Aruba ClearPass Policy Manager C1000 Manual de usuario

ClearPass 6.7 Getting Started Guide| 1

ClearPass 6.7 Getting Started Guide

This Getting Started Guide describes the procedures for installing and configuring ClearPass Policy Manager on

a hardware appliance, as well as how to install ClearPass on a VMware vSphere Hypervisor host and on a host

that runs Microsoft's hypvervisor, Hyper-V™.

Due to a negative performance impact when ClearPass 6.7 is installed on a KVM appliance, Aruba will not post the

KVM image with this release. For more information, refer to the "6.7.0 Upgrades on KVM Hypervisors are Deferred"

section in the ClearPass 6.7 Release Notes.

This Getting Started Guide provides the following information:

lAbout the ClearPass Access Management System

lSetting Up the ClearPass Hardware Appliances

lUsing the VMware vSphere Hypervisor Web Client to Install ClearPass on a Virtual Machine

lUsing Microsoft Hyper-V to Install ClearPass on a Virtual Appliance

About the ClearPass Access Management System

This section contains the following information:

lClearPass Access Management System Overview

lSupported Browsers

lKey Features

lAdvanced Policy Management

lClearPass Policy Manager Hardware and Virtual Appliances

lClearPass Specifications

ClearPass Access Management System Overview

The Aruba ClearPass Access Management System provides a window into your network and covers all your

access security requirements from a single platform. You get complete views of mobile devices and users and

have total control over what they can access.

With ClearPass, IT can centrally manage network policies, automatically configure devices and distribute

security certificates, admit guest users, assess device health, and even share information with third-party

solutions—through a single pane of glass, on any network and without changing the current infrastructure.

Role-Based and Device-Based Access

The ClearPass Policy Manager™ platform provides role-based and device-based network access control for

employees, contractors, and guests across any wired, wireless, and VPN infrastructure.

ClearPass works with any multivendor network and can be extended to business and IT systems that are

already in place.

Self-Service Capabilities

ClearPass delivers a wide range of unique self-service capabilities. Users can securely onboard their own

devices for enterprise use or register AirPlay, AirPrint, Digital Living Network Alliance (DLNA), and Universal Plug

and Play (UPnP) devices that are enabled for sharing, sponsor guest Wi-Fi access, and even set up sharing for

Apple TV and Google Chromecast.

Leveraging Contextual Data

The power of ClearPass comes from integrating ultra-scalable AAA (authentication, authorization, and

accounting) with policy management, guest network access, device onboarding, and device health checks with

a complete understanding of context.

From this single ClearPass policy and AAA platform, contextual data is leveraged across the network to ensure

that users and devices are granted the appropriate access privileges.

ClearPass leverages a user’s role, device, location, application use, and time of day to execute custom security

policies, accelerate device deployments, and streamline network operations across wired networks, wireless

networks, and VPNs.

Third-Party Security and ITSystems

ClearPass can be extended to third-party security and IT systems using REST-based APIs to automate work

flows that previously required manual IT intervention. It integrates with mobile device management to

leverage device inventory and posture information, which enables better-informed policy decisions.

Supported Browsers

The supported browsers for ClearPass are:

lMozilla Firefox on Windows 7, Windows 8.x, Windows 10, and macOS

lGoogle Chrome for macOS and Windows

lApple Safari 9.x and later on macOS

lMobile Safari 5.x on iOS

lMicrosoft Edge on Windows 10

lMicrosoft Internet Explorer 10 and later on Windows 7 and Windows 8.x

When accessing ClearPass Insight with Internet Explorer (IE), IE 11 or above is required.

Key Features

ClearPass's key features are as follows:

lRole-based network access enforcement for multivendor Wi-Fi, wired, and VPN networks

lVirtual and hardware appliances that can be deployed in a cluster to increase scalability and redundancy.

lSupport for popular virtualizations platforms such as VMware vSphere Hypervisor (ESXi), Microsoft Hyper-

V, and Amazon AWS (EC2).

lIntuitive policy configuration templates and visibility troubleshooting tools.

lSupports multiple authentication/authorization sources—AD, LDAP, and SQL dB.

lSelf-service device onboarding with built-in certificate authority (CA) for BYOD.

lGuest access with extensive customization, branding and sponsor-based approvals.

lSupports NAC and EMM/MDM integration for mobile device assessments.

lComprehensive integration with the Aruba 360 Security Exchange Program.

lSAML 2.0 Identity Provider, which allows seamless single sign-on (SSO) to cloud or on-premise applications.

