12.07.2015 Views

Aruba ClearPass Access Management System ... - Mayflex


Aruba ClearPass Access Management System
FREQUENTLY ASKED QUESTIONS


AP-120 SERIES CONFIGURATION
CLEARPASS ACCESS MANAGEMENT SYSTEM – FREQUENTLY ASKED QUESTIONS

Table of Contents

General Product Questions
1. What is ClearPass?
2. How does ClearPass compare with what enterprises are doing today for BYOD
3. Didn’t Aruba address BYOD already? What does ClearPass add?
4. Are enterprises prepared for BYOD?
5. What are the different components of ClearPass?
6. Is ClearPass developed at Aruba or licensed?
7. When is ClearPass available?
8. What happens to Amigopod customers?
9. How will Amigopod customers upgrade to ClearPass Policy Manager?
10. Has Amigopod been removed from the pricelist and/or discontinued with the introduction of ClearPass?
11. I already have a RADIUS server. Why would I need to buy ClearPass Policy Manager?
12. Why is ClearPass Policy Manager better than my existing RADIUS server?
13. I already have Active Directory to authenticate users, why would I need this?
14. I already have a NAC solution and want to use ClearPass for provisioning devices. What can I do?
15. Will ClearPass work for users that connect to public cellular networks?
16. Is ClearPass NAC? Is it competitive for NAC opportunities?
17. How does ClearPass fit into Aruba’s Mobile Virtual Enterprise (MOVE) architecture?
18. How does ClearPass integrate with Aruba’s mobility controller appliance or virtual controller with Instant?
19. How does ClearPass differ from AirWave? Do I need both?
20. What are the key target markets for ClearPass?
21. Can ClearPass be deployed on existing networks or does the customer have to upgrade to Aruba wired and wireless?
22. Is ClearPass easy to deploy?
23. What are some of the opportunities to position ClearPass?
24. How do customers order ClearPass?
25. Does ClearPass provide an interface for integration with other customer infrastructure?

ClearPass Access Management System Core Features
26. What are some of the unique capabilities delivered with the ClearPass Access Management System?
27. What are the top advantages of the ClearPass Policy Manager AAA platform?
28. What identity stores are supported by the ClearPass platform?
29. How many unique accounts can ClearPass Policy Manager handle?
30. What devices are supported by the ClearPass Onboard and ClearPass QuickConnect products?
31. What’s the difference between ClearPass Onboard and ClearPass QuickConnect
32. How is QuickConnect offered in the Cloud?
33. Why is profiling devices important to an enterprise?
34. How does Aruba’s Dynamic Profiling differ from competitive offerings?
35. Where does network access control fit within the ClearPass solution?
36. Is ClearPass Mobile Device Management (MDM)?
37. What about controlling what apps are actually on the device? Some MDM vendors claim they can do this.
38. Can the ClearPass Policy solution be used for compliance requirements?

ClearPass Access Management Licensing
39. How are the ClearPass products packaged and delivered?
40. How does ClearPass Policy Manager handle redundancy and load balancing?
41. How can customers increase the number of devices that authenticate against the ClearPass Policy Manager?
42. Is ClearPass OnGuard required for Policy Manager to work?
43. When would I purchase additional OnGuard licenses?

ARUBA NETWORKS CHANNEL PARTNER CONFIDENTIAL – DO NOT DISTRIBUTE


General Product Questions

1. What is ClearPass?

The ClearPass Access Management System is a new security services platform that offers unparalleled simplicity when managing and applying secure role-based network access across wireless, wired and VPNs.

Providing the industry’s first and only framework built to successfully manage all aspects of BYOD provisioning and onboarding, ClearPass makes it easy for IT and personally-owned mobile devices to securely connect to any network.

- The first step is onboarding the device to the network. This includes automatically configuring the device’s settings and assigning it a unique ID.
- Next it will invoke the appropriate policy. This essentially involves looking at all the relevant context of that user, their device and location, etc. while enabling the policy dynamically. It also allows that policy to change as the context of the connection changes.
- Finally, the framework handles enforcement of that policy across the global organization, over any vendor’s wired, wireless and remote network.

2. How does ClearPass compare with what enterprises are doing today for BYOD?

Because BYOD is relatively new, there are many ways that enterprises are addressing personal devices.

- Open network/Manual device configuration – many enterprises have not yet addressed the BYOD challenge. It is not uncommon for organizations to allow users to apply their username and password to any device. This means an employee’s personal Kindle Fire would have the same level of access as a corporate-issued laptop.


- Virtual Desktop – some enterprises address the problem of BYOD with virtualization. In this scenario, no corporate data can be stored on the device and no applications can be run natively on the device. The challenge here is that VDI is limited in scope and in many cases does not provide a user experience that is optimized for mobile handheld devices like the iPad. This is because VDI often replicates a Windows machine on a smartphone or tablet.
- VPN – Many enterprises are addressing BYOD with a short-term workaround of virtual private networks (VPN). Personal devices must launch a VPN session in order to gain corporate network access.
- MDM – According to Gartner, the enterprise MDM market has more than 60 players with a wide range of products, services and capabilities. These range from lightweight approaches that push small mobile agents to the device to heavyweight client-side management software that supports actions such as containerization and selective wipe.
- Access Control – Access Control vendors ranging from Bradford Networks to Cisco ISE address policy control for personal devices and will often assess the risk of the device before allowing it to access the network.

