Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

BYOD and Clearpass Rookie Questions

  • 1.  BYOD and Clearpass Rookie Questions

    Posted Jul 26, 2012 03:53 PM

    Hey all, brand new to ClearPass and Aruba products in general. I was wondering if anyone can explain how ClearPass works exactly? I read their BYOD whitepaper and their ClearPass datasheets, but I'm still having some trouble wrapping my head around how it works. I understand it is basically a physical or virtual device that runs the Policy Manager software along with the other optional modules, but I'm still lost.

    Specifically,

    1. If I already have a WiFi infrastructure in-place with non-Aruba gear, will it still work? Does it just "see" the various wireless networks or does it need to integrate with my current WAPs/controllers somehow?

    2. How does it auto provision/configure the various devices?

    So for example, I have a corp WLAN running WPA2 and 802.1x w/PEAP. I also have a guest WLAN. Can the ClearPass system take Joe Blow's Android device, detect it on the guest network, know that he is an employee and I want that Android device to be provisioned with the config for the corp WLAN, and then proceed to "push" that config out to him?

    Right now, we only allow corp issued devices with our configs pre-set. If a user can bring in their own device and we can push the config for their specific OS over the air, that would be ideal. Or am I missing the purpose of ClearPass entirely?



  • 2.  RE: BYOD and Clearpass Rookie Questions

    Posted Jul 27, 2012 11:44 AM

    Thanks for selecting Aruba and ClearPass. Let me try to help with your questions below:

     

    1. If I already have a WiFi infrastructure in-place with non-Aruba gear, will it still work? Does it just "see" the various wireless networks or does it need to integrate with my current WAPs/controllers somehow?

     

    Yes, ClearPass is multi-vendor by nature and leverages RADIUS for the vast majority of its network enforcement decisions, so assuming your existing network is RADIUS capable you will have a great solution for AAA and policy management.

     

    2. How does it auto provision/configure the various devices?

     

    ClearPass Onboard is an optional module that leverages a captive portal enabled workflow for provisioning various BYO devices for access to your secure network. This avoids the need for the employee to bring their personal device to the IT help desk to get provisioned onto the network.

     

    So for example, I have a corp WLAN running WPA2 and 802.1x w/PEAP. I also have a guest WLAN. Can the ClearPass system take Joe Blow's Android device, detect it on the guest network, know that he is an employee and I want that Android device to be provisioned with the config for the corp WLAN, and then proceed to "push" that config out to him?

     

    There are many different workflows you can enable with ClearPass to capture Joe's Android as he attempts to connect to the network. We have customers linking to the provisioning workflow from the Guest captive portal, others with dedicated provisioning SSIDs, and many enabling device profiling on their existing secure SSID to detect any BYO devices attempting to connect with just their AD credentials and redirecting them to the BYOD provisioning portal.

     

    Hope this helps and let us know how you get on with your deployment.


    Cam.




  • 3.  RE: BYOD and Clearpass Rookie Questions

    Posted Jul 27, 2012 01:29 PM

    Thanks for the info, but now I have more questions :)

     

    OK, so if ClearPass can visualize all devices on my WLANs, then that means I should be able to detect who has brought their own device and is trying to access corp resources without informing IT first, right? That's one of our biggest concerns, not knowing what's being used by personnel who have enough access.

     

    Does ClearPass also work as an MDM solution? For example, once we ID those BYODs can we do stuff to them such as remote wipe of just corp data, corp app deployment, etc.?

     

    What document do I need to read to see the nitty-gritty details of how ClearPass visualizes the devices on my WLANs and how it ties into my current WAPs/RADIUS server, etc.?

     

    Any info would be very much appreciated!


  • 4.  RE: BYOD and Clearpass Rookie Questions

    Posted Jul 27, 2012 09:27 PM

    No problems, here to help. Comments inline below.

     

    OK, so if ClearPass can visualize all devices on my WLANs, then that means I should be able to detect who has brought their own device and is trying to access corp resources without informing IT first, right? That's one of our biggest concerns, not knowing what's being used by personnel who have enough access.

     

    Absolutely, this is a common problem for organizations dealing with BYOD challenges, and the ClearPass platform has several approaches to solving them. If you were to go down the path of using our Onboarding technology, each BYO device will be provisioned with a unique device credential as part of the one-time enrollment process. This credential will then be used for all subsequent connections to the secure network. The absence of this credential is then a simple method to detect a new BYO device entering the network, and ClearPass can send a different enforcement method back to your WLAN equipment to ensure that the device is redirected to the provisioning portal. This enforcement method will differ from one WLAN vendor to the next, but typically there is a method to change how the device is admitted onto the network.

     

    The second approach is to use the ClearPass Profile technology, which listens to device-identifying data whilst a device connects to the network and uses this to identify the device type and apply business rules on how it should be treated. Again, ClearPass could use this device context to send a different enforcement method down to your WLAN network to trigger the redirect to the provisioning portal as required.

     

    Does ClearPass also work as an MDM solution? For example, once we ID those BYODs can we do stuff to them such as remote wipe of just corp data, corp app deployment, etc.?

     

    ClearPass is currently focussed on the provisioning of secure network access and not on managing the device itself. We have found with many customers that managing a device that is owned by the employee (BYOD) can create some friction and legal challenges around privacy (geo-location, personal apps installed, etc.) and also loss of personal data (family photos, purchased music) that outweigh the need to perform a function such as remote wipe. Many customers are leveraging existing solutions such as Exchange ActiveSync's ability to trigger a remote wipe, or looking to an MDM solution to tackle the management of their corporate-issued mobile devices.

     

    Aruba has partnerships with many of the leading MDM providers if you are interested in an integrated solution.

     

    What document do I need to read to see the nitty-gritty details of how ClearPass visualizes the devices on my WLANs and how it ties into my current WAPs/RADIUS server, etc.?

     

    Take a look at some of the Deployment Guides and Tech Notes published on the support site, and definitely work with your local Aruba partner or account team for further assistance on your project.
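As an added example (not ClearPass code and not from any post in this thread), the following toy model shows the enforcement decision the reply above describes: a device that authenticates with its unique Onboard-issued certificate gets the corporate role, a corporate-issued device in inventory using AD credentials gets the same, and a device that presents only user credentials and no device credential is sent a redirect to the provisioning portal. The Onboard CA name, the inventory, the VLAN numbers, the portal URL and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass

ONBOARD_CA = "CN=Onboard Device CA"       # assumed issuer name of the Onboard CA
CORP_INVENTORY = {"00-11-22-33-44-55"}    # constructed: MACs of corporate-issued devices
PORTAL = "https://onboard.example.test/"  # assumed provisioning portal URL


@dataclass
class AccessRequest:
    """The few facts of a RADIUS Access-Request that this decision needs."""
    username: str
    mac: str
    eap_type: str                 # "EAP-TLS" or "PEAP"
    cert_issuer: str = ""         # client certificate issuer; empty for PEAP
    profiled_as: str = "Unknown"  # device type reported by profiling


def decide(req: AccessRequest) -> dict:
    """Return the enforcement profile the NAS should apply to this request."""
    if req.eap_type == "EAP-TLS" and req.cert_issuer == ONBOARD_CA:
        return {"role": "corp", "vlan": 10, "reason": "onboarded device credential"}
    if req.eap_type == "PEAP" and req.mac.upper() in CORP_INVENTORY:
        return {"role": "corp", "vlan": 10, "reason": "corporate-issued device"}
    # Valid user credentials, but no device credential and not in inventory:
    # an unregistered BYO device, so redirect it to provisioning instead.
    return {"role": "provisioning", "vlan": 99, "redirect": PORTAL,
            "reason": f"unregistered {req.profiled_as} using user credentials only"}


def find_unregistered(requests) -> list:
    """Audit view: which users connected BYO devices without a device credential."""
    return sorted({(r.username, r.mac) for r in requests
                   if decide(r)["role"] == "provisioning"})


# Constructed sample traffic: an onboarded laptop, a corporate phone, and
# Joe's personal Android using only his AD credentials.
SAMPLE_REQUESTS = [
    AccessRequest("jblow", "aa-bb-cc-dd-ee-01", "EAP-TLS", cert_issuer=ONBOARD_CA),
    AccessRequest("jblow", "00-11-22-33-44-55", "PEAP"),
    AccessRequest("jblow", "aa-bb-cc-dd-ee-ff", "PEAP", profiled_as="Android"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.mac, decide(r))
    print("unregistered BYO devices:", find_unregistered(SAMPLE_REQUESTS))
```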