Aruba ClearPass 6.7 – Simplification, Security and Success

The standout changes occur around licensing. Companies are changing their business practices, and we've taken measures to secure them. We are most successful when we foster collaboration in the workplace, and enterprises are increasingly hiring consultants, temporary employees and contractors. It's incumbent on the business to permit engagement, collaboration and infrastructure sharing without risk to the business. To that end, the full functions and features of ClearPass Guest are now included in ClearPass Policy Manager with no additional fee. We have also made changes to improve user experience and operational efficiency.

Additionally, we've moved from an "average usage" solution to a "concurrent usage" license. This makes planning and deployment more straightforward. We've also separated the acquisition of the virtual (VM) or hardware ClearPass appliances from the software "access" enabling license. Moving forward, we have a single VM, and Small, Medium and Large Hardware devices. Clustering capabilities continue to be supported for performance, resilience and scalability – and performance figures and deployment guides are published separately here.

"Access" licenses are now available either as perpetual or subscription licenses in 100, 500, 1000, 2500, 5000, and 10,000 concurrent device licenses. These access licenses include 802.1X, MAC Auth, TACACS, OnConnect, Secure Exchange, Endpoint Profiling and of course Guest.

In addition to simplifying the conventional access solution, we also wanted to reflect the change in culture towards BYOD. To that end, we've changed Onboard from a per-device license to per-user licenses. Gartner states an average of 3.5 devices per person, and this change in licensing is to ensure that the increasing number of devices connecting to the enterprise does not become an operations or security burden. Enabling a certificate authority and 802.1X in ClearPass is one of the quickest and simplest ways to secure mobile devices in the enterprise.

Here is an example between then and now:

Imagine an organization with the following characteristics for a given business day:

  • 6,000 endpoints using a mix of username/password and certificate (Corp/BYOD) based authentication
  • 2,000 IoT endpoints that use MAC address authentication
  • 1,000 guest endpoints that use self-registration or social logins

Given that all authentication methods are now equal in the new model, we have 9,000 endpoints to consider.

  • 3,000 endpoints that have OnGuard installed
  • 500 users that can onboard their devices as per the BYOD policy
  • We'll exclude the number of appliances needed in this example from a performance perspective for simplicity. In the old model, the number of appliances was part of the licensing count. In the new model, it is NOT!
  • However, we are only concerned with the maximum number of users concurrently authenticated/authorized.
  • If we believe that ALL the endpoints will be concurrently authenticated/authorized in a given day, we will need to license for 9,000. But given the network data available (e.g. DHCP max pool size and lease times, max firewall session usage), we are able to determine that only 6,000 endpoints are ever concurrently authenticated/authorized, so we only need 6,000 Access licenses.
  • OnGuard is going to be installed on 3,000 endpoints so we just need 3,000 OnGuard licenses.
  • Onboard is going to be used by 500 users so we just need 500 Onboard licenses irrespective of the number of endpoints.

The licensing changes are significant, but we've also added:

  • Endpoint profiling improvements
  • Enhanced support for IPv6
  • Support for a new virtualization platform, Amazon AWS
  • Improved internationalization support for Guest workflows
  • Client support improvements for OnGuard
  • Insight custom reporting and alerting options
  • ClearPass Extensions and API enhancements.

Most importantly, these changes came because we listened to you, our customers and partners – it's part of the Aruba culture – Customer First, Customer Last, and Partner Always.

If you are, thanks for being a customer, a channel partner, a colleague.