What makes ClearPass unique is that it does what all of the other point-products can’t do – it offers a comprehensive workflow for BYOD.

- Onboarding the device. Automatically provisioning the device’s settings and checking to make sure the device hasn’t been compromised in any way and doesn’t present any risk.
- Handling policy decisions and policy enablement. Essentially taking in all the information about the context of the user and device and enabling the appropriate policy.
- Finally, handling enforcement of that policy across the global organization, over wired, wireless and remote.

3. Didn’t Aruba address BYOD already? What does ClearPass add?

With the introduction of the Aruba MOVE architecture in early 2011, Aruba delivered BYOD capabilities that addressed the primary challenge at that time, which was iOS devices connecting to Aruba WLAN networks. MOVE also offered device fingerprinting, self-serve provisioning of iOS devices and context-based policy enforcement across Aruba networks.


With the addition of ClearPass to the MOVE architecture, Aruba offers far more extensive policy enforcement and device provisioning capabilities which can be used across most vendors’ network infrastructure devices. The ClearPass system also now provides device posture assessment and remediation, more accurate device profiling, and centralized policy management visibility.

4. Are enterprises prepared for BYOD?

While many organizations have started tackling the challenges of personal devices, there are three major questions that remain:

- How do I keep my network and my users protected?
- How do I provide a reliable & intuitive experience to my employees & guests?
- How do I minimize impact to my IT and helpdesk staff?

5. What are the different components of ClearPass?

The Aruba ClearPass platform consists of the following products:

ClearPass Policy Manager – ClearPass Policy Manager provides the baseline platform for policy management, AAA, profiling, network access control and reporting. The result is centrally managed secure network access that accommodates requirements across multiple locations and multivendor networks, regardless of device ownership and connection method.

The ClearPass Policy Manager is available as security hardened virtual or hardware appliances and turnkey software.

ClearPass OnGuard – ClearPass OnGuard, available as a software module of the ClearPass Policy Manager, enables organizations to run advanced endpoint posture assessments, as well as baseline network access control (NAC) health checks to ensure compliance and safeguards before devices connect to a secure network.

In addition to anti-virus, anti-spyware and personal firewall checks for devices running the Windows, Mac OS X and Linux operating systems, Aruba’s Windows OnGuard agents perform advanced posture assessments, such as handling the use of peer-to-peer applications, VM applications and USB storage devices, with automatic and manual remediation options. Assessments can be performed using Aruba’s persistent and dissolvable OnGuard agents as well as operating systems’ native agents.

ClearPass Onboard – ClearPass Onboard, available as a software module of the ClearPass Policy Manager, fully automates device onboarding for IT via a built-in administration interface. ClearPass Onboard offers full self-service provisioning for Windows, Mac OS X, iOS, and Android devices that includes configuration of 802.1X settings as well as the distribution and revocation of unique device credentials.

Additional features include the ability to push configuration settings for mobile email with Exchange ActiveSync and VPN clients for some device types.

ClearPass Profile – ClearPass Profile, available as a software module of the ClearPass Policy Manager, offers the only progressively tiered profiling service for discovering, classifying and grouping all attached endpoints, regardless of the device type. A wide range of unique contextual data – from MAC organizational unique identifiers (OUIs) and DHCP fingerprinting characteristics to identity-centric data – can be collected to create context-based access policies.

Stored data is also used to identify device profile changes and dynamically modify authorization privileges. For example, if a printer appears as a Windows laptop, ClearPass Policy Manager can automatically deny access.

ClearPass Guest – ClearPass Guest, available as a software module of the ClearPass Policy Manager, simplifies workflow processes, allowing receptionists, employees and other non-IT staff to create temporary accounts for Wi-Fi access. Once registered, ClearPass Guest delivers account login credentials to users via SMS text message or email. Accounts can be set to expire automatically after a specific number of hours or days.

Role-based access control scales to thousands of users. Customizable guest portal allows organizations to apply organization branding and user code of conduct messaging. Self-registration and automated credential delivery streamline IT operations and efficiency.

ClearPass QuickConnect – ClearPass QuickConnect offers an easy way for users to self-configure their Windows, Mac OS X, iOS, Android and Linux devices to support 802.1X authentication on wired and wireless networks. Creating a uniquely simplified workflow, ClearPass QuickConnect dramatically reduces helpdesk calls and IT overhead, while propagating the deployment of secure network policies based on 802.1X.

QuickConnect is available as a cloud service and is licensed yearly based on the total number of devices that require onboarding to an organization’s secure network.


6. Is ClearPass developed at Aruba or licensed?

ClearPass consolidates three distinct integration and development efforts.

