ClearPass Policy Manager

Transcription

1 Manager The most comprehensive network access policy enforcement platform for BYOD Key features Unsurpassed multivendor wireless and wired interoperability Built-in guest, profiling, network access control Onboarding of leading endpoint operating systems Easy-to-use policy creation and troubleshooting interface Proactive policy simulation and testing utilities Real-time user and device access logs track each authentication Convenient dashboards for user and device authentication analysis Published and open API for simple third-party integration MDM interoperability via API connector services Fully-replicated active clustering for high availability, redundancy and load balancing Advanced reporting, analytics, alerts and archiving for compliance and auditing The Manager platform includes ClearPass Guest, ClearPass Onboard and ClearPass OnGuard applications. The Manager platform makes it easy to secure next-generation mobility services, enhance network access security and compliance, and streamline network operations for wired, wireless and VPNs. The industry s most comprehensive policy management system, ClearPass offers role-based policies, detailed endpoint profiling, enterprise-grade RADIUS/TACACS+, BYOD and Apple Bonjourenabled device registration, mobile device management (MDM), and administrative web access. ClearPass is available as an enterprise starter bundle with guest access, device onboarding and posture assessment capabilities for up to 25 endpoints. Additional ClearPass Guest, Onboard and OnGuard licenses are available for a larger number of devices. Whether local or remote, ClearPass makes it effortless to centrally manage and enforce user- and device-based access policies across multivendor campus and distributed network infrastructures, regardless of device ownership or connection method. The ClearPass advantage ClearPass satisfies the demand for secure and efficient network access, policy enforcement and BYOD deployment. From one easy-to-manage platform, ClearPass presents a complete and accurate view of who and what has connected to wireless and wired network. Simplicity An intuitive web interface for administration and userdriven service portals ensures that mandated security measures are easy to implement and maintain, without requiring additional IT resources, management applications or appliances. Operational efficiency A complete out-of-the-box platform, ClearPass includes differentiated role-based access, enterprisegrade AAA, BYOD provisioning, device profiling, advanced reporting, and MDM capabilities across wireless, wired and VPNs. Innovation ClearPass includes many innovative BYOD capabilities, including uncommonly simple policy management, customizable guest access features, the ability to onboard hundreds of thousands of mobile device, and certificate management applications. The result is consistent, automated and secure network access that meets today s evolving BYOD and IT-managed mobile device requirements delivered from a single, extensible platform with capabilities that grow and adapt to changing business needs.

