
ClearPass Extensions: A Way to the Future

By François Vergès, Blog Contributor

There is no question that enterprise wireless networks require a high level of security. Implementing that security is often complex, and the resulting mechanisms are not easy for end users to use. Our goal, as engineers, is to provide secure access to the network while keeping it easy for the end user to connect.

I believe that Aruba ClearPass will allow us to get there eventually, thanks to its extensions. Moreover, network engineers are starting to think like software engineers, which will eventually lead to making our networks smarter.

What Is An Extension? 

By itself, ClearPass is already a very powerful tool, and it becomes even more powerful with the use of extensions. An extension is a microservice that runs in its own container, independently of the ClearPass operating system, and that ClearPass uses to communicate with external systems. Because extensions are developed as microservices, they can be integrated into ClearPass without any major changes to the OS. The model is very flexible, and extensions are easy to add and remove. You can think of them as applications on a phone: we can install, update and remove applications without having to update the phone OS.

Extensions allow ClearPass to interact with external systems. They can be leveraged to perform advanced authentication, two-factor authentication, apply policies or firewall rules, onboard guests onto the Wi-Fi networks or manage BYOD devices. The list of use cases is endless.

Who Is Developing These Extensions?

Extensions are developed by Aruba in partnership with any company wanting to connect their systems and applications to ClearPass. Here are a few examples:

  • Google: Built-in ClearPass integration for MDM and authentication services.
  • Duo Security: Application-based two-factor authentication that includes geolocation, VPN, open network, and role- and device-specific access controls. Adds secondary auth for users/devices previously authenticated via ClearPass.
  • Palo Alto Networks: ClearPass integration for identity-based access policies for employees and guests.
  • Splunk: Combine with ClearPass for comprehensive network access authentication and event correlation.

The complete list of extensions can be found here. This list will keep on growing over time.

Now, let’s try to live in the future for a moment. We know that extensions allow us to link the access to the Wi-Fi network to external systems. With that in mind, I present a couple of use cases we could implement in the (near) future.

Hotel Wi-Fi Auto-registration and Auto-connection

It would be nice if we could receive the credentials to connect to the hotel Wi-Fi network as soon as we book the room. At the same time as receiving your invoice, you could receive your login information for the Wi-Fi network. We could even imagine implementing strong security on the Wi-Fi network and having the credentials delivered to the guest’s device prior to visiting the hotel.

There would be no need to ask the receptionist for the Wi-Fi information, and the connection to the Wi-Fi network would be secured and transparent to the user. Easier for everyone.

Auto Device Classification

More and more, we don’t know which devices will be connected to our enterprise Wi-Fi networks. It used to be a subset of managed devices, but nowadays, more and more unknown devices are brought onto the Wi-Fi. The issue is that we don’t know in advance how we want to handle them.

So now, imagine that your network access control solution is smart enough to detect the device connecting, determine which type of device it is, and compare the profile of this device to already-connected devices. It could then be smart enough to assign the right policies to this device so it just works for the end user without impacting the rest of your network or creating security breaches.

The future looks very promising. Tools such as ClearPass extensions will allow us to provide a better user experience and ensure the security of our enterprise networks.

Follow François Vergès on Twitter at @VergesFrancois.