Mantra Networking Mantra Networking

Aruba Networks: Aruba ClearPass

Aruba Networks: Aruba ClearPass
Created By: Lauren R. Garcia

Table of Contents

  • Overview
  • Cluster and Extension Considerations
  • Integration Details (API & External Services)
  • Certificate Management
  • Example Enforcement Profile Setup
  • Captive Portal and Visitor WLAN
  • Using the Configuration API
  • Troubleshooting & Best Practices
  • Conclusion

Aruba ClearPass Overview

What Is Aruba ClearPass?

Aruba ClearPass is a comprehensive network access control (NAC) platform designed to secure wired, wireless, and VPN network environments. It provides advanced authentication, authorization, and accounting (AAA) services, guest access management, device onboarding, policy enforcement, and robust integration capabilities. ClearPass stands out for its rich support of both traditional and modern identity sources, flexible policy creation, and seamless integration with existing infrastructure.

Why You Need to Know About Aruba ClearPass

  • Security and Compliance: ClearPass allows you to enforce strong access controls, ensuring only authenticated and authorized users or devices can connect to your network. This is crucial to prevent unauthorized access, data breaches, and to comply with regulatory frameworks.
  • Visibility and Control: Gain deep visibility into who and what is on your network, from laptops to IoT endpoints. ClearPass provides real-time insights and forensic-level logging for audits and troubleshooting.
  • Guest and BYOD Flexibility: Built-in workflows support guest onboarding, device self-registration, and streamlined BYOD (Bring Your Own Device) experiences without sacrificing security or user experience.
  • Automation and Scale: With robust APIs and tight integration with third-party systems (e.g., Active Directory, MDM, firewalls), ClearPass enables automated provisioning, dynamic policy enforcement, and orchestration across diverse enterprise environments.

How Aruba ClearPass Works

ClearPass operates as a centralized policy manager on your network. Its workflow typically includes:

  • Authentication: When a user or device attempts to connect, ClearPass intercepts the request and verifies identity using sources such as AD, LDAP, RADIUS, or certificates.
  • Policy Evaluation: The platform evaluates a set of policies based on user role, device type, posture (e.g., compliance status), location, time, and other contextual factors.
  • Enforcement: Depending on policy outcome, ClearPass communicates with network switches, wireless access points, VPNs, or firewalls to grant, restrict, or deny access. Enforcement actions can include VLAN assignment, role mapping, web redirects, and posture checks.
  • Onboarding and Guest Management: ClearPass provides guest registration and onboarding portals, allowing visitors and employees to securely provision their devices onto the network, often with automated certificate deployment and minimal IT touch.
  • Integration: ClearPass integrates with security ecosystems and IT workflows. For example, it can share context with SIEM platforms, update firewall rules dynamically, or trigger adaptive responses based on threat intelligence.

Overall, Aruba ClearPass is a core component for any organization aiming to improve network security posture, enable zero trust principles, and automate identity-driven access across an increasingly complex and heterogeneous infrastructure.

Cluster and Extension Considerations

When deploying Aruba ClearPass in a clustered environment, planning the deployment and management of extensions is crucial for stability and scalability. Follow these steps to ensure proper cluster extension configuration:

  1. Install Extensions on Each Node Individually:
    • Extensions are not automatically synced across cluster members.
    • Manually upload and install required extensions on every node in the ClearPass cluster.
  2. Choose Extension Operation Mode:
    • Periodic Sync Mode:
      • Install the extension on one or more nodes (often on publishers).
      • If using multiple nodes for sync, stagger their schedules to avoid simultaneous updates to the central database.
    • HTTP Authorization Source Mode:
      • The extension must be installed on every cluster member handling authentications.
      • Use the same IP address for the extension on all nodes. Duplicate IPs are permitted since traffic stays internal to each node.
  3. Maintain Extension Version Consistency:
    • All nodes should run the same version of each extension to avoid compatibility issues.
    • Update extensions on every node during upgrades or patching.
  4. Test Failover and Redundancy:
    • Verify extension functionality during simulated node failovers.
    • Check that critical services provided by extensions remain available throughout the cluster.
  5. Monitor and Audit Extension Activity:
    • Enable logging on each node for all installed extensions.
    • Regularly review logs for errors, failures, or version mismatches.