ClearPass 6.7 Getting Started Guide 2

lSAML 2.0 Service Provider, which allows seamless and secure access to ClearPass components using

federated/unified identity.

lAdvanced reporting and granular alerts.

lActive and passive device fingerprinting

lHigh performance, scalability, High Availability, and load balancing

lA Web-based user interface that simplifies policy configuration and troubleshooting

lNetwork Access Control (NAC), Network Access Protection (NAP) posture and health checks, and Mobile

Device Management (MDM) integration for mobile device posture checks

lSocial and Cloud Identity Network and Cloud Application single sign-on (SSO) via OAuth 2.0

lFacebook, Twitter, LinkedIn, Azure Active Directory and Office 365, Google G Suite, and so on.

lDevice and User certificate enrollment via Simple Certificate Enrollment Protocol (SCEP), Enrollment over

Secure Transport (EST) and REST API-based workflows

lAdvanced reporting of all user authentications and failures

lEnterprise Reporting, Monitoring, and Alerting

lHTTP/RESTful APIs for integration with third-party systems, Internet security, and MDM

lDevice profiling and self-service onboarding

lGuest access with extensive branding and customization and sponsor-based approvals

lIPv6 administration support

Advanced Policy Management

ClearPass advanced policy management support includes:

lEmployee access

ClearPass Policy Manager offers user and device authentication based on 802.1X, non-802.1X, and Web

Portal access methods. To strengthen security in any environment, you can concurrently use multiple

authentication protocols, such as PEAP, EAP-FAST, EAP-TLS, EAP-TTLS, and EAP-PEAP-Public.

For fine-grained control, you can use attributes from multiple identity stores, such as Microsoft Active

Directory, LDAP-compliant directory, ODBC-compliant SQL database, token servers, and internal databases

across domains within a single policy.

Additionally, you can add posture assessments and remediation to existing policies at any time.

lBuilt-in device profiling

ClearPass provides a built-in profiling service that discovers and classifies all endpoints, regardless of device

type. You can obtain a variety of contextual data(such as MAC OUIs, DHCP fingerprinting, and other

identity-centric device data) and use this data within policies.

Stored profiling data identifies device profile changes and dynamically modifies authorization privileges.

For example, if a printer appears as a Windows laptop, ClearPass Policy Manager can automatically deny

access.

lAccess for unmanaged endpoints

Unmanaged non-802.1X devices (such as printers, IP phones, and IP cameras) can be identified as known

or unknown upon connecting to the network. The identity of these devices is based on the presence of

their MAC address in an external or internal database.

lSecure configuration of personal devices

ClearPass Onboard fully automates the provisioning of any Windows, macOS, iOS, Android, ChromeOS, and

Ubuntu devices via a built-in enrollment workflow.

Valid users are redirected to a template-based interface to configure required SSIDs and 802.1X settings,

and download unique device credentials.

3 ClearPass 6.7 Getting Started Guide

Additional capabilities include the ability for IT to revoke and delete credentials for lost or stolen devices,

and the ability to configure mobile email settings for Exchange ActiveSync and VPN clients on some device

types.

lCustomizable visitor management

ClearPass Guest simplifies work flow processes so that receptionists, employees, and other non-IT staff can

create temporary guest accounts for secure Wi-Fi and wired network access. Self-registration allows guests

to create their credentials.

lDevice health checks

ClearPass OnGuard, as well as separate OnGuard persistent or dissolvable agents, performs advanced

endpoint posture assessments. Traditional NAC health-check capabilities ensure compliance and network

safeguards before devices connect.

You can use information about endpoint integrity (such as status of anti-virus, firewall, and peer-to-peer

applications) to enhance authorization policies. Automatic remediation services are also available for non-

compliant devices.

