Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Policy Manager 6.11 Release Notifications

  • 1.  ClearPass Policy Manager 6.11 Release Notifications

    EMPLOYEE
    Posted Oct 06, 2022 05:06 PM

    We are pleased to announce the immediate availability of ClearPass Policy Manager 6.11.0!

    The 6.11 release is a significant release for multiple reasons in addition to the excellent new features our Development, QA, and Documentation team have worked tirelessly to include.

    • This release moves from the legacy Aruba Lifecycle process to the modern Aruba Lifecycle process. The 6.11 release is a Long Support Release (LSR) meaning it will have a minimum of 2 years of active development and will be supported until the next LSR is released
    • This release changes the underlying base Operating System (OS) from CentOS to Red Hat Enterprise Linux (RHEL) 8.x. The system continues to be hardened and maintained by Aruba R&D team as previous OS versions have been.  This is still not considered a RHEL distribution OS despite the change.
    • The OS change has given us the opportunity to adjust drive partitioning. You will now have Active and Alternative partitions as well as a set of partitions that are always active (such as logs).  This also allows us to make the conversion on all customers from traditional BIOS to the modern UEFI/EFI boot loading system to improve security.  This change does require a reinstallation or reprovisioning process to occur.  Be sure to read the Release Notes for additional information on this.  Be sure to also read the ClearPass 6.11 Installation Guide to do this easily.

    Just a few of the other new features customers will see in 6.11 are:

    UI Improvements

    Why is this interesting? As customers' usage has changed, so has the UI.  ClearPass will now include the hostname in the browser Title to help identify when multiple tabs are open which host you are connected to.  Tables now have the freeze top row effect in many areas to help maintain data when using longer table value sizes.  Access Tracker now keeps the highlight on the row you are opening when you move the mouse away to better identify where you were.  Both Enforcement Policies and Enforcement Profiles allow you to re-order elements now.  Customers will now be able to work with larger Device Group sizes again, sizes are now 20 (default), 100, 500, and 1,000 again.

    Authorization with Azure Active Directory

    Why is this interesting? Using any authentication method, customers can now configure their ClearPass to use Azure Active Directory (AAD) as their authorization source.  This allows customers to use the Microsoft Graph API system to retrieve user group membership from AAD as customers are moving to the cloud without introducing security risks.

    IPv6 Expanded

    Why is this interesting? Support for IPv6 is now moving into the final stage.  Stage four (4) begins with IPv6 support in RadSec (all forms), Nmap profiling, and OnGuard in this release.  The system is also already in process to update our "IPv6 Ready" and USGv6.1 certifications.

    More REST APIs

    Why is this interesting? ClearPass has had open APIs forever.  All new features are developed in the RESTful API model, but many of the legacy APIs have not yet moved.  This release moves 8 of the most popular legacy APIs into REST and introduces Insight to the REST API space.  Automation hungry customers can rejoice the move, but we have more to do to complete the move to REST everyplace.  To customers still using Legacy APIs – don't worry, we may not be enhancing them any longer, but we don't plan to remove them anytime soon!

    Administrator Supportability

    Why is this interesting? Despite the best planning, not everything goes perfectly.  Sometimes this means that Administrators need to diagnose issues.  New features are added to help make it easier for admins to diagnose what may have happened or to make it faster to work with TAC if required.  Custom Fingerprint Rule changes are now logged in Audit Viewer. Logs can now be downloaded for specific modules only. RADIUS reload times are now logged at INFO log level.  Disk I/O metrics and TACACS+ lookup/processing times are logged.  For the adventuresome the Graphite data is now also available on ClearPass to work with using Grafana.  OnGuard customers can now "pull" logs from clients when they next connect to the network, so admins do not need to always be online.

