HPE Aruba Networking Blogs

The ClearPass Story

Let’s play a word association game. If I say, “Your enterprise network,” what would you say?

Sprawling? Difficult? Insecure? Powerful? Constantly Changing? Challenging? All of the above?

If we had to reduce that list to just one word, would it be “complex”?

If not, congratulations. For the rest of us though, despite our best intentions, networks have become more complex as we’ve moved from wired to wireless, to distributed, to remote, to cloud, to as-a-service, and wherever we go next. But no matter how much complexity your network encompasses, there is one fundamental requirement that doesn’t change. How do you make sure that only devices you know and trust can access it? Securely?

Network Access Control is a critical requirement of any network, yet it is probably the most underrated technology in a world currently dominated by talk of the Edge, SASE, Zero Trust, SD-WAN, and hybrid workplaces. ClearPass has been the standout performer in this space for over 10 years and continues to quietly get on with the job - working with any vendor’s infrastructure, and adjusting to changes in network technology with minimal fanfare. (For more information on this, check out this ClearPass timeline infographic from Data#3.)

So, how much do people know about the breadth of the Clearpass solution today? Especially now as IoT really takes off. I can promise there is a lot we need to tell you.

Let’s start with the rise of mobility and smart devices, which has meant that on average, there are 5 connected devices on the network per person.[1] This doesn’t mean everyone has 5 devices, but as a ratio, it generally holds true. Think of a laptop, mobile phone, smartwatch, smart speaker, tablet, etc. just as a starting point.

Now with IoT, that ratio is predicted to rise to 10 connected devices per person. Security cameras, sensors, smart appliances, smart lighting, etc. And every single one of those devices is a potential security risk. Just ask the casino in the US that was hacked via a connected fish tank! [2]

The situation is made worse because virtually anyone can connect anything to the network with just an SSID and a password, and the IT team would have no idea. Unless they had ClearPass.

That’s because ClearPass was built on the idea of Zero Trust before that term even entered our lexicon. Its entire DNA is based on the premise that nothing is allowed to connect unless it can be identified, classified, authenticated, and secured. Not those new security cameras your facilities team wants to add. Not that Smart TV in the conference room. And not that new smartphone one of your staff just purchased.

“But we don’t want to make it so hard for our staff and visitors! We need to be able to quickly connect new people and devices,” I hear you cry. Well, that’s also part of ClearPass’ capabilities, but let’s go back a step.

ClearPass is actually a family of products comprising Device Insight (detecting and classifying anything connected to the network), Policy Manager (comprehensive policy control and real-time enforcement), Guest (quickly and securely managing guest network access), Onboard (automatically configuring and provisioning mobile devices), and OnGuard (advanced endpoint posture assessments).

You can deploy one or more ClearPass products depending on your needs as they can all work standalone, but together they can share information that adds immense value. Let me give you a simple example.

You use ClearPass OnBoard to streamline and simplify the onboarding of new devices via a self-service portal. One of your staff has a new business issued laptop - that has been pre-configured with the right security controls - and their own personal mobile phone. And we’ve just onboarded both of them with all the information collected about those devices passed to ClearPass Policy Manager.

The devices both connect to the network using the same SSID, and ClearPass Device Insight detects and profiles them, passing the context of the device and the user to ClearPass Policy Manager. ClearPass Policy Manager is then able to authenticate and authorise the devices based on this context, applying appropriate policies that govern the access of each device. For example, allowing the enterprise laptop to access both the internet and intranet, but limiting the (relatively) unsecured smartphone to internet access only.

So, let’s delve a little further into ClearPass Device Insight.

Cloud-hosted, ClearPass Device Insight is like having an all-seeing eye, monitoring and controlling all device connections on all networks.

It continuously scans the networks to detect and collect information about devices such as attribution, destination IPs, and applications used. It then groups unknown and known devices into device clusters. Using user-defined device classification rules, it can also classify or reclassify devices that are discovered on the network that match the rule criteria. If a device or network activity changes, it catches that too. It also makes use of crowdsourcing technology to share new device information captured on networks across multiple ClearPass Device Insight customers' sites. In short, all devices are authenticated or authorised – completely eliminating unknown devices from the network without the need for manual intervention.

IT teams can then use the Device Insight user interface to gain granular visibility into the devices on the network and make more informed network access control decisions - either manually or via ClearPass Policy Manager.

But ClearPass’ tricks don’t stop there.

  • ClearPass Exchange is an open ecosystem of 3rd party integrations comprising out-of-the-box integrations with leading firewall, MDM, SIEM, and Endpoint security vendors, sharing context as described above for more granular policy application.
  • When it comes to identity, ClearPass can integrate with existing authentication and identity services such as Active Directory, or modern cloud identity stores such as Azure AD and Google Workspace. This allows innovative control of identity across corporate network boundaries, even to the point of sharing identity between trusted organisations without the need to constantly re-authenticate.
  • It can be deployed on-premises, in the cloud (as an app on AWS or Azure), or as part of Aruba’s network management platform, Aruba Central.
  • And as we mentioned before, ClearPass is network vendor-agnostic – you don’t need to have Aruba infrastructure to make use of ClearPass.

It has a whole host of other features and capabilities that allow organisations to build granular access security capabilities that can scale without adding unmanageable hurdles for staff and IT teams. It really is that ubiquitous piece of network functionality that every IT team should seriously explore.

As for what’s next? Well, it will keep integrating, adapting, and securing network access no matter what the next round of technology change brings. It’s one part of your network you never have to worry about.