Cloud Managed Networks


Forum to discuss all things related to HPE Aruba Networking Central and UXI Network Management, including deployment of managed networks, configuration, best practices, APIs, Cloud Guest, AIOps, Presence Analytics, and other included Applications

Aruba Central and ClearPass - new modern setup

  • 1.  Aruba Central and ClearPass - new modern setup

    Posted May 10, 2021 10:44 AM
    Hi all, I'm looking at Central for a brand new deployment. It's not easy to find good documentation about use cases and features. That's why I'm asking you for a little help.
    The goal is to manage everything from the cloud console, with nothing on-prem except some devices (APs, switches, gateway). Also, many APs will be at home offices (teleworking).

    All endpoints are fully Microsoft 365, including Microsoft Intune. Windows 10 PCs are already managed by Intune policy. Devices and users authenticate against the Microsoft service (Azure AD) with MFA enabled and some conditional access policies. There is no legacy Active Directory and no traditional LDAP server!

    For the main office, we will deploy a new security gateway and some APs.
    We want to do some NAC or 802.1X auth to permit only corporate devices on the corporate network.
    We also want remote connection with VPN to the main office to reach some old legacy systems.

    We want the authentication for VPN AND the authorization for NAC or 802.1X to be the Microsoft account, either by asking Intune if the PC is compliant/recognized or by asking for user authentication (depending on policy), and working with Microsoft MFA enabled on that account.

    Bottom line: we want the Microsoft 365/Azure service to be the only auth provider.

    So, here are the assumptions:
    a) We will be able to manage APs, switches and the security gateway directly from Central
    b) The use of ClearPass is mandatory to be able to build NAC policy

    But ...
    Questions:
    1) Can ClearPass be subscribed to 'as a service' in Central? We don't want to deploy a server on-prem, and preferably not manage a virtual appliance
    1b) If it can be 'included' in Central, how is it licensed? By number of users?

    2) I saw some videos about Intune integration. Can ClearPass simply check if devices are compliant/recognized in Intune to give access to the network (either VPN, wired or Wi-Fi)?

    3) Would some elements be possible even without ClearPass? Can we bind the security gateway directly to Azure AD as a provider to challenge authentication?

    Thanks all for your comments and suggestions.


  • 2.  RE: Aruba Central and ClearPass - new modern setup

    EMPLOYEE
    Posted May 17, 2021 01:55 PM
    Hi,

    While ClearPass Device Insight is built into Central, the Policy Manager solution would currently require an appliance or running it in a VM. I guess you could run the VM in a cloud instance though.

    tf

    ------------------------------
    Trent Fierro
    ------------------------------



  • 3.  RE: Aruba Central and ClearPass - new modern setup

    MVP EXPERT
    Posted May 17, 2021 06:38 PM
    Aruba ClearPass Policy Manager can be deployed in Azure, but it is recommended to contact your Aruba Partner or SE for advice.

    ClearPass can't use Azure AD as an authentication source, therefore you can use EAP-TLS without checking authorisation (basically just check the client certificate is valid and from a trusted CA). You can use the Intune integration tool in the ClearPass Guest module to use Intune attributes in your ClearPass policies.

    Please understand that when ClearPass is in the cloud you don't have any authentication when your internet connection is down, and RADIUS requires low latency (a normal stable internet connection is fine). These are some things to consider when placing ClearPass in the cloud or on-premise. It all depends on sizing.

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACMP | ACCP | ACDA | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------