2 Advanced enforcement capabilities Broad multivendor support ClearPass includes a full complement of enforcement options for the largest possible mix of use-cases and does not require a forklift upgrade to the network infrastructure. Using any 802.1X or non-802.1x-enabled APs or switches, ClearPass enforces a wide range of context-aware policies, including dynamic role-based access, VLAN and ACL assignments, and application-aware quality of service (QoS). With ClearPass, a single policy can leverage multiple identity stores, including Microsoft Active Directory, LDAP-compliant directories, ODBC-compliant SQL databases, token servers and internal databases. This enables IT to manage and enforce network access at multiple levels and across domains when merging organizations or departments. Identity stores also can be used for authentication and ongoing authorization of users and devices. Integrated device profiling Built-in profiling discovers, categorizes and maintains a real-time database of endpoints, regardless of device type and IP address. The collected data MAC OUIs, DHCP fingerprinting, CDP/LLDP and onboarding inventory is then used to enforce context-aware access policies. Profiling offers the visibility to determine mobile device adoption and ownership. It also modifies authorization privileges when device profile changes are detected. So, if a printer appears as a smartphone, ClearPass automatically denies access and quarantines the device. Built-in BYOD enablement A fully functional captive portal supports wired and wireless user authentication from a single Manager web page, which enhances the BYOD user experience and reduces administrative overhead. It also includes Aruba AirGroup services, which let users register and share Bonjour-enabled ipads, Apple TVs and printers across VLANs. It optionally supports device registration to enforce policies based on the MAC address of gaming devices, printers and wireless IP cameras. In BYOD environments with mobile device management, ClearPass can probe MDM databases for jailbroken status, password strength and other device information, and apply it to access policies. This safeguard can be used for any device that connects based on MDM status. Unmanaged endpoint access Unmanaged non-802.1x devices printers, IP phones and IP cameras can be identified as known or unknown when they connect to the network and their MAC addresses are verified through profiling or against an external or internal database. After this verification process, Manager will create policies that enforce differentiated access for these devices whenever they connect to the network and regardless of their location. Scalable BYOD applications Built-in endpoint capacity enables IT to fully leverage all ClearPass Policy Manager features and rightsize BYOD deployments to accommodate the number of employees, devices and guests that connect via wireless, wired and VPNs at no additional cost. Secure device onboarding To ensure secure access for BYOD, ClearPass Onboard automatically provisions employee-owned Windows, Mac OS X, ios and Android devices for 802.1X authentication and issues a unique device credential that can be revoked if a device is lost or stolen. Additional information collected by ClearPass during the onboarding process such as device serial number, operating system version and model number is applied to wireless and wired network access policies. Customizable guest access and management ClearPass Guest makes it easy to implement self-registration and sponsor-based registration for guest Wi-Fi access. Sponsor roles let receptionists and non-it personnel create differentiated and group guest accounts and distribute credentials before visitors arrive. Self-registration and automated credential delivery streamlines IT operations and efficiency. Accounts can be set to automatically expire after a specific number of hours or days without IT involvement, and login credentials can be dispatched via , SMS or label printers. A customizable guest portal simplifies the creation of branded login screens, posting of code-of-conduct messaging, and placement of advertisements and relevant organizational updates based on user role, location, department and venue. Real-time posture assessments ClearPass OnGuard runs operating system, anti-virus, antispyware and firewall health checks to ensure compliance and network integrity before guest and employee-owned devices connect. OnGuard enforce policies for Windows, Mac OS X and Linux via persistent or dissolvable agents. ClearPass OnGuard advanced posture checks also allow peerto-peer apps, bridged network interfaces, VM instances, USB storage devices and specific registry key entries. For a seamless user experience, automatic remediation services are available for non-compliant devices. Manager appliances Manager is available as hardware or a virtual appliance. Both have identical functionality and capacity to support 500, 5,000 and 25,000 unique authenticating devices. It can be configured in publisher/subscriber mode for active clustering of multiple appliances. The Manager virtual appliance is optimized to run on 64-bit VMware ESX and ESXi platforms, versions 4.0 (minimum), 5.0 and 5.1.

3 SPECIFICATIONS Aruba Manager Comprehensive identity-based policy engine Built-in AAA services RADIUS, TACACS+, Kerberos Web, 802.1X, non-802.1x authentication and authorization File- and directory-based encryption OnGuard agents for Windows, Mac OS X, Linux operating systems Support for multiple Active Directory domains Built-in advanced reporting, analytics and troubleshooting tools External captive portal redirect for multivendor networks Interactive policy simulation and monitor mode utilities Deployment templates for any network, identity store and endpoint Framework and Protocol Support Microsoft NAP, NAC RADIUS, RADIUS CoA, TACACS+, web authentication, Kerberos PEAP (EAP-MSCHAPv2, EAP-GTC, EAP-TLS) EAP-TLS EAP-FAST (EAP-MSCHAPv2, EAP-GTC, EAP-TLS) TTLS (EAP-MSCHAPv2, EAP-GTC, EAP- TLS, EAP-MD5, PAP, CHAP) PAP, CHAP, MSCHAPv1 and 2, EAP-MD5 Wireless, wired and VPN 802.1X Windows machine authentication MAC auth (non-802.1x devices) Audit (rules based on port and vulnerability scans) Supported Identity Stores Microsoft Active Directory Kerberos Server Any LDAP compliant directory Any ODBC-compliant SQL server Token servers Built-in identity store Built-in static hosts list RFC Standards 2246, 2248, 2548, 2759, 2865, 2866, 2869, 2882, 3079, 3579, 3580, 3748, 4017, 4137, 4849, 4851, 5019, 5216, 5280 Internet Drafts Protected EAP Versions 0 and 1, Microsoft CHAP extensions, dynamic provisioning using EAP-FAST, TACACS+.

