Using Aruba ClearPass for Network Access Control [Use Cases].

In Monitoring, Networking, Security, Wireless by Jesse Rink

Aruba ClearPass Network Access Control article

Organizations today love the idea of anywhere, anytime connectivity, but in their rush to get everything connected, often ignore the need for secure Network Access Control (NAC).  In this article, we show you how you can use Aruba ClearPass to identify, control and respond to common network access issues and scenarios:  

  • A Captive Portal that remembers users and devices
  • Improving wireless performance by minimizing the number of SSIDs
  • Revoking network access of suspect devices
  • Blocking users who abuse network privileges
  • NAC for multi-platform environments
  • Forcing your organization’s devices to stay off the guest wireless
Not a school?
While the use cases we discuss in this article are based on the needs of schools, they apply just as well to any organization looking to find AND control devices on its network.

A clear path to ClearPass.

Many schools employ a laid-back “connect now, secure later” NAC philosophy. Others simply choose the same vendor for security that they use for network infrastructure. Both of these approaches give the illusion of security, but in reality leave big security gaps that enterprising students are ready to exploit.

Aruba ClearPass gives you comprehensive and precise profiling, authentication and authorization for students, systems, and devices trying to access your IT resources. It’s a rock-solid, affordable solution and in our view is ideal for schools.

ClearPass is designed to address key security challenges associated with your school by providing:

Complete visibility.

When network access can be granted from almost anywhere, at any time, knowing what is on the network is the first challenge. ClearPass provides extensive discovery and profiling to enable your IT department to see who and what is connected.

Proactive control.

With ClearPass Policy Manager, every user, system, and device on the network is given access to only those resources that their role requires. ClearPass authenticates every entity and assigns access privileges through policies that adjust permissions based on location, the device used, time of day, type of user and other factors.

Closed-loop response.

Think of ClearPass as the gatekeeper of the network. The same policy engine that enables network access can be used to respond to a cyber-attack. When an alert from the security ecosystem (firewall, endpoint detection, etc.) is received, ClearPass can take a variety of policy-based actions such as re-authentication, bandwidth throttle, quarantine or block.

Best of all, ClearPass provides all of this across multi-vendor environments (Cisco, HPE, Juniper, Palo Alto, Fortinet, etc.) so your NAC solution is not dependent on any one particular vendor.

 

Network Access Control use cases.

Use Case: A Captive Portal that remembers users!

ClearPass use cases - problems

Do you sometimes wish your Captive Portal could remember who people (or devices) are, so users don’t have to log in to the portal every day?

ClearPass use cases - background

Many school districts use Captive Portals (from FortiGate, Palo Alto, Sophos, Lightspeed, etc.) to allow for users/devices to be authenticated for various uses such as logging and policy application. Unfortunately, the Captive Portals built into many products require periodic re-authentication. The constant need to re-authenticate can be met by resistance from staff and other end-users.

Consequently, many organizations start moving unmanaged staff devices onto internal networks to remove the daily Captive Portal prompts or set up static IP addresses for devices to bypass the Captive Portal completely.

ClearPass use cases - solution

Now just imagine for a moment, a captive portal that REMEMBERS everyone automatically and even allows them to use Google/Office 365 as their authentication source in addition to Active Directory. You won’t even need to worry about having to set static/reserved IP addresses for specific users’ web filtering policies either.

The username can be sent from the ClearPass captive portal to your firewall which allows you to apply different policies (such as blocking Facebook) for individual users and groups. You can even do this on your BYOD network with staff or student personal devices too (ClearPass maintains a list of user devices by Mac address), so the captive portal remembers them without prompting them for login credentials every time they connect!

ClearPass resolves this problem by using a Captive Portal that permanently associates a device’s MAC address with a username so that a user only has to log into a Captive Portal once from each device. The username associated with that device’s MAC address can then be sent by ClearPass to your firewall every time that device connects to your network. This allows you to apply different policies (such as blocking Facebook) to individual users and groups without inconveniencing users on BYOD and guest networks.

Aruba ClearPass provides a Captive Portal that has all the amazing benefits of your security appliance’s Captive Portal -without- all the limitations.

This article is based on a special edition of ‘The Source’ – a magazine we produce to help you cut the cost of your IT systems and support. Download the current and previous editions of the magazine below, and if you like what you read make sure to subscribe for future issues.