ClearPass Policy Manager Hardware and Virtual Appliances

ClearPass Policy Manager is available as a hardware or a virtual appliance. To increase scalability and

redundancy, you can deploy virtual appliances, as well as the hardware appliances, within a cluster.

lFor hardware and virtual appliance installation and deployment procedures, see ClearPass 6.7 Getting

Started Guide.

Virtual appliances are supported on the following platforms:

lVMware ESX and ESXi

For installation and deployment procedures, see Using the VMware vSphere Hypervisor Web Client to

Install ClearPass on a Virtual Machine.

lMicrosoft Hyper-V

For installation and deployment procedures, see Using Microsoft Hyper-V to Install ClearPass on a Virtual

Appliance.

ClearPass Specifications

Hardware and Virtual Appliances

ClearPass is available as hardware or as a virtual appliance. Virtual appliances are supported on VMware

vSphere Hypervisor (ESXi), Microsoft Hyper-V, and Amazon EC2.

lVMware ESXi 5.5 up to 6.5 Update 1

lMicrosoft Hyper-V Server 2012 R2/2016, and Windows Server 2012 R2 with Hyper-V

lAmazon AWS (EC2)

ClearPass Platform

lDeployment templates for any network type, identity store, and endpoint

l802.1X, MAC authentication and captive portal support

lClearPass OnConnect for SNMP-based enforcement on wired switches

lAdvanced reporting, analytics and troubleshooting tools

lInteractive policy simulation and monitor mode utilities

lMultiple device registration portals—Guest, Aruba AirGroup, BYOD (bring your own device), and

unmanaged devices

ClearPass 6.7 Getting Started Guide 4

lAdmin/Operator access security via CAC (Common Access Card) and TLS (Transport Layer Security)

certificates

Framework and Protocol Support

lRADIUS, RADIUS CoA, TACACS+, Web authentication, and SAML v2.0

lEAP-FAST (EAP-MSCHAPv2, EAP-GTC, EAP-TLS)

lPEAP (EAP-MSCHAPv2, EAP-GTC, EAP-TLS, EAP-PEAP-Public)

lEAP-TTLS (EAP-MSCHAPv2, EAP-GTC, EAP- TLS, EAP-MD5, PAP, CHAP)

lEAP-TLS

lPAP, CHAP, MSCHAPv1, MSCHAPv2, and EAP-MD5

lWireless and wired 802.1X and VPN

lOAuth .02

lMicrosoft NAP and NAC

lActive Directory machine authentication

lOnline Certificate Status Protocol (OCSP)

lSNMP generic MIB, SNMP private MIB

lCommon Event Format (CEF), Log Event Extended Format (LEEF)

lSimple Certificate Enrollment Protocol (SCEP)

lEnrollment over Secure Transport (EST)

Supported Identity Stores

lMicrosoft Active Directory

lKerberos

lAny LDAP-compliant directory

lMicrosoft SQL, PostgreSQL, MariaDB, and Oracle 11g ODBC-compliant SQL server

lBuilt-in SQL store

lBuilt-in static-hosts list

lToken servers

lBuilt-in SQL store, static hosts list

lMicrosoft Azure Active Directory (via SAML and OAuth 2.0)

lGoogle G Suite (via SAML and OAuth 2.0)

IPv6 Support

lWeb and CLI based management

lIPv6 addressed authentication & authorization servers

lIPv6 accounting proxy

lIPv6 addressed endpoint context servers

lSyslog, DNS, NTP, IPsec IPv6 targets

lIPv6 Virtual IP for high availability

lHTTP Proxy

lIngress Event Engine Syslog sources

Profiling Methods

lActive: Nmap, WMI, SSH, SNMP

5 ClearPass 6.7 Getting Started Guide

lPassive: MAC OUI, DHCP, TCP, Netflow v5/v10, IPFIX, sFLOW, ‘SPAN’ Port, HTTP User-Agent, IF-MAP

lIntegrated and Third-Party: Onboard, OnGuard, ArubaOS, EMM/MDM, Rapid7, Cisco device sensor

Setting Up the ClearPass Hardware Appliances

This section documents the procedures for installing and configuring ClearPass on a hardware appliance, as

well as how to complete important administrative tasks, such as registering for ClearPass software updates and

changing the admin password.