    New Insight Reports

    Why is this interesting? We all know Marketing got a little carried away with Insight naming a few years back, but ClearPass Insight module is still the original.  This release adds new reports to help customers better track devices using MAC address randomization (also now noted as an attribute on Access Tracker entries).  A new dashboard has been added to display the most frequent MAC addresses making OnGuard posture requests to help identify network problems by identifying increases in authentications from specific clients.  Customers using EAP-TLS can generate reports now to identify the client versions in use, allowing them to weed out the TLSv1.0 and v1.1 systems on their network quickly.  A new compliance report is available to identify if the net-change in core configuration has changed through the day.  Individual audit messages continue to be available as always, but the new compliance report will indicate if the system is returned to "gold standard" configuration when run.  This release also adds REST API functionality to work with Insight reports!

    Variables in DUR & dACL

    Why is this interesting? Customers have been asking to return variables (like vlan-name %) in DUR and dACL definitions but have not been able to do this outside of using the IETF device definitions.  Customers are now allowed to return variables in DUR and dACL systems (subject to what the infrastructure NAD can accept).

    TACACS+

    Why is this interesting? TACACS+ has been around for nearly 20 years before it finally moved from "the draft" to an actual RFC in late 2020.  The RFC introduced a few changes that were implemented in earlier ClearPass releases, but the remaining RFC compliance functionality is now available.  With increased functionality, logging information has been increased to also allow customers to better track the lookup & processing times for the connections making it easier to work and troubleshoot when needed.

    TLS Session Cache for EAP authentication

    Why is this interesting? When enabled, changes in ClearPass that normally trigger all systems to re-auth in the background no longer require full authentication to occur.  Instead, the system will use the cached information to validate against.  This is especially useful in EAP-GTC environments where frequent changes would cause end users to re-enter MFA token passcodes frequently.

    CAPPORT (RFC 8908) Support

    Why is this interesting? The only thing that people hate more than captive portals are captive portals that don't trigger correctly when they join the network.  RFC 8908 allows the presence of the captive portal to be sent in the DHCP response (or RA or DHCPv6) to notify Android (v11+) and Apple (iOS 14+, macOS Big Sur+) devices to open the real browser automatically and connect to the portal.  No more mini browser that doesn't work all the time. 

    MAC Address Linkage to Central or COP Clients page

    Why is this interesting? A popular feature with AirWave customers has always been the ability to open the MAC address of a system from the Access Tracker in another tab on AirWave.  With more customers migrating to Central or Central On-Premises this is now able to provide the same functionality.  When linked the MAC address on an Access Tracker record can directly open the same client information in Central/COP.

    Beta Support MACsec

    Why is this interesting? ClearPass now includes support for MACsec (802.1AE) functionality.  It is currently only validated with Aruba switches (AOS-CX) but will be fully supported in the future as additional testing is completed.

    Onboard Certificate Mutual TLS Authentication

    Why is this interesting? Support for mTLS is something that is part of EST that was not included when ClearPass first added EST.  The system is now updated to support using mTLS to enroll (or update) certificates for devices like AOS-CX switches.

    OnGuard

    Why is this interesting? In addition to IPv6 support expanded, OnGuard now supports grace periods for all health categories, more than one (1) AV client check, certificate-based authentication on macOS and Linux clients, SHA2 (256 and 512) file hash checks.  Client logs can now be collected without needing to be online at the same time.  Administrators can trigger the client to upload OnGuard logs to a remote server when it next connects to the network without the administrator being present to trigger the collection.

    As always, please take note of the 'Changes of Behaviors' section of the release notes https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Default.htm. Note this URL will be used for all Release Patches going forward.  Also be sure to read the ClearPass 6.11 Installation Guide this time.

    The release images have been posted to the Aruba Support Portal (ASP) and the software updates portal.  VPC images will be available on AWS Marketplace and Azure Marketplace once approved from the vendors.

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

    Best regards,
    The ClearPass Team



  • 2.  RE: ClearPass Policy Manager 6.11 Release Notifications

    EMPLOYEE
    Posted Mar 02, 2023 08:15 PM

    Hello All,

    We are pleased to announce the immediate availability of ClearPass Policy Manager 6.11.2! This release being a Long Supported Release (LSR) is primarily focused on addressing identified issues for our customer base.

    As always, please take note of the 'Behavior Changes in 6.11.x' section of the release notes https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Default.htm.

