Originally designed as a network access control (NAC) solution, Aruba ClearPass continues to evolve into a portfolio of network security tools. Even as the capabilities expand, ClearPass continues to deliver on its central purpose of controlling network access at scale.
Aruba, a Hewlett Packard Enterprise (HPE) company, provides mobility and IoT solutions for organizations of all sizes. A pioneer in wireless networking, Aruba now offers infrastructure services as software from the public or private cloud to enable secure connectivity for a wide range of devices including mobile and IoT. The company was founded in 2003 and is a wholly owned subsidiary of HPE.
Aruba ClearPass Policy Manager
Aruba ClearPass provides role- and device-based network access control for employees, students, contractors and guests across any multi-vendor wired, wireless and VPN infrastructure. ClearPass provides a foundation for network security with the ability to:
Identify users and devices connecting to networks
Detect the state of connecting devices
Construct and enforce policies
Provide vendor agnostic integration
ClearPass has become a family of products that support the main NAC functions:
Policy Manager allows IT staff to implement policies for how users and devices connect and what corporate data they can access to provide core NAC functionality
OnGuard licenses: An agent, dissolvable agent, or agentless tool that checks device status in depth to deliver endpoint assessments
Compliance Suite licenses: Enable integration with Device Insight
Onboard licenses: Onboarding options for employees to register devices
Agents
For endpoint posture assessment and remediation, Aruba offers ClearPass OnGuard, available as a persistent agent, agentless, or as a dissolvable agent. Persistent agents will be predominantly deployed on corporate-owned computers. Dissolvable agents can be deployed temporarily to BYOD and visitor devices to ensure minimum requirements are met before allowing any form of network access. Agents can be deployed to Windows, macOS and Linux operating systems, with some capabilities not available for macOS or Linux.
Applicable Metrics
Aruba ClearPass is deployed in high-volume authentication environments (e.g. 10+ million authentications a day) as well as distributed environments requiring local authentication survivability across multiple geographies (e.g. 30 points of presence). Users report a 25,000 concurrent user appliance can “easily handle between 250 and 300 authentications per second.” The company also maintains an extensive list of third-party integrations (firewalls, SIEMs, MDM/EMM, Network Access Devices, etc.).
Security Qualifications
When ClearPass is running in FIPS Approved mode, it utilizes a FIPS 140-2 validated cryptographic module. It is also on the U.S. Department of Defense Unified Capabilities Approved Products List (UC-APL).
Features
Multiple enforcement methods (RADIUS, TACACS, SNMP) supported as well as the OnConnect proprietary non-RADIUS enforcement
User database options for Active Directory, LDAP, and SQL
Device fingerprinting and comprehensive posture assessment identify type and model name, MAC address, IP address, network interface card vendor, operating system and version
Onboarding options for defining authority to onboard corporate and bring-your-own-device (BYOD) devices and number of onboarded devices per user
Self-service onboarding with built-in certificate authority (CA)
OnGuard security options define and enforce minimum levels of health required to allow network access to a device
Robust Guest access options customizable for branding or sponsor-based approvals to allow self-service, temporary guest accounts to access the network
Context-based policy engine supports granular policy enforcement using user role, device type, authentication method, location, time-of-day, and more
Wireless Intrusion Prevention
Government certified with FIPS 140-2 Level 2 / 3 validation, Common Criteria Type-accreditation, and listed within the Unified Capabilities Approved Product List.
Vendor agnostic: can propagate access policies for other vendors, including Cisco
Integrates security alerts from over 170 security and IT management solutions and can act as a clearing house for attack alerts
Flexible deployment options: Physical or virtual appliances; stand-alone or deployed in clusters.
Wired, wireless, and virtual private network (VPN) access support
Extensive third-party integration
Automatically blocks unauthorized devices and those that do not meet minimum security standards
Intuitive policy configuration templates and troubleshooting tools
Single sign-on (SSO) support for Ping, Okta, and more
IoT device support using MAC address authentication
Cons
Requires multiple licenses to establish functional NAC
More expensive option in the short term
Little community support
Setup can be complex and challenging
Intelligence
ClearPass Exchange and ClearPass Extensions allow integration with third parties to share information with other vendor platforms. Additionally, it can bi-directionally share information with UEBA products such as Aruba IntroSpect (formerly Niara), which provides machine learning-based security analytics to adjust network access should threat indexes reach certain levels.
Delivery
Physical appliance provides advanced policy control for up to:
500 simultaneous sessions (C1000)
5,000 simultaneous sessions (C2000)
25,000 simultaneous sessions (C3000)
Virtual Appliance supports major virtualization options:
Amazon AWS (EC2)
KVM on CentOS 7.7, Ubuntu 18.04, and Ubuntu 20.04
Microsoft Azure
Microsoft Hyper-V 2016/2019 R2/2019
VMware ESXi up to 7.0
Clusters of physical and virtual appliances can be deployed to expand reach or improve resilience through redundancy.
Permanent licenses that do not expire, but often require additional fees for updates and support
Subscription licenses that expire in one, three, or five years. After expiration, the product will continue to operate, but updates and changes (configuration, service, etc.) are not available
Evaluation licenses typically between 90 and 180 days (3-6 months)
Each appliance must have a Policy Manager Platform base-level license (available as permanent or evaluation licenses only). ClearPass application licenses are also sold based on the level of capabilities required:
Entry licenses:
Available as permanent or evaluation licenses
Supports a limited number of core features: 802.1X Authentication, MAC authentication, web-based user registration and authentication, MFA, OnConnect, some 360 Security exchange capabilities
Access licenses:
Enable the full suite of features, authentication types, and Guest functionality
Network Scan only functions on Policy Manager servers with an Access license
Available as permanent, subscription, or evaluation licenses
Access Upgrade licenses:
Allow the upgrade of an Entry license to an Access license
Available as a permanent license only
All Entry licenses must be upgraded simultaneously
OnGuard licenses: A permanent, non-expiring license for Policy Manager OnGuard
Compliance Suite licenses
Available in one, three, and five year subscriptions
Enable Policy Manager to integrate with Device Insight
Are required for each device for OnGuard deployment
Dissolvable agents may only be deployed once per 24-hour period
Onboard licenses:
Minimum of 100 licenses
Available as permanent, subscription, or evaluation
Allows Onboard-generated device certificates
Costs vary based upon the appliance, level of support, the number of devices supported, and duration of the licenses. HPE Aruba provides an ordering guide and will list prices on their website, but those sales will be fulfilled by partners. Prices through partners may be eligible for promotional or bulk discounts, so the prices listed may be representative, not exact.
Sampling published partner pricing approximates the suggested retail prices as:
Aruba ClearPass provides flexible deployment options to manage high volumes of concurrent users, both employees and guest users. The options for automatically onboarding and authenticating users support the high-volume surges of user requests associated with concert venues, sports stadiums, convention centers, airports, and other locations where temporary guest user requests can surge and ebb on a regular basis.
While a more expensive option, HPE and Aruba back their ClearPass product with the confidence inspired by their brand, robust support options, and a large partner network.
This article was originally written by Drew Robb on July 7, 2017, and updated by Chad Kime on March 29, 2023.
eSecurity Planet lead writer Chad Kime covers a variety of security, compliance, and risk topics. Before joining the site, Chad studied electrical engineering at UCLA, earned an MBA from USC, managed 200+ ediscovery cases, and helped market a number of IT and cybersecurity products, then transitioned into technical writing policies and penetration test reports for MSPs and MSSPs.