1. The acquisition of Amigopod in early 2011
2. The acquisition of Avenda in late 2011
3. Over one year of internal Aruba development on complementary technology that was never productized.

These three technologies are brought together into one product offered as either a hardware appliance (ClearPass Policy Manager + licenses) or with limited functionality as a cloud-based service (ClearPass QuickConnect).

7. When is ClearPass available?

A limited number of ClearPass products are available on the Aruba pricelist as of January 2012. For SKUs and pricing, please download the latest Aruba pricelist.

Products available as of the January 2012 pricelist:
- ClearPass Policy Manager
- ClearPass OnGuard
- Amigopod (to be transitioned to ClearPass Onboard, ClearPass Guest)

Products available on the April 2012 pricelist:
- ClearPass Profile
- ClearPass Onboard
- ClearPass Guest

Before April 2012(Current SKUs)April 2012(New SKUs)AAA CPPM CPPM CPPMNACCPPM CPPM CPPMAugust 2012(Integration)OnGuard OnGuard OnGuardGuest Amigopod Amigopod onlyProfileOnboardN/ACPPMProfileQuickConnect CPPM +Amigopod+Amigopod MDPS OnboardCPPMGuestCPPMProfileCPPMOnboard

8. What happens to Amigopod customers?


The April software release of Amigopod will include additional operating system support (Windows, OS X, Android) for MDPS and other incremental updates and bug fixes. This will effectively provide ClearPass Onboard to Amigopod customers.

In the August timeframe Aruba is planning to release a common ClearPass platform that will be capable of supporting both Policy Manager (+ OnGuard & Profile) and Amigopod (+ Guest & Onboard).

At that time, Amigopod customers can upgrade to ClearPass Policy Manager with Onboard if required.

The following table looks at the upgrade path for both Avenda and Amigopod customers to ClearPass.

           Avenda                      Amigopod
AAA        No change                   Add CPPM
NAC        No change                   Add CPPM + OnGuard
Guest      Upgrade license to Guest    Upgrade to CPPM + Guest license
Profile    Add Profile license         Add CPPM + Profile
Onboard    Add OnBoard license         Upgrade to CPPM + Onboard

9. How will Amigopod customers upgrade to ClearPass Policy Manager?

This will not be a point and click upgrade for Amigopod customers and will most likely require a second appliance (hw or vm) to build and restore that configuration backup in parallel to the existing environment. Details on this upgrade procedure are still to be determined as the development is not complete.

10. Has Amigopod been removed from the pricelist and/or discontinued with the introduction of ClearPass?

No, the Amigopod product has not been removed or discontinued from the Aruba portfolio of products. Instead, Amigopod will be absorbed into the ClearPass family and rebranded as ClearPass Guest.

At its core, Amigopod delivers enterprise-grade guest access using personally-owned devices into a corporate network, so it is a natural fit to include these capabilities under the ClearPass umbrella of network security services.


11. I already have a RADIUS server. Why would I need to buy ClearPass Policy Manager?

ClearPass Policy Manager is required to run the Profile, Guest, Onboard and OnGuard software licenses. Although there may be some overlap in functionality, the Policy Manager provides policy management functionality not provided by standard RADIUS servers. The Policy Manager can co-exist with existing AAA infrastructure by acting as a proxy if needed. Customers can continue to run the two systems in parallel or can migrate to ClearPass as the primary RADIUS server.

12. Why is ClearPass Policy Manager better than my existing RADIUS server?

Many existing AAA products, including RADIUS and TACACS+ servers, are legacy platforms where many releases have reached their end of life. Examples are Cisco’s ACS and Juniper’s Steel Belted RADIUS. In each case, customers are required to migrate to a new platform or maintain two separate products. If you have experienced problems or if you are concerned about continuing support of the existing platform, you should investigate Aruba ClearPass. In addition, the requirements for AAA and NAC have changed dramatically with the emergence of new demands on access security driven by BYOD initiatives. Legacy platforms are not equipped to deal with this new paradigm. Here are some of the differences between Aruba ClearPass and other AAA offerings:

Cisco ACS
- Many releases discontinued and EOL’d by Cisco
- No integrated NAC (posture/health based enforcement)
- Performance issues when scaling for large deployments
- Weak multi-vendor network device support
- Poor reporting functionality
- Inflexible policy model – trouble supporting multiple auth sources & types
- Difficult to configure, manage, and deploy
- No integrated guest management function

Juniper UAC
- Difficult to install and manage (customer feedback)
- Most expensive solution on the market
- Works best with Juniper devices. Many features are not available in a multi-vendor network infrastructure
- Very basic guest management functionality
- No built-in endpoint device audit capabilities
- Must use the UAC Client (former Odyssey client) for advanced health capabilities
- Limited clustering for single management and scalability
- No utility for self-provisioning and configuration for user endpoints


Microsoft NPS
- No support for captive portals
- Only supports AD as an auth source (no SQL, no LDAP, no Token server, etc.)
- No context-based policies. Access can only be granted on identity, not location, device, time of day, etc.
- Only VLAN-based enforcement – limited VSAs and no downloadable ACLs, TACACS+, or web-based enforcement
- Limited Windows-only health checks with NAP
- No VM deployment option

13. I already have Active Directory to authenticate users, why would I need this?

In order to satisfy many of today’s usage scenarios while increasing the level of security provided, an identity-based policy management system would be the best approach. A full-featured solution like Aruba’s can provide many more capabilities to improve overall security and offload your IT staff from having to manage many aspects of access control, guest management and helpdesk activities.

