Aruba ClearPass

It is a product that can be easily used for the security and authorization of wired and wireless networks of all small or large enterprises. It is a necessary product for a security procedure at the network layer, especially to prevent the leakage of critical data to the outside. It is also a product that can be used for authorization in BYOD and GUEST networks for wireless networks. It is a very practical and stable product to use compared to the products of other equivalent companies.

Aruba Clearpass is well suited for organizations that require diverse network segmentation. This system provides the ability to lock down user access to only the resources one needs. The initial setup of a system like this is resource-intensive and may require outside consulting, but once in place, day to day system management is minimal and network visibility is increased.

This product has consistently provided the results needed from it and when issues arose, Aruba TAC was able to provide support effectively. In the previous question, I stated that Aruba Wireless is used as well. With those systems in place with ClearPass troubleshooting becomes much easier. I am sure other issues may arise if calling support while using another vendor for wireless such as Cisco, Juniper, etc.

ClearPass is well suited for 802.1X (PEAP or EAP-TLS) in wired and wireless scenarios. It can also do MAC authentication using its endpoint database. The fingerprinting is robust, as it can verify that a device is reported as the actual brand or model, instead of relying solely on MAC OUI. This is achieved by capturing DHCP request information that has been forwarded to the appliance. Using this information, extensive role mapping can be utilized in enforcement policies. For instance, you can apply one policy to a device that is considered a VoIP phone, but if you only want to target Polycom phones, that can be specified in the role mapping, which then can be enforced as a specific VLAN pushed to the switch port or a specific QoS policy. Downloadable user roles are another impressive feature of ClearPass which can be fully integrated with Aruba switches. Instead of deploying ACLs to switches, you can simply have the switch download the ACL from ClearPass. This helps with issues of management and scalability where extensive L3 segmentation is utilized across a network. Similarly, QoS and other options can also be included in download user roles. There are too many options to list all in this review. I liken the experience to a AAA Swiss Army Knife.

We had some issues with ClearPass integration with AirGroup on Aruba Controller Clusters. Basically, it was tough to get coordinated between the controller support and the ClearPass support.

Aruba ClearPass is ideal in an HP/Aruba environment, and it works well with Active Directory as well. We use it in a busy enterprise environment with an average of 18000-20000 devices connecting daily. Our main applications are streaming video and audio, with other less taxing web environments in use, but most with significant animation.

Our HP/Aruba team has been stellar. Always there to support us proactively, worked hard to build relationships with the staff, really top-notch.

It works very well with Aruba wireless controllers and, according to the demos, with Aruba switches for wired NAC. Works well for guest portals with self-registration. Posture checking - Onguard - is limited on Macs, but extensive on Windows. Onboarding with EAP-TLS on android phones requires an app. However, wired NAC is very hard with non-Aruba switches. Policies can be very granular.

Support, unfortunately, is one thing that Aruba needs a lot of improvement. While some engineers are skilled, others have been quite low-quality. Engineers tend to not take ownership and one needs to keep calling to get a case moved forward in a timely manner. In my experience, many times an engineer owning my case would leave office and not be in the next day without resolving the case or handing it off properly. Licensing support in particular has been handled very poorly.

We have quite a few visitors to our campus and we don't want to have a set PSK for the wireless so we have configured a guest network where visitors can create an account and gain access to the internet and we don't have to "manage" it since the accounts will expire after a certain time. We have RF scanners in our warehouses and we want them to be allowed on the network and be put into its own VLAN. ClearPass can do this flawlessly by keying off of the MAC address when it comes online and putting it into the correct VLAN. This makes it so we don't have to add each device individually to the system. The only time ClearPass would not be appropriate is in a small deployment where the cost to value wouldn't make sense.

Aruba tier 1 support is not that great if your issue is more complex. For simple issues, the first contact is usually fine but if I know the issue is more complex I ask them from the start to escalate the issue which they are always happy to do. From there, their support have been great and I have had confidence that they know what they are talking about and there is a quick resolve. Airhead forum support is pretty good since it's community-based and I can find many answers to question there.

Aruba ClearPass is perfect for implementing 802.1x access. Having the ability to configure the system to drop users into the proper network ad-hoc is invaluable when you have a large organization; the old method of manually configuring interfaces as employees move around is gone. If you are looking for something that has robust and easy to access logs, you will have to look at an external tool; the built-in options with ClearPass are not that great.

Technical support is easy to get a hold of and responsive to requests. There are certain options in the command line that TAC keeps to themselves for troubleshooting purposes, and I am not a fan of having to call in for support to have a deep-dive into a given issue. I would like it if the robust logging commands and controls were available to owners/administrators of the system.