Editor's note: Aruba Networks is the winner of the October SearchNetworking Network Innovation Award for its ClearPass Access Management System, a mobility management solution that manages and secures network access for any device or user across wired, wireless and VPNs through a centralized system.
The terms "mobile device management" and "bring-your-own-device (BYOD) management" are largely undefined. They can mean anything from basic mobile device cataloguing to complex network access control (NAC). For Aruba Networks, BYOD management means unifying management of the access control layer across wired, wireless and VPNs so that policy and provisioning can be controlled for any user, device or location from a central spot. That's the basis of the company's ClearPass Access Management System.
Aruba ClearPass acts as a NAC solution, an on-boarding and provisioning appliance, a guest networking manager, and it allows users to self-provision their own devices as necessary. We sat down with Robert Fenstermacher, Aruba director of product marketing, to learn more about ClearPass, the winner of the SearchNetworking Network Innovation Award.
Please run down the basics of ClearPass.
Robert Fenstermacher: ClearPass is an integrated platform for managing network services on mobile devices. At the core of the solution is the ClearPass Policy Manager, which is a full blade server and policy authority that acts as the single point of policy across an organization's wired, wireless and remote infrastructure. It will work with any network vendor; it can be used as a portal for users to manage their own individual devices; and it gives full visibility into what types of devices connect to the network.
Policy Manager can be built out [with software licenses] to support the requirements of bring your own device (BYOD). The first one is ClearPass Onboard, a software license that allows you to fully automate the device onboarding process. It configures the device and makes it productive for employees when they first connect their personal device. ClearPass Onboard also has a full certificate authority and validity responder so it can identify individual devices, associate them with users and then manage that association.
The next component is called OnGuard, which turns the policy manager into a full NAC solution with posture assessment and remediation. You can associate and authenticate devices and determine if they meet the minimum security criteria identified by your organization.
Next there is ClearPass Guest, which focuses on the onboarding process and onboarding workflows for guests. But it also interacts with guest users in a way that is relevant for the business. So in a retail setting that might mean pushing promotions [to customers]; or in a university environment, it might mean promoting events. Then there is a cloud service called ClearPass Quick Connect, and this is a subset of what you get in the Onboard license. It automatically configures a device to get onto the network.
Was ClearPass originally developed to be a BYOD and mobile device management solution?
Fenstermacher: ClearPass is actually the result of three technologies and two different acquisitions. There was the acquisition of Amigopod, which had a focus on guest access. And there was the acquisition of Avenda [Systems], which focused on access management. Simultaneously for the past 18 to 24 months there was a lot of internal development on similar functionality. I think the idea was to bring all of these together into an access management platform that would handle not only corporate-issued devices, but also BYOD.
[However], I think when the development and the acquisitions started, we could not have predicted just how massive a BYOD trend would be. A couple of years ago, BYODs were primarily iOS-based devices, and guest networking was also very important. We've been able to leverage that innovation to extend to other mobile platforms.
Is there a benefit to buying a mobile device management (MDM) or BYOD solution from a wireless LAN company?
Fenstermacher: The good thing about Aruba's perspective is that for the entire history of our company we have been laser focused on the challenge of mobility, and I think BYOD is a very natural extension of that. If we look at our early customers in this space, they are [organizations] that were deploying Wi-Fi in its earliest form. It was verticals like higher education, which were the first to experience personal devices at least at scale. So it's a natural evolution for us to look at the management of access for those devices. A lot of the innovation that is happening within the mobility space is around scaling for personal devices, security for those devices [and] improving the end-user experience on those devices.
How does ClearPass manage access and connectivity for both BYOD and remote offices?
Fenstermacher: When it comes to mobile devices, people expect a consistent experience wherever they go, whether it's in their office, in a conference room, in a remote [office], in a coffee shop, or at home. It's critical that companies unify that infrastructure to give this consistent experience. The first step to mobility is unifying the access layer, and the simplest way to do that is to centralize the management and control of that network.
Then you have a couple of benefits. The first is that it's a lot less costly to deploy unified access infrastructure. This is what we've been calling 'network right-sizing'. It also gives a more consistent experience. When you provide a central management and control infrastructure, you're managing the network, the policies and user and devices from one place, so it doesn't matter where they connect. Our infrastructure works in all of those places -- not only in campus Wi-Fi and wired infrastructures, we also provide infrastructure that goes into a remote office or even in a teleworker environment.
We also make a VPN software that will recognize when a user is not connected to one of those corporate-owned infrastructures, and it will automatically initiate, so you always have that secure connection with consistent policies and user experience.
With ClearPass, is policy based on location, user or device?
Fenstermacher: It has to be a combination of all of those, and I would add application use also. We look at who the user is and their role in the organization -- that's becoming more complex. We typically gain that through the authentication process. When they authenticate, they provide credentials and we use identity stores like Active Directory to identify their role.
Understanding who [is connecting] is important, but understanding what is [connecting] is equally important. Not just what type of device it is, but also the ownership of that device. Is it a corporate-owned iPad or a personally owned iPad? You may want to execute a different policy based on the device and your comfort level with it. There are a lot of techniques that we use -- basic things like fingerprinting and browser detection. We can also do more advanced fingerprinting like correlating SNMP [simple network management protocol] information, or we can look at network heuristics and how the device authenticates. To determine whether it's a corporate-owned or personally owned device, you could set up an asset database for devices you issue as a corporation and then match that at the time the device authenticates.
The location is also becoming increasingly important. Some of our customers that are in the technology space, for instance, may want to allow BYOD in their administrative buildings, but not in research and development facilities that they deem to be more restrictive or secure. We can do this by setting up zones of physical location across an organization.
The fourth one I would add is device usage [and applications]. You may want to prioritize applications that you have deployed as an organization and deprioritize personal applications like Skype, for instance.
The really important thing is that all of these are dynamic, so you aren't just invoking policy at the point of authentication, you are always looking at how that device is used.
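The answer above describes an access decision built from four inputs: the user's role (looked up in an identity store such as Active Directory at authentication time), the device and its ownership (matched against a corporate asset database), the physical zone, and observed application use, with the decision re-evaluated as usage changes. The following is an added illustration of that decision shape, not Aruba's or ClearPass's code. The identity store, asset database, zone rules, VLAN numbers and the "deprioritize Skype" rule are all constructed stand-ins; a real deployment would query AD/LDAP, an asset inventory and the network for these values.

```python
"""Added illustration (not ClearPass code): a toy access-policy evaluator that
combines user role, device ownership, physical zone and observed application
use, and re-evaluates the decision as usage changes after authentication."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the real data sources named in the interview.
IDENTITY_STORE = {"alice": "engineering", "bob": "admin-staff", "guest-17": "guest"}
CORPORATE_ASSETS = {"00:11:22:33:44:55"}             # MACs the corporation issued
ZONE_ALLOWS_BYOD = {"admin-building": True, "rnd-lab": False, "lobby": True}
ROLE_VLAN = {"engineering": 100, "admin-staff": 200, "guest": 900}  # assumed
BYOD_VLAN = 300                                       # assumed VLAN for personal devices
DEPRIORITIZED_APPS = {"skype"}                         # the interview's example


@dataclass
class Session:
    user: str
    mac: str            # learned during the authentication exchange
    device_type: str    # result of fingerprinting (DHCP/browser/SNMP); constructed here
    zone: str           # physical location zone the access device belongs to
    apps_seen: set = field(default_factory=set)


@dataclass
class Decision:
    allow: bool
    role: str
    ownership: str
    vlan: Optional[int]
    qos: str
    reason: str


def classify_ownership(mac: str) -> str:
    """Match the authenticating device against the corporate asset database."""
    return "corporate" if mac in CORPORATE_ASSETS else "personal"


def evaluate(session: Session) -> Decision:
    """Compute the access decision from who, what, where and how the device is used."""
    role = IDENTITY_STORE.get(session.user)
    ownership = classify_ownership(session.mac)
    if role is None:
        return Decision(False, "unknown", ownership, None, "none",
                        "authentication failed: user not in identity store")
    # Location rule: personal devices are only admitted in zones that allow BYOD.
    if ownership == "personal" and not ZONE_ALLOWS_BYOD.get(session.zone, False):
        return Decision(False, role, ownership, None, "none",
                        f"personal devices not permitted in zone {session.zone}")
    # Corporate devices land in the role's VLAN; personal ones in a BYOD VLAN.
    vlan = ROLE_VLAN[role] if ownership == "corporate" else BYOD_VLAN
    # Application usage observed after authentication changes priority, not access.
    qos = "deprioritized" if session.apps_seen & DEPRIORITIZED_APPS else "normal"
    return Decision(True, role, ownership, vlan, qos, "policy matched")


def observe_app(session: Session, app: str) -> Decision:
    """Dynamic policy: feed observed usage back in and re-evaluate the session."""
    session.apps_seen.add(app.lower())
    return evaluate(session)


if __name__ == "__main__":
    s = Session("alice", "aa:bb:cc:dd:ee:ff", "ipad", "admin-building")
    print(evaluate(s))                       # personal iPad admitted to BYOD VLAN
    print(observe_app(s, "Skype"))           # same session, now deprioritized
    print(evaluate(Session("alice", "aa:bb:cc:dd:ee:ff", "ipad", "rnd-lab")))  # denied
```

The point the example makes is that the same user gets different outcomes depending on which device and which zone the request arrives from, and that `observe_app` shows the decision being recomputed after authentication rather than fixed at login.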
Can ClearPass work across technology from any networking vendor?
Fenstermacher: Most networks are multivendor. We accommodate over 130 vendors for this solution -- that is one of the hallmarks of ClearPass.
You've mentioned the importance of scale in ClearPass. Can you explain?
Fenstermacher: We are hearing from our customers that their current infrastructure can't support the scale of mobile devices that are connecting. Five years ago, [these organizations] could never have predicted the number of authentication requests or the types of policies they would need to define today. That's been a big selling point for ClearPass -- we can cluster our appliances and support over 1 million devices. It has been an appropriate solution for very large organizations and large venues.