Tip: Document all cluster extension deployments, including node assignments and update schedules, to streamline future maintenance and reduce risk during scaling or recovery events.

Integration Details (API & External Services)

ClearPass offers robust APIs and integration options for third-party services, enabling automation, orchestration, and external data integration. The following steps will guide you through setting up and securing API access and using external services for dynamic authentication and authorization.

  1. Create an API Client:
    • Navigate to Administration > API Services > API Clients.
    • Click Add to create a new client.
    • Enter the Client ID, secret, and set an expiration, if desired.
    • Set the Grant Type to match the authentication flow (e.g., password for OAuth2 username/password authorization).
  2. Assign Operator Profile Privileges:
    • Go to Administration > Operator Logins > Profiles.
    • Create or modify a profile to assign required privileges. This includes:
      • Read-Only access to policy data
      • Write access for creating or updating endpoints/accounts
      • Admin for full control over configuration API operations
  3. Test API Authentication with OAuth2:

    Use a tool like curl to validate your API client and user credentials. Below is a sample API token request:

    curl -X POST "https://clearpass.hostname/api/oauth" \
  -H "Content-Type: application/json" \
  -d '{"grant_type": "password", "username": "api_user", "password": "your_password", "client_id": "ClearPassClient"}' \
  -m 30 \
  -v \
  -k

    This will return an access token you can use in further API calls.

  4. Enable External Authorization Sources (Optional):
    • Navigate to Configuration > Authentication > Sources.
    • Add external identity sources such as AD, LDAP, SQL, or a REST-based HTTP service.
    • Assign them to your service rules for user or device-based authentication.
  5. Use API Explorer for Interactive Testing:
    • Log in to the built-in ClearPass API Explorer interface.
    • Browse available endpoints to perform configuration, endpoint lookups, and enforcement actions.
    • Useful for testing queries or simulating automated workflows before pushing into production.

Best Practice: Always use HTTPS and rotate your API client secrets on a regular basis. Apply role-based access control (RBAC) to limit what each API client can retrieve or modify.

Certificate Management

Proper certificate management in Aruba ClearPass is essential for securing communication between clients, servers, and external integrations like guest portals or network devices. Follow the steps below to manage server and trust certificates within your ClearPass deployment:

  1. Access the Certificate Store:
    • Go to Administration > Certificates > Server Certificate.
    • Here you can view existing certificates, generate CSRs, or import new certificates.
  2. Generate a Certificate Signing Request (CSR):
    • Click Create Certificate Signing Request.
    • Fill in the required fields such as Common Name (CN), Organization, and Country.
    • Important: Include Subject Alternative Names (SANs) for all IPs or hostnames if using ClearPass in a cluster or captive portal deployment.
    • Download the CSR and submit it to your preferred Certificate Authority (CA).
  3. Import a Signed Certificate:
    • Once the CA returns the signed certificate, return to the Server Certificate section.
    • Click Import Certificate and upload the signed certificate along with any intermediate chain or root CAs.
    • Select the appropriate usage type (e.g., Server Authentication, HTTPS, RADIUS).
  4. Install Trusted Root and Intermediate CAs:
    • Go to Administration > Certificates > Trust List.
    • Click Add to upload any root or intermediate certificates used by your internal PKI or third-party CAs.
    • These certs are required for client certificate validation and secure SSL communication.
  5. Assign Certificates to System Services:
    • Navigate to Administration > Server Manager > Server Configuration.
    • Click on the hostname of the server and scroll down to the Service Certificates section.
    • Assign the proper certificate to HTTPS, RADIUS EAP, and other enabled services.
  6. Verify Certificate Bindings:
    • After assignment, restart affected services if prompted.
    • Test portal connections, EAP authentications, and API integrations to ensure SSL handshakes complete successfully.