Aruba ClearPass magazine
Download the free magazine!

Use Case: Ease wireless management and improve performance by minimizing the number of SSIDs.

ClearPass use cases - problems

It’s common for schools to broadcast multiple SSIDs in their wireless environment. Each SSID is typically designated for a specific reason or function such as:

  • Staff wireless
  • Student wireless
  • 802.1x based (PEAP, EAP-TLS) wireless
  • Device-specific wireless (Chromebooks, iPads, etc.)
  • Guest wireless
  • Or other SSIDs for a variety of other reasons

ClearPass use cases - background

One thing that is often forgotten is that additional SSIDs create extra overhead and can bring even the best wireless networks to their knees. The impact of having additional SSIDs depends on many factors but directly affects the percentage of airtime used by the 802.11 beacon frames. Why is that important? Because 802.11 beacon frames -typically- transmit at only 1Mb/s. The more time spent sending out beacons, the less time spent on users and devices.

ClearPass use cases - solution

Aruba ClearPass provides a solution for this!  ClearPass gives you tools to allow, or restrict, access to network resources based on nearly ANY criteria about the user, device, location, or a long list of other criteria. As an example, with a single SSID, you can still grant employees access to a set of network resources, while restricting guest users to only have access out to the internet.

These policies are defined within Aruba ClearPass based on criteria chosen in the authentication and authorization profile.

% of Airtime used by SSID Overhead on a typical wireless environment

Aruba Clearpass - % of Airtime used by SSID Overhead on a typical wireless environment

Note how SSID overhead gets significantly worse with co-channel interference. Provided by www.revolutionwifi.net.

Use Case: Instantly revoke network access of “suspect” devices.

ClearPass use cases - problems

Have you ever wanted to ability to instantly revoke network access for suspect devices?

ClearPass use cases - background

  • SCENARIO #1: A device on your network intentionally, or unintentionally attempts to download a virus, or exhibits behavioral patterns that are suspected by the Unified Threat Management capabilities of your Next-Generation Firewall as a possible security threat.
  • SCENARIO #2: A student figures out how to install TOR (a Proxy/ Anonymizer program) or BitTorrent software on a computer lab PC, school tablet, or attempts to run the offending software from a personal device. Wouldn’t the next logical step be to automatically disable network access for the offending device immediately, to maintain the overall integrity of your network?

ClearPass use cases - solution

ClearPass can easily revoke network access for suspect devices without requiring you to track down the device itself. The entire process is automated, regardless of whether the device is wired directly into your wireless or wireless.

One of the great things about ClearPass is that it has the capability to receive NGFW/IPS events and communication from your Next-Generation Firewall.

ClearPass accomplishes this through various means, including methods such as Syslog messaging, SNMP trap reporting, etc. that trigger a RADIUS CoA (Change of Authorization) which results in the suspected device having its network access quarantined or completely revoked, immediately!

Furthermore, the CoA can then be followed up with an email alert sent to the appropriate network administrator so proper remediation steps can be taken with the device in question.

Use Case: Block network access if a student abuses network privileges.

Aruba ClearPass - blocking network access v2

ClearPass use cases - problems

Have you ever wished that you could block access for a student because of inappropriate usage of technology?

ClearPass use cases - background

Imagine a situation where students in your district are continually late paying fees or fines they have incurred. Perhaps a scenario where the student has overdue library books or an unpaid/negative balance on for their food service account.

ClearPass use cases - solution

ClearPass can be configured to allow for these two examples by running custom queries against the library database system or food service database system, and if the system determines that the student has overdue books or has delinquent balances, the student’s network access and privileges can be limited or denied.

The student can even be redirected to a webpage that asks them to return their overdue library books, or make a payment to catch up on their negative balance. There is an almost unlimited set of criteria for blocking network access if a student abuses their privileges.

Keep in mind that ClearPass can also trigger an email to your helpdesk that provides detailed information about which device had its’ access blocked, when it happened, and the reason why, helping to keep your IT support staff informed and aware!

Use Case: Aruba ClearPass in multi-platform environments.

Aruba ClearPass - multivendor environment v2

ClearPass use cases - problems

You want to use ClearPass to manage your guest access, BYOD, and district-owned device wired and wireless access, but you are using a firewall from one vendor, a switch from another, and a wireless controller or access points from a third vendor.