14. I already have a NAC solution and want to use ClearPass for provisioning devices. What can I do?

For ClearPass Onboard the NAC solution would first scan the device for vulnerabilities and only pass validated clients to ClearPass Onboard for provisioning.

ClearPass QuickConnect can be used to configure devices prior to connecting to 802.1X networks. The existing NAC solution would then perform a basic health check once the device authenticates onto the network.

15. Will ClearPass work for users that connect to public cellular networks?

Yes, for clients that use VPN clients such as Aruba’s VIA client, a mobile device will always redirect enterprise data back to the enterprise network and be subject to policies defined for that network.

In the case of Aruba’s VIA client, the VPN session is set up automatically, without requiring the user to initiate it. This is very important as many devices today that have both Wi-Fi and cellular capabilities will tend to roam between the two networks without alerting the user.

16. Is ClearPass NAC? Is it competitive for NAC opportunities?

While the definition for Network Access Control varies, ClearPass can be considered a NAC offering. However, unlike traditional point NAC solutions, ClearPass brings together role-based policy management, device onboarding, policy control and reporting into one cohesive, easy to use system.

Competitive solutions are either multi-box or just point products, and do not offer the ease of use or the multivendor support of ClearPass.

Note that Gartner rates ClearPass as the Most Visionary NAC solution on the market today!

According to Gartner: “The company's ability to support Microsoft NAP-enabled endpoints (Windows 7, Vista and XP SP3) without requiring an agent, its support for non-Microsoft endpoints (via agents), and a strong road map for profiling features has earned it a high score for Completeness of Vision”

17. How does ClearPass fit into Aruba’s Mobile Virtual Enterprise (MOVE) architecture?

ClearPass enhances the Aruba MOVE architecture with access management functionality. The ClearPass solution provides three key advantages:

- Works across every major mobile OS: Extends MOVE device onboarding benefits to include not only iOS but now Mac OS X, Windows and Android operating systems to deliver the most dynamic provisioning capable solution in the industry.


- Works over any vendor’s network: ClearPass easily and securely extends Aruba’s policy definition and enforcement capabilities, allowing Aruba customers to define and implement policies across multivendor wireless networks, switches, routers, and clients. As a result, Aruba can now deliver policy and role-based network access for any organization without the cost and complexities of other solutions while also providing full-featured device posture assessment and profiling.
- Security visibility and reporting: ClearPass extends Aruba’s AirWave RF visibility to now include comprehensive security visibility and forensics needed to pinpoint root causes for network access issues, per-user bandwidth concerns and known endpoint vulnerabilities.

18. How does ClearPass integrate with Aruba’s mobility controller appliance or virtual controller with Instant?

Although ClearPass can be used on any vendor’s wireless, wired, and remote network, there are inherent advantages to using Aruba access networks for policy enforcement. With the Policy Enforcement Firewall (PEF) capabilities that reside on the Mobility Controller appliance and Instant virtual controller, policies that are defined on ClearPass can be mapped directly to firewall roles on the controller. These firewall roles can then take a variety of actions to improve the security and reliability of the network.

Other access networks will typically enforce policies by defining VLANs or downloading Access Control Lists (ACLs) within switches and routers. This doesn’t work very well in a mobile environment because it maps to a VLAN-centric architecture. Because VLANs weren’t designed for policy enforcement, their use is limited and they are very difficult to set up and maintain.

19. How does ClearPass differ from AirWave? Do I need both?

Aruba’s AirWave product is designed to provide management and visibility for mobile networks and connected users. AirWave is a network management system that employs a user-centric approach, identifying who is on the network, where they are accessing the network, the mobile devices they’re using, and how much bandwidth is being consumed by specific devices.

ClearPass complements a network management system like AirWave by providing comprehensive management and reporting of security and policy transactions across the network. ClearPass also provides advanced troubleshooting and forensics needed to pinpoint root causes for network access issues and known endpoint vulnerabilities.


20. What are the key target markets for ClearPass?

Enterprise-class RADIUS/AAA services, robust policy management, dynamic device provisioning and advanced guest access capabilities make ClearPass suitable for any organization that wants to modernize their network access security infrastructure to accommodate enterprise-wide mobility and employee BYOD initiatives. This would include the following examples:

- K-12 and higher education institutions – District-wide or campus-wide access differentiation, visibility, troubleshooting and manageability that is easy to use and deploy.
- Healthcare clinics and hospitals – Mobile device and role-based user authentication with long-term archiving by user session to assist with HIPAA compliance requirements.
- Large enterprises, distributed enterprises – Scalability to manage tens of thousands of authentications, devices and mobile users with centralized, single-console operations.
- Retail organizations – Field-proven multisite support with integrated role-based policy assignment, monitoring and PCI compliance reporting.
- Government – Consolidation of policies across departments regardless of identity store type or administrative ownership, for wired and wireless access.