Tip: Monitor certificate expiration dates regularly and plan renewals in advance to avoid disruptions in authentication or portal access.

Example Enforcement Profile Setup

Setting up enforcement profiles and policies in Aruba ClearPass allows you to define exactly what actions the system should take after a successful authentication. Follow these steps to create a basic enforcement profile and use it in an enforcement policy:

  1. Create an Enforcement Profile:
    • Navigate to Configuration > Enforcement > Profiles and click Add.
    • Provide a unique Name and (optionally) a Description for your profile.
    • Select the appropriate Template (e.g., ClearPass Entity Update Enforcement or Aruba RADIUS Enforcement).
    • Click to the Attributes tab and add required attributes (such as VLAN Assignment, Role, or custom attributes, depending on your use case).
    • Click Save to finish creating the enforcement profile.
  2. Create an Enforcement Policy:
    • Go to Configuration > Enforcement > Policies and click Add.
    • Enter a Name for the policy, and set the Enforcement Type (e.g., RADIUS).
    • Optionally, choose a Default Profile for unmatched requests.
  3. Define Enforcement Policy Rules:
    • Click the Rules tab within your enforcement policy.
    • Click Add Rule and set your matching criteria (for example, Role equals Guest or Device Type equals Printer).
    • For each rule, select the enforcement profile you created earlier to be applied when the rule matches.
    • Repeat as necessary to build up all needed conditions and actions.
    • Click Save to apply.
  4. Reference the Policy in a Service:
    • Associate your enforcement policy with the relevant Service (e.g., your 802.1X wireless or guest access service) under Configuration > Services.
    • In the service settings, locate the Enforcement Policy section and select your new policy from the dropdown.
    • Save your service configuration.
  5. Test and Validate:
    • Authenticate a test user or device to ensure the correct enforcement actions are applied.
    • Check logging and monitor live sessions to confirm behavior matches your enforcement rules.

Tip: Use descriptive names for profiles and policies, and carefully document your rule logic to simplify troubleshooting and future modifications.

Captive Portal and Visitor WLAN

Deploying a Guest WLAN with Captive Portal in Aruba ClearPass enables secure, self-service network access for visitors while enforcing authentication and usage policies. Follow these structured steps to configure your environment:

  1. Create the Visitor WLAN (SSID):
    • Log into your managed wireless environment (controller or Aruba Central).
    • Navigate to WLANs or Wireless Networks and click Add SSID.
    • Set SSID Name (e.g., Visitor or Guest).
    • For Primary Usage, select Guest.
    • Configure VLAN assignment for guest traffic separation.
    • Save and continue to security settings.
  2. Enable Captive Portal Authentication:
    • In your WLAN settings, set Security Level to Open or Captive Portal.
    • Select External Captive Portal as the splash page type.
    • Enter the ClearPass server's FQDN or IP address. Ensure this matches the certificate used on ClearPass for HTTPS.
    • Set the login URL to point to your ClearPass Guest or registration page as configured earlier.
    • Enable HTTPS to secure guest credentials.
  3. Configure Pre-Authentication Access Controls:
    • Permit access to DHCP, DNS, and the ClearPass captive portal before authentication.
    • Restrict access to all other resources until authentication succeeds.
    • Optionally, rate-limit pre-authenticated clients to conserve bandwidth.
  4. Build the Captive Portal in ClearPass:
    • Log in to ClearPass Guest.
    • Go to Configuration > Pages > Self-Registration and click Create new self-registration page.
    • Name your self-registration page and select or customize a portal template.
    • Set login options and configure registration/email/SMS receipt as desired for your visitor workflow.
    • Save and publish the portal.
  5. Assign Certificates for Secure Access:
    • Import a valid SSL certificate on the ClearPass server with SANs covering all portal URLs.
    • Test portal access over HTTPS to avoid browser security warnings.
  6. Configure Role Mapping and Enforcement:
    • In ClearPass Policy Manager, create roles such as Guest Pre-Auth and Guest Internet.
    • Map authenticated users to the Internet-only or restricted roles as needed.
    • Set dynamic enforcement policies based on registration status, sponsor approval, or MAC caching.
  7. Integrate with Visitor Onboarding or Third-Party Services (Optional):
    • Enable integration to provision credentials or send notifications to visitors upon successful registration.
    • Configure workflows to print passes, send SMS/email access credentials, or link with visitor management platforms.
  8. Test and Validate the Guest Workflow:
    • Connect a test client to the guest SSID and verify redirection to the captive portal.
    • Complete registration and ensure network access is granted post-authentication.
    • Review logs for successful authentication, role assignment, and access enforcement.