    The images have been posted to the Aruba Support Portal (ASP) and the software updates portal.

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

    Best regards,

    The ClearPass Team



  • 3.  RE: ClearPass Policy Manager 6.11 Release Notifications

    EMPLOYEE
    Posted May 16, 2023 05:07 PM

    Hello All,

    We are pleased to announce the immediate availability of ClearPass Policy Manager 6.11.3!  In addition to bug fixes, this release also includes several new features that our Engineering and QA team have worked tirelessly to include:

    License Expiration in UI

    Why is this interesting? ClearPass 6.11 performs additional license checks for support contracts prior to upgrades and updates. Administrators can now view this information from the UI, not just CLI, to see the status of license support dates.

    Increased Endpoint Attribute Size Limits

    Why is this interesting? ClearPass 6.11 initially reduced the size of endpoint attributes to 4 KB, or the endpoint would not load into the service (it would still display in the UI or API).  This release increases the size to 128 KB.  Records with larger attributes will continue to display but will not load into policy decisions.

    Deprecation of Facebook Wi-Fi by Meta

    Why is this interesting? Reminder that Meta has decided to discontinue the Facebook Wi-Fi functionality starting 12 June 2023.  Customers using this are recommended to change prior to the termination date from Meta.

    As always, please take note of the 'Changes of Behaviors' section of the release notes https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Default.htm 

    The update images have been posted to the Aruba Support Portal (ASP) and the software updates portal.

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

    Best regards,

    The ClearPass Team




  • 4.  RE: ClearPass Policy Manager 6.11 Release Notifications

    EMPLOYEE
    Posted Jul 26, 2023 06:24 PM

    Hello All,

    We are pleased to announce the immediate availability of ClearPass Policy Manager 6.11.4!  This release being a Long-Supported Release (LSR) is primarily focused on addressing identified issues for our customer base. In addition, this release also includes the following new features that our Engineering and QA team have worked tirelessly to include:

    AOS-CX Integration for Device Fingerprint data

    Why is this interesting?  Starting with AOS-CX 10.11, ClearPass can integrate with AOS-CX switches to receive client device fingerprint data via RADIUS Accounting Requests and profile the client device accordingly.

    Disable RSA-PSS algorithm

    Why is this interesting? TLSv1.3 includes a requirement to support RSA-PSS signature algorithms.  Some TPM certificates have a firmware bug that incorrectly calculates the hash, resulting in invalid exchanges.  Because not all customers can easily upgrade the TPM firmware, and they do not want to leave their TPM-based EAP-TLS certificates, there is now an option to disable support of this within EAP transactions on ClearPass.


    As always, please take note of the 'Changes of Behaviors' section of the release notes https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Default.htm 


    The update images have been posted to the Aruba Support Portal (ASP) and the software updates portal.


    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

    Best regards,

    The ClearPass Team




  • 5.  RE: ClearPass Policy Manager 6.11 Release Notifications

    EMPLOYEE
    Posted Sep 27, 2023 06:45 PM

    Hello All,

    We are pleased to announce the immediate availability of ClearPass Policy Manager 6.11.5!  This release being a Long-Supported Release (LSR) is primarily focused on addressing identified issues for our customer base.

    As always, please take note of the 'Changes of Behaviors' section of the release notes https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Default.htm 

    The update images have been posted to the Aruba Support Portal (ASP) and the software updates portal.

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

    Best regards,
    The ClearPass Team




  • 6.  RE: ClearPass Policy Manager 6.11 Release Notifications

    EMPLOYEE
    Posted 17 days ago

    Hello All,

    We are pleased to announce the immediate availability of ClearPass Policy Manager 6.11.6!  This release is focused on bug and security fixes in alignment with the Long Support Release (LSR) model.

    As always, please take note of the 'Changes of Behaviors' section of the release notes https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Default.htm

    The update images have been posted to the Aruba Support Portal (ASP) and the software updates portal.

    A big thanks and congratulations to the ClearPass Engineering, ClearPass QA and TechPubs teams for reaching this milestone!

    Best regards,

    The ClearPass Team