The most difficult part of any network engineer’s job is securing the unknown devices users will connect. How many times has a facilities manager gone through an RFP process to enhance controls of their HVAC and power control systems, awarded a vendor a contract, and had that vendor complete the work and connect insecure IoT controllers to your network? Never, right? But it’s coming. What if there were a way to prevent a possible catastrophe when an unknown HVAC controller all of a sudden starts talking to your file servers?
Aruba ClearPass running version 6.6 now gives administrators peace of mind by providing the ability to profile and apply policies to specific devices on wired networks through the use of OnConnect. While the vast majority of these IoT devices run a variant of Linux and may not be 802.1X compliant, profiling within ClearPass will fingerprint and scan a device to determine what it really is, giving you the insight to see whether it is a laptop running Linux or a maliciously installed Raspberry Pi. For example, if we were to connect a printer to the network, ClearPass would profile that device using DHCP profiling, LLDP, SNMP, and Nmap scanning to determine what type of device it is. Once we have identified the device as a printer, we automatically assign it to the printer VLAN via OnConnect, which uses SNMP traps sent to the switch.
Of course, if your devices are 802.1X compliant, ClearPass provides a consistent experience but uses a different workflow. When users connect and disconnect their devices, a secure workflow utilizes AAA and 802.1X protocols, which are especially important on wireless networks. ClearPass keeps your network and devices secure while giving greater control over policy enforcement.
OK – now you have all these devices connected, but what if you want to gain Insight into what these devices are, see who is consuming the most bandwidth, or proactively troubleshoot authentication errors? Then ClearPass Insight has what you are looking for. The completely revamped interface takes a less-is-more approach, giving administrators real-time analytics and alerting without the need to dedicate a full-time person to a single product.
One of the best features added to Insight is the watchlist. With a watchlist you are able to identify devices or users that deserve priority care, such as your CEO. If your CEO runs into a problem authenticating to the network, your administrators can receive an alert, allowing them to investigate and fix the problem before the CEO has a chance to put in a trouble ticket. This not only makes you look good, but also gives you the ability to ensure key parts of your organization are always able to connect.
Finally, your devices are connected and you have real-time analytics to keep your users happy. What now? Well, why not extend the functionality of your ClearPass system into other areas, such as your multi-factor authentication solution or your visitor registration system? Aruba has added ClearPass Extensions into the base product to allow application developers to build third-party integrations that can be used for anything from policies to end-user experience. One great example of Extensions came from a company we saw at MFD Live – Envoy. Envoy is changing the way visitors are registered when they come to your facility and is using the ClearPass APIs to issue guest credentials to your network. The folks over at Envoy have a really great product and I strongly encourage you to check them out.
While ClearPass Exchange is currently limited to partner organizations, the ClearPass development team at Aruba has mentioned that they are planning to open the APIs to allow anyone to write their own applications. Imagine the possibilities of what you could create, or even what problems you could solve within your own environment given these tools.
In summary, Aruba ClearPass 6.6 is an incredible revamp of an already great solution. OnConnect’s ability to apply policies to non-802.1X devices gives you a way to secure your wired network until that 802.1X project is kicked off. The profiler even includes Nmap port scanning for greater fingerprint granularity. You also gain real-time visibility into the health of your network with Insight, not to mention giving priority to those users who need it most. Developers can build the applications that enhance your users’ experience with Extensions – why not build an app that brews a fresh pot of coffee when the CEO connects to the AP outside their office?