Tip: Regularly update guest portal content and review access policies for security compliance. Document all configurations to support audits and future changes.

Using the Configuration API

The Aruba ClearPass Configuration API provides powerful automation capabilities for managing users, endpoints, device attributes, and configuration objects. This is especially useful for integration with network management systems, MDM platforms, or custom automation tools. Follow these steps to get started with the Configuration API.

  1. Enable API Access on ClearPass:
    • Log into the ClearPass Policy Manager as an admin.
    • Navigate to Administration > API Services > API Clients.
    • Click Add to create a new API client that will authenticate third-party tools.
    • Set required fields like Client ID, Secret, and choose desired Grant Type.
    • For automation use cases, the client_credentials or password grant type is common.
  2. Assign Proper Access Roles:
    • Navigate to Administration > Operator Logins > Profiles.
    • Create or modify a profile with access to Configuration API endpoints (e.g., Read All Endpoints, Modify Configuration).
    • Apply this profile to the user or API client account.
  3. Obtain an Access Token (OAuth2):

    Use a tool such as curl or Postman to authenticate and retrieve a token:

    curl -X POST "https://clearpass.example.com/api/oauth" \
  -H "Content-Type: application/json" \
  -d '{"grant_type": "password", "username": "apiadmin", "password": "your_password", "client_id": "config_api"}' \
  -k -v

    The response will return a token you will use in subsequent API calls.

  4. Use the Token in an API Call:

    Here’s an example for retrieving endpoints:

    curl -X GET "https://clearpass.example.com/api/v1/endpoint" \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -k

    This will return a JSON payload of all endpoint records visible to the API client.

  5. Perform Common Tasks via the API:
    • Create a new endpoint: POST to /api/v1/endpoint with JSON payload.
    • Update endpoint attributes: PUT to /api/v1/endpoint/{id}.
    • Delete an endpoint: DELETE to /api/v1/endpoint/{id}.
    • Create user accounts: POST to /api/v1/local-user.
  6. Use API Explorer for Reference and Testing:
    • Log in to the built-in API Explorer from https://clearpass.example.com/api-docs.
    • Browse available endpoints, try sample queries, and verify responses in real-time.
  7. Logging and Monitoring:
    • Enable logging for API calls under Administration > Server Manager > Logging.
    • Monitor API usage to ensure compliance with rate-limits and detect unauthorized access attempts.

Tip: Always use HTTPS, restrict API usage with role-based access controls, and rotate client secrets regularly as a security best practice.

Troubleshooting & Best Practices

Effective troubleshooting and adherence to best practices play a critical role in maintaining a stable and secure Aruba ClearPass deployment. The following steps guide you through recommended techniques and proactive strategies for diagnosing issues and optimizing system performance.

