Airheads Tech Update, 23 November 2017
Agenda, Airheads Tech Update
– Introduction
– Anders, Simon and Tore will together give an update on:
– Wireless technology, focusing on Aruba OS 8.x
– Switching technology, focusing on what is new in ArubaOS-Switch 16.04
– Security technology, focusing on Aruba ClearPass
– The focus will be on the most important news and on how the different technologies work together to build tomorrow's robust network solutions. There may be a small demo or two as well.
– Geir will give an update on:
– Aruba Central and what is new in 2.3.7
– Closing/summary
Introduction, Airheads Tech Update
– Restrooms are in the hallway where you came in
– Airheads Tech Updates are planned quarterly going forward
– Airheads Community - http://community.arubanetworks.com/
– There are two Norwegian-language groups:
– Norsk Forum - http://community.arubanetworks.com/t5/Norsk-Forum/bd-p/NorwegianForum
– Airheads Channel Group – Norway
– ABC Networking - https://www.youtube.com/c/ABCNetworking
– Facebook - https://www.facebook.com/groups/564300347107470/
– Airheads Happy Hour
– Feel free to ask questions along the way
CONFIDENTIAL © Copyright 2015. Aruba, a Hewlett Packard Enterprise Company. All rights reserved
Who we are at Aruba Norway …
– Geir Leirvik, Management systems
– Simon Emaus, Switching
– Terje Flaarønning
– Petter Omberg, Counties & Municipalities
– Aleksander Johannesen, Sales Public Sector
– Anders Lagerqvist, WiFi
– John-Patrick Skaar, Retail & hospitality
– Fredrik Andersen, Central gov & high edu
– Country Manager
– Astri Grov, Category Manager
– Channel
– Per Martin Botten, Presales
– Stian Elde, Sales Private Sector
– Tore Henriksen, Security
– Erik Midthun, Oil/energy, finance & telco
– Trinh Nguyen
– Christopher Vanay, Transport, logistics
Airheads Tech Update
AOS 8: The new way to build a network
Anders Lagerqvist, Senior Systems Engineer
Home of 60K+ Mobility Customers
@ Airheads Community
Gartner 2017 Magic Quadrant for the Wired and Wireless LAN Access Infrastructure
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire
document. The Gartner document is available upon request from Aruba, a Hewlett Packard Enterprise company. Gartner does not endorse any
vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the
highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be
construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of
merchantability or fitness for a particular purpose.
Source: Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure
October 2017 Tim Zimmerman, Christian Canales, Bill Menezes
ID Number: G00316060
HPE Aruba receives highest product scores in 6 out of 6 use cases in Gartner's Critical Capabilities Report*
1. Unified Wired and WLAN Access
2. Wired-Only Refresh/New Build
3. WLAN Only Refresh/New Build
4. Performance Stringent Applications
5. Multivendor Networking Environment
6. Remote Branch Office With Corporate HQ
*Gartner, Critical Capabilities for Wired and Wireless LAN Access Infrastructure, Menezes, Canales, Zimmerman, November 2017. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Gartner – Link. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Connectivity Needs to Adapt to New Requirements
Can the infrastructure easily accommodate new mobile use-cases with the necessary controls?
Customers have been asking for …
• Simplicity of operations & flexibility of deployment
• Improved reliability at all levels
• Automated controls to improve user experience
• Unprecedented network security
Simplify and scale campus wireless LANs with virtualization
2002: Autonomous APs → Controller based WLANs to enable seamless mobility, ease of management and improved security → Mobility Controller → Virtual Appliance → 2016: Mobility Master (HW/VM)
What's new in ArubaOS 8?
• Mobility Master
• New GUI and configuration hierarchy in 8.0
• Virtual Mobility Master for ESXi, KVM and Hyper-V
• Virtual Mobility Controllers
• Supported for VMware and KVM in 8.0
• Controller Clustering
• AP and user load balancing within the controller cluster in 8.0
• Hardware support
• Mobility Master Hardware Appliance in 8.1
• AP-304/5 & AP-207 support in 8.1
• AP-203, AP-303 & AP-360 support in 8.2
• Live Upgrade in 8.1
• Simplifies the controller & AP upgrade process
• No impact on users during software upgrade
• Different software versions in the network since 8.2
• Per User Tunneled Node in 8.1
• Unified policy across wired and wireless
• Per Port Tunneled Node in 8.0
• MultiZone
• Share APs securely among different controllers
Why Clustering?
1. Stateful Client Failover: user traffic uninterrupted upon controller failure
2. Seamless Campus Roaming: clients stay anchored to a single Mobility Controller when roaming across controllers
3. Client Load Balancing: users automatically load balanced across cluster members
4. AP Load Balancing: APs are automatically load balanced across cluster members
(Diagram: Mobility Master with standby, managing a cluster of Mobility Controllers.)
Mobility Master Hardware Appliance - Overview
• x86 platform based on Intel Haswell-EP / Broadwell-EP technology using the E5-2600 v3/v4 CPU family
• Solid State Drive for better reliability
• Three models
– MM-HW-1K: supports up to 1,000 devices
– MM-HW-5K: supports up to 5,000 devices
– MM-HW-10K: supports up to 10,000 devices
• Dual redundant load-shared power supplies
• TPM module supporting SHA-2
• Platform monitoring of power supplies, fans, thermal
• Mechanical form factor
– 1 RU (H x W x D – 1.73" x 17.4" x 15.79")
Ease of network scaling
Hierarchical configuration
• One centralized place to push all configuration to all controllers
• More modern and simple UI
• Reduced time to configure the network
• Provision APs and wireless networks with simple steps
Reliable network upgrade
Live Upgrade of Mobility Controllers
Real-time upgrade to the latest OS with zero downtime
• No need for thorough upgrade planning or a maintenance window
• Healthcare and Higher Ed cannot afford downtime
• Excellent customer feedback!
In-service Upgrade
• Upgrade major features and functions, such as NB APIs, AirGroup, AppRF, ClientMatch
Automation and extensibility
• Business apps with custom signatures: Skype for Business, Cisco Jabber/Spark & Wi-Fi calling
• APIs for context sharing and configuration (Mobility Master, cluster of Mobility Controllers)
• AirMatch for high density WLAN automation
Network controls for unified communications: awareness for Wi-Fi Calling, Cisco Jabber and custom apps
Unified Communications
• Custom AppRF definitions beyond the 2500+ apps that are automatically identified by AOS
• Update signatures without an ArubaOS upgrade
• Automatic classification and health metrics for Wi-Fi calling and Cisco Jabber
• Wi-Fi calling provider
Network controls for mobility: multiple tenants on the same access point with MultiZone
(Diagram: Network A and Network B, each with its own Aruba 7200 Mobility Controller(s), local controllers LoCtrl1/LoCtrl2 and switches CSw1, sharing the same access points.)
MultiZone
• Multiple secure separated networks
• SSIDs terminate on different controllers
• Efficient use of Wi-Fi resources
• Secure data separation
• Multiple vertical use cases:
• Government (classified vs. unclassified)
• Airports (public, airport security, airline staff)
• Shopping malls (staff, service provider, retail stores)
• Service providers such as AT&T and Verizon
Simplifying network operation at multiple levels
• Mobility Master and cluster of Mobility Controllers, together with AirWave and ClearPass
• Centralized management of Virtual Mobility Controllers and mobility controllers
• MultiZone for multi-tenant access points
• Zero-touch provisioning
• Centralized licensing
• Hierarchical config and new UI
• Per user tunneled node
Unified wired and wireless policy
Per User Tunneled Node
• Unified and centralized policy control
• Traffic of a specific user/device role is sent to the controller
• Extends controller access roles, such as the firewall, to wired access users
• Higher availability and scalability
(Diagram: tunnels from the access switches to the Aruba controllers, with ClearPass and the Mobility Master.)
Switch support available in ArubaOS-Switch 16.04
More flexibility for license deployment
Centralized licensing
• Centralized licensing – all licenses hosted from one single location, the Mobility Master
• Optional segmentation of license pools across different departments within the same organization
Example: a University pool of 500 licenses, split into Chemistry (300 licenses) and Mathematics (200 licenses)
AOS 8.2: IPv6 Enhancements
– SNMP and v6 MIBs
– DNS
– DHCP helper address
– Ping support in UI
– ULA for Auth server host
– Firewall support
– AP Bridge user
– ACL support
– Remote show
– Controller Clustering
– Policy Based Routing
– External Captive Portal
Enabling APIs and Ecosystem
• Micro-location services: Meridian with mobile app development SDK and REST APIs
• Cloud networking: Central with REST APIs to share context and program infrastructure
• Policy management: ClearPass with a unified API library and Extensions repository
• Network management: AirWave with northbound XML APIs for data consumption
• Location analytics: Analytics and Location Engine (ALE) with northbound REST APIs
• Network controls: AOS8 with REST APIs to share context and program infrastructure
New Campus APs
Evolving the Industry's Best 802.11ac Portfolio
Indoor Access Points
• 303: medium density, ~1.2 Gbps
• 207: medium density, ~1.3 Gbps, BLE
• 300 Series: medium density, single uplink, 1.7 Gbps, BLE
• 310 Series: high performance, 1.7 Gbps, BLE
• 320 Series: high performance, dual uplink, 2.5 Gbps, BLE
• 330 Series: highest density, dual uplink (one 802.3bz), 2.5 Gbps, BLE
• 340 Series: highest density, dual uplink (one 802.3bz), dual 5 GHz, 4.3 Gbps, BLE
Hospitality Access Points
• 103H: 4 ports, 802.11n
• 205H: 4 ports, 802.11ac
• 203H: 2 ports, 802.11ac, flex radio
• 303H: 4 ports, 802.11ac Wave 2
Remote Access Points
• RAP-3: 3 ports
• RAP-109: 2 ports
• 203R: 3 ports, 802.11ac
Outdoor Access Points
• 270 Series: higher performance (3SS), 802.11ac
• 360 Series: high performance (2SS), 802.11ac Wave 2
• 370 Series: highest performance (4SS), 802.11ac Wave 2, BLE
Rugged Access Points
• 228 Series: high density/performance, dual uplink, 1.7 Gbps
• 318 Series: high density/performance, dual uplink (1 SFP), 2.0 Gbps, BLE
Aruba enables deployment flexibility with Unified APs: all new APs from January 2017 onwards are Unified
A Unified AP (UAP) can run as either:
• Controller-based (CAP): centralized encryption/switching, larger mobility domains, advanced services at scale
• Controllerless (IAP): many individual remote sites, simplified management, minimal onsite HW and IT
*All APs can also be deployed as Remote Access Points
Unified models: 360, 303H, 203H, 203R, 340, 318, 370
340 Series Access Points: highest performance and density 802.11ac Wave 2
• Dual radio with internal (345) and external (344) antennas
• 5 GHz: 2.166 Gbps max (4SS VHT80 or 2SS VHT160, 1024-QAM)
• 2.4 GHz: 800 Mbps max (4SS VHT40 clients, 1024-QAM)
• Transmit Beamforming and Advanced Cellular Coexistence
• AP-344: 4 x RP-SMA for dual-band antennas + 4 x RP-SMA for 5 GHz antennas when operating in Dual-5GHz mode (remove snap-on cover to utilize)
• AP-345: 8 x cross-polarized downtilt omni antennas (four dual-band, four 5 GHz)
• Dual-Radio (peak 3.0 Gbps), Dual-5GHz (peak 4.3 Gbps) or Auto modes
• Dual uplinks with hitless PoE failover (one 2500BASE-T, one 1000BASE-T)
• Integrated BLE radio
• Temperature range: 0 °C to +50 °C
• Max PoE+ power: 21.9 W in Dual-Radio mode, 25.1 W in Dual-5GHz mode
• Intelligent Power Mode enables operation with 802.3af or 802.3at
• How does it compare to the 330 Series?
• Same size (225 mm x 224 mm x 52 mm)
• Eliminates 5GBASE-T (optimizes cost; no need for >2.5GBASE-T)
• Eliminates dynamic antenna polarization (optimizes cost; minimal loss)
• Adds Dual-5GHz mode
Availability
Price list: Nov 6th, 2017
S/W: ArubaOS/InstantOS 8.3.0.0
Shipping Q1 2018
Dual 5GHz Mode, Done Right
• Performance: doubles 5 GHz performance and doubles client capacity
• Isolation: the only solution in the market designed with filtering to isolate the two 5 GHz radios
• Operation: manual mode selection, or automatic dynamic switching based on clients, load and RF environment
THE ARUBA DIFFERENCE
• Trusted innovators, unafraid to disrupt
• Thousands of partners; "Customer First, Customer Last" culture
• Complete indoor location solution
• Market leading, enterprise-class integrated wired and wireless
• Leading security: comprehensive policy engine, behavioral analytics and traffic segmentation
• Comprehensive networking portfolio
• Mobile-First architecture
• Open, multi-vendor
• Single architecture across all locations / deployments
• Global reach and go-to-market, Fortune 100 customer base backed by
Thank You
Wired networking by Aruba
News and use cases
Simon Emaus, Systems Engineer
Introduction to ArubaOS-Switch
ArubaOS-Switch is the new name for the switch OS
– Reflect alignment with Aruba Mobile-First solution and support for Aruba software such as AirWave, ClearPass, and Activate
Based on 30+ years of networking leadership
– Continuation of HPE's pioneering work in Ethernet switching
Commitment to innovations
– SDN, granular security, and performance enabled by the ProVision ASIC
Dedicated to continual improvements
– Adding advanced features, enhanced instrumentation and supportability with focus on high quality that enterprise customers expect
INDUSTRY DRIVERS: MOBILE, CLOUD, IOT STILL ON THE RISE
• Cloud: $127B cloud spending
• IoT: 20.8B IoT devices
• Mobile: 6.4B connected things
ARUBA CAMPUS SWITCHING: COMPLETE PORTFOLIO TO MEET CUSTOMER NEEDS (access, aggregation, core)
CAMPUS DEPLOYMENTS: medium enterprise campus, large enterprise campus
CAMPUS WIRED INFRASTRUCTURE PAIN POINTS
Mobile workplace is mission critical
• Network must be resilient
Multiple tools and inconsistent policies
• Network must be unified and secure
More capacity demanded at the edge
• Network must be scalable
OLD INFRASTRUCTURE WON'T CUT IT: proprietary, inflexible, monolithic, hard-coded, manual; putting more demands on IT and the network
KEY REQUIREMENTS FOR A MOBILE FIRST NETWORK
Moving to a Mobile First network
• Policy: unified and multi-vendor
• Manageability: end-to-end and multi-vendor
• Wireless: best-in-breed
• Wired: optimized for wireless and IoT aggregation
• Network analytics for IT, user analytics for Line-of-Business
• End-to-end compelling TCO
How to solve IoT in your network
Per Port Tunneled Node
What is Tunneled Node?
Tunneled Node
• Extends the AP-controller tunneling scheme to the access switches
Per-port tunnel
• GRE tunnels from each port transport all traffic to/from "tunneled" interfaces
• Traffic from other interfaces is forwarded normally by the switch
• Management and control traffic is NOT tunneled
Policy enforcement
Trust QoS
Products
• 5400R switch series with v2 and v3 modules
• 3810 switch series
• 3800 switch series
• 2930F switch series
• 2920 switch series
* Tunneled Node is not supported in 2540/2530/2620.
Tunneled Node: unified policy enforcement for wired and wireless clients
Consistent wireless-wired network architecture
Centralized role-based policy enforcement
Access to Aruba controller’s security features such as Firewall, packet inspection and finger printing
Enhanced security with traffic separated by tunnels
Redundant controllers supported
Use case: Unified Policy Enforcement
(Diagram: ClearPass Policy Manager providing policy enforcement (CPPM, Skype for Business, etc.), guest management and device profiling, integrated with 3rd party MDM and 3rd party directory services; a local controller terminating the WLAN tunnel from the access points and the wired LAN tunnel from the access switches; core switch (VSF/IRF); SDN/API integration with Skype for Business (Lync Edge server); LAN, WWW and WAN/VPNs.)
Per port Tunneled Node supported models
Models (enterprise and SMB/branch): Aruba 5400 (V2), Aruba 5400R (V3), Aruba 3810M, Aruba 2930F/M, Aruba 3800, Aruba 2920
• Modular aggregation, access, small core 10Gb: high density modular with full PoE+, REST API, OpenFlow, Advanced L3
• Fixed aggregation, access, small core: high density modular with full PoE+, Smart Rate, VSF stacking, REST API, OpenFlow, Advanced L3
• Modular aggregation, access, small core 40Gb: high density modular with full PoE+, Smart Rate, VSF stacking, REST API, OpenFlow, Advanced L3
• Fixed aggregation, access, small core: high density modular with full PoE+, Smart Rate, stacking, REST API, OpenFlow, Advanced L3
• Fixed access switch: full PoE+ up to 1440W, Smart Rate, stacking, REST API, OpenFlow, Basic L3
• Fixed access switch: PoE+, Smart, stacking, REST API, OpenFlow, Basic L3
Per User Tunneled-Node
Per User Tunneled Node
(Diagram: tunnels from Aruba 5400R, 3810 and 2930M switches and from Aruba APs to the Aruba controllers.)
Secured and flexible control of the access layer
– Use Aruba ClearPass authentication and the switch's User Role to tunnel selected users/devices to the Aruba controllers
– Policies (e.g. QoS, ACL, VLAN, rate-limit) can be enforced at Tunneled Node ports
Access to the controller's applications
– Users can access controller applications such as the stateful firewall and Aruba AppRF
Higher availability and scalability
– Load balance to multiple controllers for high scalability
– Stateful failover to the standby management module for high availability
– Sticky controller: avoids bouncing tunneled sessions between different controllers
Available on the Aruba 5400R with v3 modules, 3810, 2930F and 2930M*
– Requires AOS 8.1 or later on the controllers
*Requires the ArubaOS-Switch 16.04 software release
Per user Tunneled Node supported models
• Aruba 5400R (V3): modular aggregation, access, small core 40Gb; high density modular with full PoE+, Smart Rate, VSF stacking, REST API, OpenFlow, Advanced L3
• Aruba 3810M: modular aggregation, access, small core 40Gb; high density modular with full PoE+, Smart Rate, VSF stacking, REST API, OpenFlow, Advanced L3
• Aruba 2930M: stackable with modular 10GbE/40GbE, Smart Rate, up to 1440W PoE+, REST API, OpenFlow, Access OSPF, Central
• Aruba 2930F: fixed 1/10GbE uplinks, up to 740W PoE+, VSF stacking, REST API, OpenFlow, Access OSPF, Central
ClearPass Authentication – Client View
• A Windows client is plugged into a tunneled-node port
• Enter the proper user credentials in the 802.1X authentication settings
• The client authenticates and receives an IP address
ClearPass Authentication – Access Tracker
• Client user access can be monitored from the Access Tracker in ClearPass.
• It shows which source the user is authenticating with (i.e. RADIUS), which ClearPass service profile is being used, and whether the login was accepted or rejected.
Even more features….
55
Aruba integration features
Areas: Management (AirWave), Policy (ClearPass), Zero Touch Provisioning, Cloud Mgmt. (Aruba Central), Wireless-optimized
16.01, 16.02 and 16.03:
• RADIUS/TACACS+, 802.1X, MAC Auth, internal Captive Portal
• Dynamic VLAN / ACL / CoS / Rate-Limit attributes; CoA & Disconnect
• Discover switches, basic monitoring
• Zero Touch Provisioning (ZTP) with AirWave using DHCP
• Support for 2540
• Wired user visibility
• Activate firmware upgrade
• Static IP user visibility
• Support for 2920 and 2930F
• Full configuration & management from the cloud
• Rogue AP detection with IAP
• Auto configure VLAN, PoE priority/power
• User View CLI command
• Trust QoS
• Per-port Tunneled Node **
• ZTP with Aruba Activate **
• IPsec support for the AirWave connection** *
• Support for 2540 and 3810M
• Partial config management (CLI window)
• External Captive Portal redirect
• CoA initiated port bounce
• User Role
• Full config. mgmt., CLI window
• Firmware upgrade
16.04:
• Full support for 2930M, switch topology map
• Custom Trusted Anchor, ZTP with IPsec* enhancement
• Support for 2530 and 2930M
• Per-User Tunneled Node**
• Downloadable User Roles
* IPsec for management traffic only
** IPsec and Activate-based ZTP are not supported on the 2530 and 2620. Tunneled Node is not supported on the 2530, 2620 and 2540
Aruba Integration Features* in 16.04
• Additional platforms on Aruba Central: support for 2530 and 2930M
• Aruba Central: batch processing, AnyCLI for the REST interface
• Activate/Central: Custom Trusted Anchor, ZTP with IPsec** enhancement
• Per User Tunneled Node
• AirWave integration: support for 2930M, switch topology map
* Not all Aruba switches support all the features listed here
** IPsec for management traffic only
Scalable, secured, and flexible control of access layer
HPE Aruba Company Confidential
Features in ArubaOS-Switch 16.04
• BFD enhancement: add support for BFD (Bidirectional Forwarding Detection) in static routes
• Control Plane Policing (CoPP): set rate limits on control protocols to protect the CPU from overload
• IEEE 802.3bz: standard compliance for Smart Rate ports
• IPv6 enhancements: IPv6 default gateway on the OOBM port, set IPv6 router preference
• System enhancements: /31 subnets, system boot diagnostics, enhanced fan/power/temperature status and reporting, custom MAC delimiter
Thank you
ClearPass
Tore Henriksen, 23 November 2017
Today's Digital Workplace Concerns
• Device visibility: over 90% of customers do not know how many devices, and of what types, are on their networks
• Connection options: customers lack plans for BYOD, IoT, wired, wireless and VPN policies
• User logins: customers want help with access for employees, guests, students, doctors
Internet of Things (IoT)
• No single IoT management tool
• Low cost devices
• Little or no security
• New attack vectors
"Hackers infect army of cameras"
"2,122 data breaches caused by IoT"
"Connected medical devices: the Internet of things-that-could-kill-you"
The Dyn attack
MAKE IoT SECURE AGAIN
Question of the day – week – month – year: WHAT IS THE
Visibility – the first step
Enhanced device visibility: DHCP, SNMP, SSH, TCP, WMI, CDP, LLDP, OnGuard, MAC OUI and NMAP all feed an accurate policy decision
NMAP
• NMAP port-based scanner
• On-demand or pre-scheduled scans
• Granular visibility for like devices
• Enhances our competitive advantage
Enhanced Profiling and Policy – Solving IoT Issues
Two IoT endpoints, before and after: before, both are only identified by MAC OUI; after an NMAP scan they are separated into a temperature sensor and a lighting sensor.
OLD WAY: wait for new fingerprints to be made and/or manually override devices 1:1
NEW WAY: create your own fingerprints!
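As an added example (not ClearPass's profiler or any Aruba code), the following Python models the before/after above: a built-in fingerprint keyed on MAC OUI and the DHCP option 55 parameter-request list classifies both sensors identically, and custom fingerprints that add an NMAP-derived open-port condition separate them. The vendor name, MAC addresses, DHCP option lists and port numbers are constructed for the illustration.

```python
"""Profiling two look-alike IoT endpoints with a custom fingerprint (added example).

Constructed illustration code, not ClearPass's profiler. It combines the MAC OUI,
the DHCP option 55 parameter-request list and an NMAP-style port scan into a
device category, and shows why two sensors from the same vendor only separate
once a custom, port-based fingerprint is added. All identifiers are made up.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed OUI table; a real profiler uses the IEEE registry.
OUI_VENDORS = {"00:1a:2b": "Acme IoT"}


@dataclass(frozen=True)
class Endpoint:
    mac: str
    dhcp_options: Tuple[int, ...]                 # DHCP option 55 as seen via the DHCP helper
    open_ports: FrozenSet[int] = frozenset()      # filled in by an on-demand NMAP scan


@dataclass(frozen=True)
class Fingerprint:
    category: str
    vendor: Optional[str] = None
    dhcp_options: Optional[Tuple[int, ...]] = None
    required_ports: FrozenSet[int] = frozenset()  # the custom, scan-derived condition

    def specificity(self, ep: Endpoint) -> Optional[int]:
        """Number of conditions matched, or None if any stated condition fails."""
        checks = []
        if self.vendor is not None:
            checks.append(oui_vendor(ep.mac) == self.vendor)
        if self.dhcp_options is not None:
            checks.append(ep.dhcp_options == self.dhcp_options)
        if self.required_ports:
            checks.append(self.required_ports <= ep.open_ports)
        return len(checks) if checks and all(checks) else None


def oui_vendor(mac: str) -> Optional[str]:
    return OUI_VENDORS.get(mac.lower()[:8])


def profile(ep: Endpoint, fingerprints: List[Fingerprint]) -> str:
    """The most specific matching fingerprint wins; no match gives 'Unknown'."""
    matches = [(s, fp.category) for fp in fingerprints if (s := fp.specificity(ep)) is not None]
    return max(matches)[1] if matches else "Unknown"


def enrich_with_scan(ep: Endpoint, scan: Dict[str, FrozenSet[int]]) -> Endpoint:
    """Attach the open ports reported by a (constructed) NMAP scan keyed by MAC."""
    return replace(ep, open_ports=scan.get(ep.mac, frozenset()))


# Built-in fingerprint: anything from this vendor with this DHCP signature is "an Acme IoT device".
BUILTIN = [Fingerprint("Acme IoT device", vendor="Acme IoT", dhcp_options=(1, 3, 6, 12))]

# Custom fingerprints: same OUI and DHCP behaviour, separated by the service each sensor exposes
# (constructed: 502/tcp on the temperature sensor, 1883/tcp on the lighting sensor).
CUSTOM = [
    Fingerprint("Temperature sensor", vendor="Acme IoT", dhcp_options=(1, 3, 6, 12),
                required_ports=frozenset({502})),
    Fingerprint("Lighting sensor", vendor="Acme IoT", dhcp_options=(1, 3, 6, 12),
                required_ports=frozenset({1883})),
]

# Constructed endpoints and scan output.
ENDPOINTS = [Endpoint("00:1A:2B:00:00:01", (1, 3, 6, 12)), Endpoint("00:1A:2B:00:00:02", (1, 3, 6, 12))]
SCAN_RESULTS = {"00:1A:2B:00:00:01": frozenset({502}), "00:1A:2B:00:00:02": frozenset({80, 1883})}


def before() -> Dict[str, str]:
    """Old way: built-in fingerprints only, no scan; both sensors look identical."""
    return {ep.mac: profile(ep, BUILTIN) for ep in ENDPOINTS}


def after() -> Dict[str, str]:
    """New way: scan first, then apply built-in plus custom fingerprints."""
    return {ep.mac: profile(enrich_with_scan(ep, SCAN_RESULTS), BUILTIN + CUSTOM) for ep in ENDPOINTS}


if __name__ == "__main__":
    print("before:", before())
    print("after: ", after())
```

The "most specific wins" rule is what keeps the built-in fingerprint from shadowing the custom ones: every custom fingerprint repeats the vendor and DHCP conditions and adds a port condition, so it scores higher whenever it matches at all.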
Understanding Device & IoT Connectivity Options
• Customers want to manage what devices connect
• Only some support secure connections
• 50% of IoT may be wired
• ClearPass supports any customer infrastructure and need
(Diagram: first, second and third floor.)
Wired vs Wireless: securing the ports
• Controllers: a small number of unused controller ports to close (zero with a VM)
• Switches and access points: 1000's of core, DC, campus & edge ports to define, close & secure
Software controls for "colorless" ports
• Device and user identity stores
• Ports assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network connecting to any port
• Prevention against malware and insider threats
• Secure per device tunneling from Aruba switches to the Aruba Mobility Controller
Enforce a per device policy based on user/role, device type/health, location and time/day
Adaptive Policy Using Device Ownership
Enterprise laptop: authentication EAP-TLS, SSID CORP-SECURE → internet and intranet
BYOD phone: authentication EAP-TLS, SSID CORP-SECURE → internet only
1. Uses the same identity store and EAP type
2. Leverages profiling and owner data
3. No need for separate SSIDs
OLD WAY: without advanced policy, separate traffic by SSIDs
NEW WAY: simplify with ClearPass, separate traffic dynamically
Value of a Policy Engine vs. AAA
Enforce a per device policy based on user/role, device type/health, location and time/day
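To make the "policy engine vs. AAA" distinction concrete, here is an added Python example (constructed for this page, not ClearPass code). The same user authenticates with EAP-TLS on CORP-SECURE from an IT-managed laptop and from a personal phone; plain AAA would accept both identically, while the policy below decides on certificate issuer (device ownership), OnGuard posture, group, location and time, and renders the result as Aruba RADIUS VSAs. The CA names, groups, roles and VLANs are made up; the Aruba vendor ID and sub-attribute numbers are an assumption to verify against the RADIUS dictionary of your ClearPass version.

```python
"""Policy engine vs. plain AAA (added example; constructed, not ClearPass code).

Plain AAA answers "are these credentials valid?". A policy engine also weighs
who the user is, who owns the device, its posture, and where and when it
connects, then hands the NAS an enforcement profile. Both devices below use the
same identity store, EAP-TLS and SSID; only context separates them.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

# Constructed CA names: IT-managed devices carry certificates from the enterprise PKI,
# personal devices carry per-device certificates from the onboarding CA.
ENTERPRISE_CA = "CN=Acme Enterprise CA"
ONBOARD_CA = "CN=Acme Onboard CA"
# Aruba vendor id and VSA sub-types (assumption: confirm against your RADIUS dictionary).
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE, ARUBA_USER_VLAN = 1, 2


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset            # AD/LDAP group membership
    auth_method: str
    ssid: str
    cert_issuer: str             # issuer DN of the presented client certificate
    device_type: str             # from profiling
    posture: str                 # from OnGuard: healthy / unhealthy / unknown
    location: str
    at: datetime


@dataclass(frozen=True)
class Decision:
    role: Optional[str]          # None means reject
    vlan: Optional[int]
    reason: str


def ownership(req: Request) -> str:
    return {ENTERPRISE_CA: "corporate", ONBOARD_CA: "byod"}.get(req.cert_issuer, "unknown")


def business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and 7 <= ts.hour < 19


def decide(req: Request) -> Decision:
    """Ordered rules; the first match wins and the default is reject."""
    if req.auth_method != "EAP-TLS" or req.ssid != "CORP-SECURE":
        return Decision(None, None, "only EAP-TLS on CORP-SECURE is accepted")
    owner = ownership(req)
    if owner == "unknown":
        return Decision(None, None, "certificate not issued by a trusted CA")
    if owner == "corporate" and req.posture != "healthy":   # agent-managed devices must pass posture
        return Decision("quarantine", 999, "posture not verified: remediation VLAN only")
    if "employees" in req.groups and owner == "corporate":
        return Decision("employee-full", 10, "IT-managed device: internet and intranet")
    if "employees" in req.groups and owner == "byod":
        return Decision("employee-internet-only", 20, "personal device: internet only")
    if ("contractors" in req.groups and owner == "corporate"
            and req.location == "campus" and business_hours(req.at)):
        return Decision("contractor", 30, "contractor on a managed device, on campus, in business hours")
    return Decision(None, None, "no rule grants access")


def aruba_vsa(subtype: int, value: bytes) -> bytes:
    """RADIUS Vendor-Specific (26) carrying one Aruba sub-attribute."""
    sub = bytes([subtype, 2 + len(value)]) + value
    return bytes([26, 6 + len(sub)]) + ARUBA_VENDOR_ID.to_bytes(4, "big") + sub


def radius_attributes(d: Decision) -> bytes:
    """Enforcement profile as it would travel in the Access-Accept (empty on reject)."""
    if d.role is None:
        return b""
    return aruba_vsa(ARUBA_USER_ROLE, d.role.encode()) + aruba_vsa(ARUBA_USER_VLAN, d.vlan.to_bytes(4, "big"))


def sample_requests() -> Dict[str, Request]:
    """Constructed requests: same user, EAP type and SSID, different context."""
    base = dict(user="thomas", groups=frozenset({"employees"}), auth_method="EAP-TLS",
                ssid="CORP-SECURE", location="campus", at=datetime(2017, 11, 23, 10, 0))
    return {
        "corp_laptop": Request(cert_issuer=ENTERPRISE_CA, device_type="Windows 10", posture="healthy", **base),
        "byod_phone": Request(cert_issuer=ONBOARD_CA, device_type="iPhone", posture="unknown", **base),
        "sick_laptop": Request(cert_issuer=ENTERPRISE_CA, device_type="Windows 10", posture="unhealthy", **base),
        "contractor_night": Request(**{**base, "user": "eve", "groups": frozenset({"contractors"}),
                                       "at": datetime(2017, 11, 23, 22, 0)},
                                    cert_issuer=ENTERPRISE_CA, device_type="Windows 10", posture="healthy"),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        d = decide(req)
        print(f"{name:17s} role={d.role} vlan={d.vlan} attrs={radius_attributes(d).hex()} ({d.reason})")
```

Note the posture rule only applies to corporate devices: a personal phone has no OnGuard agent, so its posture is "unknown" and is handled by giving it the narrower role rather than quarantining it.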
ClearPass Core Functionality: Identify, Enforce, Protect
Aruba ClearPass with the Exchange Ecosystem
• Network edge: multi-vendor wired/wireless/VPN (multi-vendor switching, multi-vendor WLANs)
• Network core: ClearPass provides Profiler, AAA/RADIUS, NAC, Certificate Authority, Onboarding, Guest and Device Registration
• Users: visitor, employee, employee BYOD, headless devices, contractor, administrator; IoT, BYOD and corporate owned devices
• Identity sources: AD/LDAP, SQL, token, PKI
• Context: user/role, time/day, location, device type/health
• Policy – Visibility – Workflow
• Exchange via REST API and syslog: security monitoring and threat prevention; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud
ClearPass Exchange: End to End Controls
Adaptive Trust context sharing: employee access → context shared → firewall policy adapts to need
Context shared, for example: Thomas, Mac OS 10.9.3, Marketing, 10.0.1.12
Works with AD, LDAP, ClearPass DB, SQL DB
No agents/clients required
Ingress Engine: third-party threat protection
Adaptive Trust defense based on real-time threat detection
1. The user connects to the LAN/WLAN and uploads a threat
2. The NGFW/IPS** sends an event to ClearPass
3. ClearPass isolates the client
• Offers an enhanced user experience, as ClearPass can initiate user notifications and help-desk tickets, and update third-party security solutions
• ** The device in step 2 can also be an MDM/EMM, SIEM, etc.
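The three steps above as an added Python example (constructed, not ClearPass's Ingress Engine): a CEF syslog event from the NGFW/IPS is parsed, its source IP is mapped to the session the policy engine authorised, the endpoint is marked quarantined so that re-authentication lands in a remediation role, and a RADIUS Disconnect-Request (RFC 5176) with a correctly computed Request Authenticator is built for the NAS. The event line, the session table and the shared secret are constructed; the CEF parser is deliberately minimal and does not handle escaped characters.

```python
"""Ingress event to client isolation (added example; constructed, not ClearPass code).

A NGFW/IPS reports a threat for an IP address. The policy engine maps the IP to
the session it authorised, marks the endpoint quarantined so the next
authentication hits the remediation role, and sends the NAS a RADIUS
Disconnect-Request (RFC 5176) to end the current session.
"""
import hashlib
import re
import struct
from typing import Dict, Optional

SHARED_SECRET = b"constructed-radius-secret"       # constructed
DISCONNECT_REQUEST = 40           # RFC 5176 code; a CoA-Request (43) has the same layout
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44

# Constructed NGFW event (CEF over syslog); CEF severity runs 0-10.
EVENT = ("<134>Nov 23 10:15:01 ngfw01 CEF:0|Acme|NGFW|7.0|MALWARE-UPLOAD|Malware upload blocked|9|"
         "src=10.0.1.12 dst=203.0.113.5 suser=thomas cs1Label=Rule cs1=av-block")

# Constructed view of what the policy engine learned when it authorised the session.
SESSIONS: Dict[str, Dict[str, str]] = {
    "10.0.1.12": {"mac": "a4-5e-60-11-22-33", "nas_ip": "10.0.0.1",
                  "acct_session_id": "A1B2C3D4", "user": "thomas", "status": "known"},
}

CEF_RE = re.compile(r"CEF:\d+\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(\d+)\|(.*)$")


def parse_cef(line: str) -> Optional[Dict[str, object]]:
    """Header fields plus the key=value extension (no escape handling: illustration only)."""
    m = CEF_RE.search(line)
    if not m:
        return None
    vendor, product, version, sig_id, name, severity, ext = m.groups()
    ev: Dict[str, object] = {"vendor": vendor, "product": product, "version": version,
                             "signature": sig_id, "name": name, "severity": int(severity)}
    ev.update(re.findall(r"(\w+)=(\S+)", ext))
    return ev


def radius_attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def build_disconnect_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Code | Identifier | Length | Request Authenticator | attributes.
    RFC 5176: authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """What the NAS checks before acting on a Disconnect/CoA-Request."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == received


def isolate_on_event(line: str, sessions: Dict[str, Dict[str, str]] = SESSIONS,
                     min_severity: int = 7, identifier: int = 1) -> Optional[bytes]:
    """Return the Disconnect-Request to send to the NAS, or None if there is nothing to do."""
    ev = parse_cef(line)
    if ev is None or ev["severity"] < min_severity:
        return None
    session = sessions.get(str(ev.get("src", "")))
    if session is None or session["status"] == "quarantine":
        return None
    session["status"] = "quarantine"     # re-authentication now lands in the remediation role
    attrs = (radius_attr(USER_NAME, session["user"].encode())
             + radius_attr(CALLING_STATION_ID, session["mac"].encode())
             + radius_attr(ACCT_SESSION_ID, session["acct_session_id"].encode()))
    return build_disconnect_request(identifier, attrs, SHARED_SECRET)


if __name__ == "__main__":
    pkt = isolate_on_event(EVENT)
    print("send to", SESSIONS["10.0.1.12"]["nas_ip"], "udp/3799:", pkt.hex() if pkt else None)
```

In a deployment the identifier must be unique per outstanding request and the NAS answers with a Disconnect-ACK or Disconnect-NAK; the quarantine mark on the endpoint is what makes the isolation stick when the client immediately reconnects.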
More Ways to Talk To ClearPass: ClearPass 6.6 has double the APIs
ClearPass Exchange: End to End Controls, for BYOD and corporate owned devices
Support for popular solutions and apps: infrastructure, security, SIEM, device management, MFA services
ClearPass Policy Manager and more…: Onboard, Guest and OnGuard, including remote locations
ClearPass Onboard – Simplifying BYOD
• User and IT friendly: automated one-time user registration, no IT intervention
• Security: IT managed, 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Simplify: force use of built-in device security for encryption and PIN/fingerprint verification. Simplifies MDM/EMM deployment.
Certificate Distribution for BYOD
Enterprise PKI and CA (IT-managed devices): Active Directory with Certificate Authority, Validation Authority and Registration Authority; the device is in the domain and receives a key & certificate
Built-in ClearPass CA (personal devices): the certificate is tied to domain, user and device; the device receives a key & unique certificate
Authentication Using Unique Device Certificates
1. The user's device is redirected to the portal
2. The user enters AD credentials to start onboarding
3. The user is automatically placed on the proper network segment
Easy, no passwords, secure: no more "Enter the password for 'Acme-net'"
• IT determines who can onboard devices
• Access differentiated by role and device
• Devices are not entered into Active Directory
• No need for employees on the guest network
ClearPass Guest – Access Options
• Consistent guest experience: access across locations and devices
• Sponsored: guest access for consultants, temporary employees and contractors
• Secure: access to the required infrastructure only, not the entire domain
• No IT: IT should not be involved in creating secure guest access
Customizable portal features
✔ Your branding and data fields
✔ Advertising – mobile app, more…
✔ Integration with 3rd party billing & property management systems
✔ Portal per department, location
✔ Social login, MAC cache, QoS
Examples: www.grandarubahotel.com, www.levisstadium.com
ClearPass OnGuard – Keeping the Enterprise Healthy
• Automated endpoint compliance: health checks before access; identifies poor behavior
• Wired & wireless endpoints: ensures posture compliance for laptops/computers
• Minimize risk: forces use of anti-virus, anti-spyware, firewalls, disk encryption
• Remediation: manual or full integration with helpdesk solutions
Automate device health checking
1. Detect non-compliant devices
2. Block access to network resources across wired, wireless & remote
3. Auto-remediate the device
Minimizes risk to the network; allows user self service
OnGuard Is Better Than Ever
– Better policy manipulation
– Support for regular expressions (RegEx) in the registry and installed-application health classes
– Better OS support
– The persistent agent can now run as a system service on Windows
– Native dissolvable agent auto-upgrade support
– OnGuard can now check whether macOS clients are missing any patches and, if auto-remediation is enabled, install the missing patches
– Better visibility
– Access Tracker visibility for posture classes and host agent details
– New system tray icons
Thank you
Tore Henriksen, [email protected]
Closing/summary, Airheads Tech Update
– Airheads Event Star Wars - http://page.arubanetworks.com/fy18-nor-airheads-sw_lp.html
– Aruba 8400 and ArubaOS-CX
– Aruba 360 Secure Fabric
– Star Wars film
– Please send any feedback to