we have not pulled the release, it is only not displaying on these systems for download to facilitate the special patch.

    Please note that the release notes for 6.7.14, 6.8.9, 6.9.0, and 6.9.7 have all been updated to reflect this new option and behaviors to interact with and expect.

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

    Best regards,
    The ClearPass Team

    ------------------------------
    Bryan Lechner
    ------------------------------

    Original Message