  1. Check the Access Tracker:
    • Navigate to Monitoring > Live Monitoring > Access Tracker.
    • Use this tool to trace real-time authentication attempts, enforcement results, and policy actions.
    • Drill into individual request entries to view timestamps, service matches, and role assignments.
  2. Enable and Review Debug Logs:
    • Go to Administration > Server Manager > Server Configuration.
    • Select a server, then open the Service Control tab to enable detailed logging for services like TACACS+, RADIUS, and Audit.
    • Logs are accessible via the Logging section and downloadable for external analysis.
  3. Verify Certificate and Trust Settings:
    • Expired or misconfigured certificates often result in failed HTTPS or EAP authentications.
    • Navigate to Administration > Certificates > Server Certificate and Trust List to ensure validity.
    • Perform test authentication to validate SSL trust relationships.
  4. Monitor Cluster Synchronization:
    • In multi-node deployments, go to Administration > Server Manager > Cluster Wide Parameters.
    • Ensure all nodes show healthy status, synchronized time, and consistent configuration versions.
  5. Common Issues and Resolutions:
    • No Policy Match: Confirm the client request matches the correct service based on protocol, SSID, or network device.
    • Role Mapping Failure: Check authentication source conditions and attribute mappings within the role mapping policy.
    • Username Not Found: Verify external identity sources like Active Directory or LDAP are reachable and properly configured.
  6. Routine Maintenance Best Practices:
    • Backup Your Configuration: Schedule regular configuration backups to be stored off-device for disaster recovery.
    • Update Software and Extensions: Keep the ClearPass OS, plugins, extensions, and dictionaries updated for security and feature enhancements.
    • Use Named Operator Profiles: Avoid using default admin credentials. Assign RBAC roles to control access by task or department.
  7. Security Hardening Tips:
    • Disable unused services (e.g., SSH, HTTP) on cluster nodes unless required.
    • Enforce TLS 1.2 or higher across all services integrated with ClearPass (e.g., APIs, Radius).
    • Limit API client access to specific configurations using scoped operator profiles.
  8. Performance Optimization:
    • Use the Insight database rotation policies to archive or truncate historical logs and reduce CPU load.
    • Distribute services like Captive Portal, TACACS+, or Radius across different nodes in a cluster for better throughput.

Tip: Always document your configuration changes, upgrade paths, and integration details. This ensures a clear operational history and accelerated troubleshooting in future incidents.

Conclusion

Throughout this blog post, we've explored Aruba ClearPass from multiple angles—diving into its architecture, configuration, extensibility, and powerful security features. Here's a quick recap of the key takeaways:

  • Cluster and Extension Considerations: Understanding how ClearPass handles clusters ensures high availability and consistent extension behavior. Manual extension installation across nodes and thoughtful sync scheduling are key to maintaining stability.
  • Integration Details (API & External Services): ClearPass can be tightly integrated with external systems via its rich API interface, enabling dynamic role assignments and policy enforcement based on real-time identity context from sources like Active Directory, SQL, and REST APIs.
  • Certificate Management: Managing server and trust certificates properly is critical for secure VPN access, EAP authentication, and captive portal functionality. SANs, trusted anchors, and service bindings should always be aligned.
  • Enforcement Profile Setup: Creating well-defined enforcement profiles and policies allows for granular access control based on device posture, user identity, and context—ensuring the right level of access is granted to the right endpoint.
  • Captive Portal & Visitor WLAN: Guest onboarding is easy with ClearPass’ self-registration portals, captive portal support, and role-based enforcement, empowering secure and user-friendly visitor experiences.
  • Configuration API Usage: The ClearPass Configuration API opens the door for deep automation. Whether you're provisioning endpoints or updating attributes from an MDM tool, the API greatly enhances operational efficiency.
  • Troubleshooting & Best Practices: ClearPass provides excellent tools for live monitoring, access tracking, and log inspection. With regular audits, software updates, RBAC implementation, and system backups, you can ensure that your NAC environment remains resilient, secure, and performant.

Whether you're just starting with ClearPass or scaling a global deployment, the power of this platform lies in the flexibility it provides to meet diverse identity and access challenges. Combine it with good design practices and a proactive operations approach, and you'll be well on your way to delivering a secure network access solution that's built for scale.

Thanks for following along—and happy securing! Be sure to check out future posts where we’ll cover deeper integrations, real-time scripting with ClearPass Extensions, and automation strategies using Ansible and APIs.

Share Share Share Share Share Email