4 Appliance Specifications CPU Manager-500 (1) Dual Core Pentium 2.9-GHz G850 Manager-5000 (1) Quad Core Xeon 2.66-GHz X3450 Manager (2) Quad Core Xeon 2.66-GHz X5650 Memory 4 GB 8 GB 48 GB Hard drive storage (1) 3.5 SATA (7K RPM) 500-GB hard drive (2) 3.5 SATA (7.2K RPM) 500-GB hard drive PERC H200 RAID-1 controller (4) 2.5 SAS (10K RPM) 300-GB HotPlug hard drives PERC 6/I SAS RAID controller Network ports (2) Gigabit Ethernet (2) Gigabit Ethernet (2) Gigabit Ethernet Appliance Scalability Maximum devices 500 5,000 25,000 Form Factor Dimensions (w x h x d) 16.8 x 1.7 x x 1.7 x x 1.7 x Weight (max config) 14 Lbs 39 Lbs 39 Lbs Power Power consumption (maximum) 260 watts max 250 watts max 717 watts max Power supply Single Single Dual hot-swappable (optional) AC input voltage 110/220 VAC auto-selecting 110/220 VAC auto-selecting 110/220 VAC auto-selecting AC input frequency 50/60 Hz auto-selecting 50/60 Hz auto-selecting 50/60 Hz auto-selecting Environmental Operating temperature 10º C to 35º C (50º F to 95º F) 10º C to 35º C (50º F to 95º F) 10º C to 35º C (50º F to 95º F) Storage temperature -40º C to 65º C (-40º F to 149º F) -40º C to 65º C (-40º F to 149º F) -40º C to 65º C (-40º F to 149º F) Operating relative humidity 20% to 80% non-condensing 20% to 80% non-condensing 20% to 80% non-condensing Maximum humidity gradient Storage relative humidity Operating vibration Storage vibration Operating shock Storage shock Operating altitude Storage altitude

5 ORDERING GUIDANCE Ordering the Manager involves the following steps: 1. Determine the number of unique authenticating devices within your environment. This total includes printers, smartphones, computers, etc. 2. Choose the appropriate hardware or virtual appliance to accommodate the total number from above. 3. Select any additional licenses Onboard, OnGuard and Guest to accommodate the total number of devices for each of these applications. Anything over 5,000 total application licenses will require the purchase of a second Manager appliance. Example For secure BYOD provisioning of 2,000 mobile devices, ensure that the Manager platform is sized to accommodate the 2,000 mobile devices and anything else that will authenticate, such as via 802.1X and MAC auth. Purchase ClearPass Onboard licenses for 2,000 total devices to support the provisioning requirement. Additional Onboard licenses can be purchased as required. ClearPass Virtual Appliance CP-VA-5K ClearPass Onboard 2 X LIC-CP-OB-1K Ordering Information Part Number Description CP-HW-500 or Aruba Manager 500 hardware platform supporting a maximum of 500 authenticated devices CP-VA-500 CP-HW-5K or Aruba Manager 5K hardware platform supporting a maximum of 5,000 authenticated devices CP-VA-5K CP-HW-25K or Aruba Manager 25K hardware platform supporting a maximum of 25,000 authenticated devices CP-VA-25K Optional software (available as perpetual and 1-, 3- and 5-year subscriptions) LIC-CP-OB-XXX* ClearPass Onboard provisioning (includes ArubaCare support) LIC-CP-OG-XXX* ClearPass OnGuard device posture (includes ArubaCare support) LIC-CP-GM-XXX* ClearPass Guest (includes ArubaCare support) Inclusive License LIC-CP-EN-XXX* ClearPass Enterprise bundle that includes option to selectively use Onboard, OnGuard, or Guest licenses Warranty Hardware 1-year parts/labor** Software 90 days** * Software module licenses are available in the following increments, where XXX indicates the number of authenticated devices: 100, 500, 1,000, 2,500, 5,000, 10,000, 25,000 and 50,000. ** Extended with support contract Crossman Avenue. Sunnyvale, CA ARUBA Tel Fax [email protected] 2012 Aruba Networks, Inc. Aruba Networks trademarks include AirWave, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System, Mobile Edge Architecture, People Move. Networks Must Follow, RFProtect, and Green Island. All rights reserved. All other trademarks are the property of their respective owners. DS_ClearPass_PolicyManager_121312