This section contains the following information:

lAbout the ClearPass Hardware Appliances

lClearPass C1000 Hardware Appliance

lClearPass C2000 Hardware Appliance

lClearPass C3000 Hardware Appliance

lBefore Starting the ClearPass Installation

lActivating ClearPass

lLogging in to the ClearPass Hardware Appliance

lPowering Off the ClearPass Hardware Appliance

lResetting the System Passwords to the Factory Defaults

About the ClearPass Hardware Appliances

Aruba provides three hardware appliance platforms:

lClearPass Policy Manager C1000

lClearPass Policy Manager C2000

lClearPass Policy Manager C3000

Table 1: Functional Description of the ClearPass Hardware Appliance Ports

Port Description

Data port (Gigabit

Ethernet)

The Data port (ethernet 1) provides a point of contact for RADIUS, TACACS+,

Web authentication, and other dataplane requests. This configuration is

optional. If this port is not configured, requests are redirected to the

Management port.

iLO port The iLO (Integrated Lights-Out) port is an Ethernet port that provides out-of-

band management facilities. The iLO port makes it possible to perform

activities on the ArubaOS switch or an HP server from a remote location. The

iLO card has a separate network connection (and its own IP address) to which

one can connect via HTTPS.

Available on theClearPass C2000 and C3000 hardware appliances.

Management port

(Gigabit Ethernet)

The Management port (ethernet 0) provides access for cluster administration

and appliance maintenance using the WebUI, CLI, or internal cluster

communication. This configuration is mandatory.

ClearPass 6.7 Getting Started Guide 6

Port Description

Serial port The Serial port is used to initially configure the ClearPass hardware appliance

using a hard-wired terminal.

SPAN ports A SPAN (Switched Port Analyzer) port is a method of monitoring network

traffic. The switch sends a copy of all network packets seen on one port (which

is the monitored or source port) to a destination SPAN port, where the packets

can be analyzed.

Available on the ClearPass C3000 hardware appliance.

USB ports Two USB v2.0 ports are provided on each ClearPass hardware appliance.

VGA connector You can use the VGA Connector to connect the ClearPass hardware appliance

to a monitor and keyboard.

ClearPass C1000 Hardware Appliance

The ClearPass Policy Manager C1000 hardware appliance (SKU: JZ508A) is a RADIUS/ TACACS+ server that

provides advanced policy control for up to 500 simultaneous sessions.

The ClearPass C1000 appliance has a single 1 TB SATA disk with no RAID disk protection.

Figure 1 shows the ports and components on the rear panel of the ClearPass C1000 hardware appliance. The

function of each of these ports and components is described in Table 1.

Figure 1 Ports and Components on the ClearPass C1000 Hardware Appliance

Callout

Number C1000 Port/Component

1 Fan

2 Power Supply

3 Serial port

4 Data port

7 ClearPass 6.7 Getting Started Guide

Callout

Number C1000 Port/Component

5 Management port (eth0)

6 USB ports (2)

7 VGA Connector

You can also access the ClearPass hardware appliance by connecting a monitor and keyboard to the hardware

appliance.

Table 2 provides the specifications for the ClearPass Policy Manager C1000 hardware appliance.

Table 2: ClearPass C1000 Appliance Specifications

ClearPass C1000 Appliance Specifications

Hardware Model Unicom S-1200 R4

CPU (1) Eight Core 2.4 GHz Atom C2758

Memory 8 GB (2 x2 GB)

Hard drive storage l(1) SATA (7.3K RPM), Serial ATA

l1 TB hard drive

Serial Port Yes: RJ-45

Performance &Scale Please refer to the ClearPass Scaling & Ordering Guide

Form Factor

Rack mount Included

Dimensions (WxHxD) 17.2” x 1.7” x 11.3”

Weight (max configuration) 8.5 lbs

Power

Power consumption (maximum) 200 watts

Power supply Single

AC input voltage 100/240 VAC auto-selecting

ClearPass 6.7 Getting Started Guide 8

ClearPass C1000 Appliance Specifications

AC input frequency 50/60 Hz auto-selecting

Environmental

Operating temperature 5º C to 35º C (41º F to 95º F)

Operating vibration 0.26 G at 5 Hz to 200 Hz for 15 minutes

Operating shock 1 shock pulse of 20 G for up to 2.5 ms

Operating altitude -16 m to 3,048 m (-50 ft to 10,000 ft)

ClearPass C2000 Hardware Appliance

The ClearPass Policy Manager C2000 hardware appliance (SKU: JZ509A) is a RADIUS/ TACACS+ server that

provides advanced policy control for up to 5,000 simultaneous sessions.

