ClearPass Gets More Than Just a Coat of Paint

By Ryan Adzima, Blog Contributor

Automation has been the top topic in the networking world for a few years now. With technologies like Puppet, Chef, Ansible, the SDN flavor of the week and more out there making large-scale networks easier to manage, why wouldn't it be? Who doesn't love giving up menial, repetitive tasks in favor of intelligent systems that do it for you and let you as the admin/engineer/architect deal with the real problems? Unfortunately, in the wireless space, much of this has passed us by. Now that's not to say there isn't some great stuff out there for us, but anyone who has configured an end-to-end wireless solution knows there's a lot of typing and clicking involved.

And then Atmosphere 2016 happened… maybe what I should say instead, though, is: and then HPE happened.

HPE (back when it was just HP) has contributed a mountain of technology to the networking world, most notably collaborating on the predecessor to SDN as we know it and founding the Open Networking Foundation. These first steps contributed to, and arguably led the way to, the revolution we see today in wired networking automation. Love them or hate them, they took some early risks and it has paid off with nearly all other vendors falling in line with the ideals laid down.

Now, you may be asking yourself "What has this got to do with wireless?" Honestly? Not a whole lot at the moment. What it does have a lot to do with is the evolution of the back end products that secure and support the networks we deploy. Specifically ClearPass. ClearPass 6.6, announced this past March in Las Vegas, is, in my mind, the product of a beautiful marriage of two companies that are willing to take risks and lead the way in new approaches to old problems.

What new features have me so beguiled? Let's look at a quick rundown of some of the enhancements (in order of my excitement):

New Interface for Insight

Insight is the reporting tool for ClearPass, which offers real-time visibility and analytics of what's going on in your network, giving you the ability to quickly troubleshoot and fix any issues that may arise. Following along with AirWave and the wireless controllers, ClearPass Insight is getting a fresh new makeover - and it's gorgeous.

Ingress Event Engine

ClearPass will now be able to operate as a syslog receiver. Messages from external devices can now trigger events or alerts within ClearPass. By responding to threats to or changes in the network based on syslog events, ClearPass can add another layer of security to the wired, wireless, and remote access components of your network.

Automatic Network Device Discovery

In what is sure to be one of my favorite features, ClearPass will now crawl the network segments you configure and discover new devices automagically. No more CSV files or manual entry for network access devices! This feature is vendor agnostic, reads directly from SNMP, shows device capabilities and info such as OS and software version (or anything else that can be gleaned from SNMP), and allows for quick and easy import. Additionally, you can assign profiles based on a number of factors like subnet, type, or vendor and automatically deploy differing policies - secure your network with even more context.

Custom Device Fingerprinting

Updating MAC OUI files, waiting for fingerprints to be released in the next update, not knowing if that device is really an AppleTV or not… Not anymore. ClearPass 6.6 introduces the ability to create your own device fingerprints. We're just seeing the beginning of the "IoT explosion" and devices are coming out faster than most can keep up with. Not only that, people are creating their own devices (me included) with the capabilities to do amazing, and amazingly destructive, things on your network. Being able to profile, identify, categorize, contain, or deny access is more important than ever.

ClearPass Exchange

ClearPass Exchange is how 3rd party applications integrate with ClearPass to provide enhanced functionality in a number of ways. Exchange integrations use ClearPass APIs and syslog correlation to create new features available to your network.

A quick example of this would be the Infoblox integration capabilities. ClearPass can share the username and MAC of a user through a set of APIs into your IPAM appliances allowing IP/MAC based policies, profiles, and reporting to be correlated and tied to specific users and devices. In the future, more of the available information could be shared from ClearPass to enhance these capabilities even further and who knows what functionality could be added.

With an impressive set of partners listed, including companies like Palo Alto, Google, Splunk, and many more, you can enhance your MDM/EMM rollout, add 2FA, SSO, and a multitude of other acronyms. Aruba is building a foundation for identity management and network context awareness upon which others can build. That's a pretty big deal in the network world. These days most companies approach products and features with an "I do this really well, maybe I should give that a try too" attitude instead of doing this even better and working with those who already do that really well, rather than competing against them as a latecomer to the game.

But the integrations get even better… (this is the part that ties back into all the HPE rambling at the beginning of this post)

ClearPass Extensions

ClearPass Extensions are a new approach to tightly integrated systems from multiple vendors. They are similar to ClearPass Exchange, yet completely different. Extensions offer deeper ties, more security, fewer moving parts, and much faster setup.

This is a game changer. Not just because of the ease of use. Not just because of the flexibility. This is where the willingness to try new approaches and the adoption of new technology comes into play.

How can you quickly enable these apps, deploy them so easily, and be sure they are safe, secure, and won't affect your ClearPass installation? Docker. Docker is a containerized system for rapidly deploying applications and their dependencies in a sandboxed environment. From their site:

"Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in."

I have only recently taken the dive into using Docker myself but it's clear the ClearPass team put a lot of thought into the best possible way to deploy this feature. No infrastructure to stand up for 3rd party integrations, no cluster of VMs, no messing with installation guides. Just point, click, secure.

For now, ClearPass Extensions are going to be developed on a case-by-case basis, but as time goes on it may be opened up to a larger community of applications offered by partners and customers alike. I don't disagree with this move; you don't want to just open the floodgates and let anyone in until you figure out how to ensure the sources are trustworthy and stable, but I'm hoping this comes sooner than later - when you open up a great platform as the foundation and allow people to build on it, you'd be amazed at what they come up with.

In my opinion, the bleeding edge heritage of HPE mixed with the brilliant team at Aruba is creating a nearly unstoppable force in the wireless world, much to the dismay of the many naysayers.