ClearPass use cases - background

In many scenarios, selecting the best product for your needs typically results in an environment that includes different vendors for each of your core products.  Those products are often fairly unaware of each other or have read-only access to each other.

ClearPass use cases - solution

ClearPass provides a central location for network access control event logging and coordination across -ALL- of your infrastructure.

If you have Palo Alto firewalls, HPE Aruba switches, Cisco wireless, and ServiceNow for your ITSM (IT Service Management), Aruba ClearPass has direct integration with all of those products and can set up Service Chaining such that ClearPass can facilitate two-way communications that generate all of the appropriate actions.

Consider an example where your school’s firewall sees malware downloading to an endpoint device. The firewall can report the threat to ClearPass which allows ClearPass to tell your HPE Aruba switch, or Cisco wireless, to disconnect or quarantine the device! Furthermore, ClearPass can then create a helpdesk ticket so when that offending user calls in for support, they are not trying to find out which product is causing the problem – your IT team will already have a service ticket with “actionable” information.

ClearPass provides a way to make all of your infrastructure work together to solve real problems.

Use Case: Force district-owned devices to stay OFF the guest wireless network.

ClearPass use cases - problems

How many times have you found district-owned devices incorrectly connected to the guest wireless network instead of the preferred secured wireless network?

ClearPass use cases - background

This scenario is often encountered when mobile devices such as iPads, Chromebooks, etc. are allowed to travel off-site/home with the staff member or student and the user needs the ability to join the device to a foreign SSID (such as their wireless network at home).

Unfortunately, when those same devices come back to school, the user may incorrectly connect to the guest wireless network (intentionally, or unintentionally) which may break certain functionality for that since the device cannot communicate properly to internal resources/network (due to ACL restrictions in place), and can even have limited performance due to possible bandwidth restrictions placed on the guest wireless network.

ClearPass use cases - solution

You can take advantage of ClearPass to keep those school owned devices off your guest wireless network!

Aruba ClearPass can keep district-owned devices off the guest wireless in a variety of ways, such as by integrating with Active Directory or Google Admin to determine if a device is a district-owned device, but another even simpler method – Zero-Touch! – is to configure ClearPass so that any device that has previously joined a non-guest wireless network (such as during MDM/Enterprise Enrollment, post- OS deployment with Windows, etc.) has a special “Attribute” applied to it, which indicates the device cannot connect to the guest wireless in the future.

Now your district-owned devices will be forced to stay off the guest wireless network, and all with Zero-Touch administration!

 

Aruba ClearPass works with your existing technology vendors

 

Aruba ClearPass partners

Next Steps

If you’d like to find out more about Aruba ClearPass and how it can be used to improve your school’s network security, check out the resources below or get in touch!

Explore more Aruba ClearPass resources:

About Source One Technology

We’re the IT services partner of choice for 45+ schools and districts, including private, public, charter and choice schools across Wisconsin. And as an approved E-rate vendor we help schools get the most of out of federal funding with expert advice and discounted service rates for education customers.

Why do we produce ‘The Source’ magazine?

We’re regularly asked for advice about a range of IT and networking issues in schools, and so we share tips, tools and resources online and also in free printed resources like this magazine. It’s all just a taster of what we love doing – giving honest, practical IT advice and solving problems.

Our Services

We configure, optimize and maintain your network and infrastructure.

  • Firewalls – Protecting your organization from risks and vulnerabilities.
  • Network Infrastructure – Providing the backbone and highway for your devices to operate.
  • Server Infrastructure – Windows 2003, 2008, 2016, Mac, and Linux operating systems.
  • Wireless Infrastructure – 1:1 wireless rollouts and school-wide wireless deployments.
  • Google Services – Chromebook management, deployment, and management.
  • Email Services – Google for Education and Office 365 email solutions.
  • Backup Solutions – Providing onsite and offsite data recovery.
  • Performance Monitoring – Making sure your environment is healthy and performing as expected.

Share this Post

About the Author
Jesse Rink

Jesse Rink

Twitter

Jesse is the owner of Source One Technology and has been providing IT services to schools, nonprofits and SMBs in Waukesha, Milwaukee and SE Wisconsin for over 18 years.