21. Can ClearPass be deployed on existing networks or does the customer have to upgrade to Aruba wired and wireless?

The ClearPass Access Management system is the industry’s first and only independent platform for policy management, network access control, and BYOD provisioning and onboarding. While there are advantages when deployed with Aruba wireless infrastructure, Aruba ClearPass can be deployed with any existing network infrastructure from any major vendor.

22. Is ClearPass easy to deploy?

ClearPass Policy Manager is a very easy to use/deploy solution which includes many tools to assist in deployment including a configuration wizard, pre-configured templates, and policy simulation to name a few.

23. What are some of the opportunities to position ClearPass?

- The ClearPass Policy Manager can be used for RADIUS upgrades as a number of older standalone solutions from Cisco and Juniper have reached end-of-life (EOL).
- The Policy Manager can be used where other vendors’ network access control solutions require a proxy to an enterprise-class RADIUS server.


AP-120 SERIES CONFIGURATIONCLEARPASS ACCESS MANAGEMENT SYSTEM – FREQUENTLY ASKED QUESTIONSAny organization looking to deploy BYOD and identity-based policy management in an<strong>Aruba</strong> or mixed vendor environment can now choose a single platform that worksacross wireless, wired and VPN networks.The <strong>ClearPass</strong> solution can also solve customers’ device profiling requirements using atiered and dynamic profiling model which drastically improves the confidence level foraccurately identifying endpoint devices.<strong>ClearPass</strong> Guest is a proven solution for any opportunity that requires guest access,enterprise and public access.QuickConnect allows you to sell into any non-<strong>Aruba</strong> environment.24. How do customers order <strong>ClearPass</strong>?<strong>ClearPass</strong> software module licensing is based on the total number of authenticatingdevices. When ordering a <strong>ClearPass</strong> software license, it is important to identify the totalnumber of devices an organization currently utilizes and is looking to migrate towards inthe future to size the solution accordingly. The <strong>ClearPass</strong> software modules arecategorized in the following way:<strong>ClearPass</strong> QuickConnect – A cloud-based tool for IT administrators to build deviceconfiguration wizards for connecting devices to wireless or wired networks. 
<strong>ClearPass</strong> Policy Manager - The base platform (either a virtual server or fullhardware/software turnkey solution) that includes AAA/RADIUS services, centralizedpolicy management and enforcement functionality, and reporting capabilities.Additional functionality is derived by purchasing the following optional licenses:- <strong>ClearPass</strong> Onboard – Wizard-driven provisioning and onboarding of devices forwireless, wired, or VPN connectivity to address employee BYOD initiatives.- <strong>ClearPass</strong> OnGuard – Downloadable or dissolvable agents that perform health andposture assessments as well as remediation capabilities for any Windows or Mac OSX-based device before allowing these devices onto a secure network.- <strong>ClearPass</strong> Profile – Accurate identification and classification of devices attached to asecure network for policy definition and enforcement.- <strong>ClearPass</strong> Guest – Secure workflow for allowing guest access to a secure network.Additional guidance around ordering a <strong>ClearPass</strong> solution as well as obtaining evaluationlicenses is available in the <strong>ClearPass</strong> <strong>Access</strong> <strong>Management</strong> <strong>System</strong> Licensing and CustomerEvaluation Support sections of this FAQ.25. Does <strong>ClearPass</strong> provide an interface for integration with other customer infrastructure?ARUBA NETWORKS CHANNEL PARTNER CONFIDENTIAL – DO NOT DISTRIBUTE PAGE 16


Yes, an open XML-based API allows for integration with existing IT service management solutions and other custom applications. The use of an extensible API permits the accessibility of ClearPass data to virtually any application developer without specialized knowledge of the platform.

ClearPass Access Management System Core Features

26. What are some of the unique capabilities delivered with the ClearPass Access Management System?

ClearPass is the only solution today to seamlessly enable BYOD using a complete user and device lifecycle management model; device onboarding and enrollment, identity and context-based access control, device revocation, and complete visibility. The ClearPass policy engine allows for simultaneous policies using user identity/role-based assignments (i.e. Active Directory credentials), MAC authentication (MAC auth), web authentication (web auth) and 802.1X methods to differentiate user and device access.

27. What are the top advantages of the ClearPass Policy Manager AAA platform?

- The industry’s most intuitive policy Admin interface. Includes pre-configured templates, built-in deployment and helpdesk tools, compliance reporting and more.
- Full featured policy management engine and AAA services that abstract the complexity of RADIUS and TACACS+ to support all popular use cases (802.1X, Web & MAC auth, etc.). Note that Cisco’s ISE product and many point solutions from other vendors do not support TACACS+.
- Role-based differentiated access for employees, guests, partner/contractors, IT managed and BYOD devices, printers and more.
- Authentication and enforcement using standards-based protocols for any Aruba and multi-vendor WLAN, Wired, and VPN infrastructure.
- Innovative clustering techniques support a variety of local and remote deployment options where the Policy Manager can be centrally deployed or distributed to best suit customer needs.