The ClearPass C2000 appliance ships with two x 1TB SATA disk drives. These drives are managed by an LSI

RAID-1 controller. The drives are configured as a RAID-1 pair. The LSI controller presents to ClearPass a single

virtual 1TB drive, masking the two underlying physical drives.

Figure 2 shows the ports and components on the rear panel of the ClearPass C2000 hardware appliance. The

function of each of these ports and components is described in Table 1.

The image of the ClearPass C2000 hardware appliance shown here includes the optional redundant power supply.

Figure 2 Ports and Components on the ClearPass C2000 Hardware Appliance

Callout

Number C2000 Port/Component

1 and 2 USB ports (2)

3 iLO (Integrated Lights-Out) port and Management port (eth0)

4 VGA Connector

5 Data port (eth1)

9 ClearPass 6.7 Getting Started Guide

Callout

Number C2000 Port/Component

6 UID (Unit ID)

The UID LED helps you identify and locate a system, especially in high-density rack

environments. Additionally, the UID is used to indicate that a critical operation is

underway on the host, such as Remote console access or ROM flash.

The "current state" (on or off) of the UID is the last state chosen using one of these

methods. If a new state is chosen while the UID is blinking, this new state becomes

the current state, and takes effect when the UID stops blinking.

NOTE: The Unit ID Light web page does not automatically refresh itself if the state

of the actual light changes after the page is loaded. To ensure the page accurately

reflects the state of the UID Light, click on the Virtual Indicators link to update the

page.

7 Power Supply

8 Optional redundant Power Supply

You can also access the ClearPass hardware appliance by connecting a monitor and keyboard to the hardware

appliance.

Table 3 provides the specifications for the ClearPass C2000 hardware appliance.

Table 3: ClearPass C2000 Appliance Specifications

ClearPass C2000 Appliance Specifications

Hardware Model HPE DL20 Gen 9

CPU (1) Xeon 3.5Ghz E3-1240v5 with four cores (8 Threads)

Memory 16 GB

Hard drive storage l(2) SATA (7.2K RPM) 1TB hard drive

lRAID-1 controller

Out-of-Band management HPE Integrated Lights-Out (iLO) Standard

Serial Port Yes: Virtual Serial via iLO

Performance &Scale Please refer to the ClearPass Scaling & Ordering Guide

Form Factor

Rack mount l1U SFF Easy Install Rail

l1U Cable Management Arm

ClearPass 6.7 Getting Started Guide 10

Este manual sirve para los siguientes modelos

Tabla de contenidos

Manuales populares de Servidor de otras marcas

HP AlphaServer ES47 Manual de usuario

Dell

Dell PowerEdge R410 Manual de usuario

PowerNAS

PowerNAS CMA Manual de usuario

Supero

Supero FatTwin F617R3-FT Manual de usuario

MSI

MSI P1-109N-L70 Manual de usuario

Dell

Dell PowerEdge XE9640 Manual

Dell

Dell PS4100 Instrucciones de montaje

EtroVISION

EtroVISION EV3151 Manual de usuario

NEC

NEC Express5800/T110j Manual de usuario

HP ProLiant Gen9 Manual de usuario

Compaq

Compaq ProLiant 3000 Manual

Dell

Dell PowerEdge 3YPMN Manual de usuario

iRobo

iRobo IPC2U Manual de usuario

Nortel

Nortel 1000 Con?guration guide Manual de usuario

Asus

Asus AP7500 Manual de operación y mantenimiento

Avid Technology

Avid Technology AirSpeed 5000 Manual de usuario

HP Integrity rx2600 Guía de instalación

Milestone

Milestone Husky IVO 350T Manual de usuario