28. What identity stores are supported by the ClearPass platform?


The ClearPass Policy Manager gives customers the option to authenticate and authorize end users and devices against Microsoft Active Directory (AD), LDAP, SQL databases, two-factor token servers, and an internal database.

The Policy Manager provides the advantage of being able to authenticate and authorize against separate identity stores, i.e. authenticates users against Active Directory and checks for MAC addresses against a SQL database.

29. How many unique accounts can ClearPass Policy Manager handle?

ClearPass is expected to scale to multiple millions of unique accounts. Aruba has tested a configuration of 1.5 million entries in a single cluster of ClearPass appliances. This is not the maximum capacity per cluster; this is the tested capacity with the hardware.

30. What devices are supported by the ClearPass Onboard and ClearPass QuickConnect products?

By the April 2012 timeframe, both ClearPass Onboard and ClearPass QuickConnect will support:

- OS X 10.5/10.6/10.7
- Windows XP/Vista/7
- iOS 5.0/5.0.1/5.1
- Android 2.2/2.3/3.x/4.0
- Linux – Ubuntu


31. What’s the difference between ClearPass Onboard and ClearPass QuickConnect?

| | Onboard | QuickConnect |
|---|---|---|
| Device Support | (iOS now, Android/Windows/Mac at the end of April, Ubuntu mid May) for dot1X | (Windows, iOS, Mac OS, Android now, Ubuntu mid May) for dot1X |
| Push Supplicants/Agents | Yes | Yes |
| Configure VPN | Yes | No |
| Configure Active Sync & Exchange | Yes | No |
| Install Programs/Apps | Yes (Windows only) | Yes (Windows only) |
| Push Unique Machine Credentials | Can push certificates (iOS/Mac Lion) and Unique Credentials (Android/Windows) to devices and revoke their access | No |
| Requires ClearPass Policy Manager | Yes | No |
| Administration | ClearPass Policy Manager | Cloud-based with yearly subscription |
| Use Case | Best for enterprise environments where there are multiple things to configure on new devices, especially environments where certs/credentials are required | Best for environments that experience constant change (universities) or organizations that are moving to dot1X and do not require certs/credentials |
| Works over Any Vendor’s Network | Yes | Yes |
| License tracking | Through ClearPass Policy Manager | Cannot track how many users configure devices (sold by total number of users / honor system for adherence to purchased usage license) |

32. How is QuickConnect offered in the Cloud?

Administrative functions are managed in the cloud, where an administrator can configure, download, and store 802.1X configuration install packages. The installation package is then hosted locally and delivered from an IT-owned web server.

33. Why is profiling devices important to an enterprise?

The most basic requirement for profiling is just to find out what’s on the network. This is important not only for reporting but also to help with things like capacity planning.

More importantly, profiling is important for implementing policies. With BYOD, enterprises need to create policies based on the context of the connection; who is connecting, with what device, where and to what applications. But now that network security and user experience are based on context, the accuracy of that context becomes far more important. It is especially important to ensure the accuracy of things like user role and device type. If I have different security roles for laptops and smartphones, I need to be very confident that the network doesn’t profile a device incorrectly and thus create a security breach.

With ClearPass, Aruba now offers the industry’s most accurate device detection capabilities that can be used for access control.

34. How does Aruba’s Dynamic Profiling differ from competitive offerings?

The Policy Manager platform is capable of using baseline fingerprinting data from DHCP and web browsers within a policy, as well as using more advanced techniques directly from Active Directory, device agents and provisioning data.

Competitive solutions usually stop at baseline fingerprinting. ClearPass Profile benefits the most from the information gathered by provisioning the device. During provisioning, ClearPass interacts directly with the OS kernel and has full visibility into device characteristics. Solutions that don’t provision the device cannot provide the same level of profiling accuracy.

35. Where does network access control fit within the ClearPass solution?

ClearPass OnGuard licensing utilizes persistent and dissolvable agents to perform posture and traditional NAC health checks against policies that reside in the Policy Manager. The agents can authenticate any node in a Policy Manager cluster. Pre- and post-admission controls are natively supported through NAC and Microsoft network access protection (NAP) methods.


36. Is ClearPass Mobile Device Management (MDM)?

The ClearPass Access Management System currently employs a great deal of MDM functionality specifically around configuring, provisioning and the secure onboarding of computers, smartphones and tablets, as well as more advanced features such as configuring security, VPN and email settings, installing applications (note that application installation is currently only for Windows devices), managing bandwidth and revoking access for lost or stolen devices.

There are two reasons that Aruba is moving in this direction with ClearPass:

1. Better policy control – To do policy control in a BYOD environment, there is a great advantage to also doing device provisioning. Provisioning the device and associating a unique machine ID with that device provides a level of knowledge and control that wouldn’t be possible otherwise.
2. Less expensive for supporting mobile devices – The other reason is one of simple economics. Customers don’t want to have to buy yet another system for managing devices. They would prefer that the access network do the majority of what MDM does today. And they ultimately want the OS manufacturers to control what’s on the device with offerings like Windows Server or Mac OSX Server.

Much of what MDM does today will be marginalized as infrastructure vendors start to handle the onboarding process. And Aruba is the first one to take this step.


Unlike MDM solutions, ClearPass will address not only handheld mobile devices like smartphones and tablets, but also the next wave of employee-owned devices that often consist of laptops and Ultrabooks. MDM is also limited to devices that have the MDM agent installed, which may not be the case if a device doesn’t trigger installation of the MDM client through ActiveSync.

However, some customers may also be looking to perform remote wipes or otherwise fully manage the firmware of a device. In this case, these customers should consider Windows and Mac OS X servers that will handle all Windows, iOS and Mac OS X devices, or third-party MDM products. For customers that have existing MDM solutions in place, Aruba has validated interoperability with many of the major MDM providers.

37. What about controlling what apps are actually on the device? Some MDM vendors claim they can do this.

Most enterprises don’t want to dictate what an employee can download to their personal device. What they want is to limit the use of certain apps when the device is connected to their corporate network. This is the approach that Aruba ClearPass uses. ClearPass can set policies based on application use and keep applications from traversing the corporate network.

38. Can the ClearPass Policy solution be used for compliance requirements?

Customers are successfully using the ClearPass solution to capture and archive access data in a variety of verticals such as higher education, healthcare, financial services and more. The ability of the ClearPass solution to provide per session user and device information satisfies many requirements associated with PCI, HIPAA, Sarbanes-Oxley, and more.

ClearPass Access Management Licensing

39. How are the ClearPass products packaged and delivered?

The ClearPass products are available in the following packages:

- ClearPass Policy Manager – available as either a 1U appliance or as a VMware virtual appliance.
- ClearPass OnGuard – orderable software license (ClearPass Policy Manager required).
- ClearPass Onboard – orderable software license (ClearPass Policy Manager required).
- ClearPass Profile – orderable software license (ClearPass Policy Manager required).
- ClearPass Guest – orderable software license (ClearPass Policy Manager required).
- ClearPass QuickConnect – currently available as a cloud-based service.


40. How does ClearPass Policy Manager handle redundancy and load balancing?

The ClearPass Policy Manager uses a clustering model that allows you to configure additional appliances as subscribers to a designated publisher appliance. All administrative changes are propagated from publisher to subscriber.

Authentications can also be shared across appliances (hardware and VM) in a cluster to load balance incoming requests. Appliances can also be distributed in a cluster deployment.

41. How can customers increase the number of devices that authenticate against the ClearPass Policy Manager?

If the number of authentications surpasses the limit set on the existing ClearPass Policy Manager hardware and VM appliance, additional appliances can be added in the cluster model described above to support additional devices.

42. Is ClearPass OnGuard required for Policy Manager to work?

No, OnGuard is not required for Policy Manager to work. In fact many customers start with identity-based authentication and AAA, and then add posture assessment and health checks at a later time using persistent and dissolvable agents.

43. When would I purchase additional OnGuard licenses?

OnGuard licenses are structured so that customers can purchase OnGuard agents for all of the computers within their organization or start with a targeted group of devices. For example, a customer can start by only purchasing agents for their more mobile sales staff and later decide to purchase additional licenses to support a greater number of users/devices.

Infrastructure Support

44. ClearPass is being advertised as an open, multivendor solution. Which vendor products does ClearPass interoperate with?

ClearPass Policy Manager, Guest and QuickConnect are currently deployed in networks that consist of Aruba Networks, Cisco, Hewlett-Packard, Enterasys, Juniper and other network vendors’ products across the globe.

Enterprise-class RADIUS, guest management and device provisioning services support industry standards regardless of vendor or industry.


45. Is there a limit on the number of devices the ClearPass Policy server can support?

There is a range that is designated by the physical characteristics of the ClearPass baseline appliance. To support a greater number of devices, customers can purchase additional appliances to create a cluster that can support very large numbers of devices. For additional details and proper sizing of a ClearPass server, check the latest Aruba pricelist.

46. Can the ClearPass solution support policies where non-802.1X capable switches exist?

Yes. The use of OnGuard agents, or captive-portal registration, allows organizations that are migrating to more secure 802.1X-capable devices to deploy policy management in a phased manner.

Device Profiling/Provisioning Support

47. Can ClearPass configure iOS, Windows, Android and Mac OS X devices for 802.1X?

Yes. Aruba ClearPass is the only complete configuration, provisioning and onboarding solution in the industry.

48. Once a device has been onboarded is there any software left on the device?

No, the ClearPass Onboard executable is purely a configurator. It doesn’t actually authenticate you; you will still need a valid cert and/or user account, both of which can be deleted/revoked if an employee leaves a company.

49. What happens if someone loses a device, like a phone, that has been configured to access the secure enterprise network?

ClearPass identifies each unique device associated with a user and access can be revoked for that individual device without having to manipulate the user’s AD or LDAP credentials.

50. How does ClearPass uniquely identify and manage devices?

ClearPass issues certificates for iOS and OS X Lion devices and unique credentials for each Windows and Android device associated with a user so that it can take unique action on that device. This certificate or credential acts as a unique machine ID.

Beyond this we inventory devices and embed data about the device that was enrolled within the client certificate/credential such as MAC address, UUID, serial number etc. These unique machine IDs are stored securely within the certificate store.

51. Is there an option for users to self-register BYOD devices like smartphones or gaming devices?


Yes. A self-registration option allows users to enter information about their devices that can then be used during authentication and authorization of devices to create a more granular and secure policy.

52. What type of device attributes are displayed within the ClearPass Policy Manager through self-registration or profiling?

ClearPass Policy Manager provides the following client device attributes:

- Device type (i.e. iPhone, iPad, iPod)
- Device OS
- Device OS detail
- Manufacturer
- Model
- Serial number
- Network interface vendor

ClearPass Appliances Information

53. Is ClearPass available as a turnkey appliance?

Yes, ClearPass Policy Manager is available as turnkey hardware/software appliance optimized for running ClearPass software. There are three appliance versions (HW & VMware) currently available:

1) CP-HW-500/CP-VA-500 capable of scaling up to 500 total devices
2) CP-HW-5K/CP-VA-5K capable of scaling up to 5000 total devices
3) CP-HW-25K/CP-VA-25K capable of scaling to 25,000 total devices

Ordering information is available in the Aruba price list.

54. Can my customer install ClearPass Policy Manager on an existing server, and/or supply their own hardware?

Yes, ClearPass Policy Manager can be purchased in a VMware format for ESX infrastructure and installed on customer supplied servers/hardware platforms. A sizing guide for customer supplied hardware is available on Arubapedia.


55. Does ClearPass VM appliance software run on Linux or Windows?

No, ClearPass VM software is not supported on Linux or Windows platforms. Supported versions of VMware are available in the product documentation located here.

Customer Evaluation Support

56. Are there evaluation versions of ClearPass Policy Manager and QuickConnect available for Aruba SEs?

Yes. Information regarding how to obtain an evaluation version of ClearPass Policy Manager can be found on Arubapedia. Please make sure that the instructions in the "Licenses" section are followed.

SEs can obtain QuickConnect credentials on their own by entering their email address here.

57. How can my customer request an evaluation version of ClearPass?

Customers interested in evaluating ClearPass Policy Manager, OnGuard, QuickConnect and Guest can obtain a software evaluation license through their Aruba SE - ClearPass Eval Request.


Glossary of Acronyms

802.1X – IEEE standard for port-based network access control
AAA – authentication, authorization and accounting
AD – Active Directory (Microsoft)
BYOD – bring your own device
DHCP – dynamic host configuration protocol
EOL – end of life
HIPAA – health insurance portability and accountability act
LDAP – lightweight directory access protocol
LMS – license management system
MAC auth – authentication using a media access control database
MDM – mobile device management
NAC – network access control
PCI – Payment Card Industry
RADIUS – Remote Authentication Dial-In User Service
SSID – service set identifier
TACACS+ – Cisco proprietary, terminal access controller access-control system plus
web auth – authentication using a captive portal


About Aruba Networks

Aruba Networks is the leading provider of next-generation network access solutions for mobile enterprise networks. The company’s Mobile Virtual Enterprise (MOVE) architecture unifies wired and wireless into one cohesive network access solution based on a user’s identity. This gives your enterprise workforce secure access to network resources based on who they are – no matter where they are, what devices they use or how they connect.

Listed on the NASDAQ and Russell 2000® Index, Aruba is based in Sunnyvale, California, and has operations throughout the Americas, Europe, Middle East, Africa and Asia-Pacific-Japan regions. To learn more, visit Aruba at http://www.arubanetworks.com. For real-time news updates follow Aruba on Twitter, Facebook, or the Green Island News Blog.

1344 Crossman Ave. Sunnyvale, CA 94089-1113
Tel 408.227.4500 | Fax 408.227.4550 | info@arubanetworks.com | www.arubanetworks.com

© 2011 Aruba Networks, Inc. AirWave®, Aruba Networks®, Aruba Mobility Management System®, Bluescanner, For Wireless That Works®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFprotect®, The All Wireless Workplace Is Now Open For Business, Green Island, and The Mobile Edge Company® are trademarks of Aruba Networks, Inc. All rights reserved. Aruba Networks reserves the right to change, modify, transfer, or otherwise revise this publication and the product specifications without notice. While Aruba uses commercially reasonable efforts to ensure the accuracy of the specifications contained in this document, Aruba will assume no responsibility for any errors or omissions.

Note: All scaling metrics outlined in this document are maximum supported values. The scale may vary depending upon the deployment scenario and features enabled.
