Aruba ClearPass OnGuard and Meraki Integration


With the rising demand for BYOD on wireless networks, the security challenges associated with ensuring the identity of the end user are increasing. Aruba ClearPass is a Network Access Control (NAC) solution that works natively with 802.1x technology. 802.1x is an effective way to give the network greater security while consuming little bandwidth. ClearPass is capable of role mapping and VLAN assignment based on a per-device policy setup. This functions as a security/audit authentication augmentation for any network.

Wireless network security is especially difficult within the education market, where the number of users and the types of devices are diverse. An ideal security solution is one that enables a convenient, scalable deployment to multiple locations and integrates seamlessly with network devices.

Below is the basic concept of a ClearPass 802.1x workflow:

In one particular use case, the requirement was to enable BYOD while delivering best-practice security for a college campus environment. To achieve this, we integrated Meraki WiFi technology with Aruba ClearPass. SERRO achieved this setup by providing a solid security posture and deep device inspection using the ClearPass OnGuard agent.

OnGuard provides either a persistent or a dissolvable agent that can be used to perform advanced posture assessment and compliance checks of a device. The agent can perform a variety of posture checks on the end-user device before granting authentication, including verification, checking for organizational belonging via Active Directory (AD), verifying antivirus status and firewall setup, and checking for security package updates, among others. It is also possible to create a remediation page and perform some auto-remediation tasks using the OnGuard agent. OnGuard is supported on several different platforms, including Microsoft Windows (Vista+), Apple Mac OS 10.7+, and Linux RHEL4+, Ubuntu 12.x+, CentOS 4+, Fedora Core 5+, and SUSE 10.x+. Therefore, there are very few cases in a BYOD environment where a user could not utilize the agent properly.

The workflow we implemented for this environment is as follows:

1. A remote student tries to connect to the Meraki WiFi network on the campus.
2. Client is assigned initial role and given limited network access.
3. Client is presented with Captive Portal Login Page.
4. Controller forwards login information to ClearPass.
5. ClearPass verifies against SQL DB.
6. ClearPass sends a change of authorization (CoA) to disconnect the client and force it to reconnect.
7. Once authenticated, the user will have to download and run the dissolvable OnGuard agent.
8. The OnGuard agent will provide posture assessment and the computer will receive a Healthy Device token, after which it will be allowed to stay on the network.
9. All Unhealthy Devices will receive a message and will be disconnected from the network.
10. All Healthy Devices will be given their proper role mapping for network access.
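
Step 6 only works safely if the wireless side accepts disconnect messages from the real NAC server and nobody else. As an added example (not from the original post and not Aruba or Meraki code), the following Python code assumes the CoA is an RFC 5176 RADIUS Disconnect-Request and shows how its Request Authenticator is computed and then checked on the receiving side; the shared secret, user name, MAC address and session ID are constructed sample values.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40  # RFC 5176 packet code
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44  # RADIUS attribute types


def encode_attrs(attrs):
    """Encode (type, bytes) pairs as RADIUS TLVs; length covers the 2-byte header."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_disconnect_request(identifier, attrs, secret):
    """Return a Disconnect-Request with its Request Authenticator filled in."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    # Authenticator = MD5(code + id + length + 16 zero bytes + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_disconnect_request(packet, secret):
    """Receiver-side check: accept only a well-formed request made with our secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False  # wrong packet type, or truncated/padded datagram
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values (not from the original page).
SECRET = b"example-shared-secret"
ATTRS = [(USER_NAME, b"student01"),
         (CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"),
         (ACCT_SESSION_ID, b"sess-0001")]
PACKET = build_disconnect_request(7, ATTRS, SECRET)

if __name__ == "__main__":
    print("valid:", verify_disconnect_request(PACKET, SECRET))
    print("tampered:", verify_disconnect_request(PACKET[:-1] + b"2", SECRET))
    print("wrong secret:", verify_disconnect_request(PACKET, b"other"))
```

The authenticator proves knowledge of the shared secret but does not by itself stop a captured request from being replayed; RFC 5176 uses the Event-Timestamp attribute for that.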

Overall, the customer was pleased with the security posture check that SERRO implemented using Aruba ClearPass. The high availability (HA) features, as well as the publisher-subscriber setup, made rolling the solution out to multiple endpoints after the initial deployment extremely easy. One of the most important benefits was the ability to ensure that only healthy and compliant devices gained access to the network, while still maintaining an exceptional user experience. We found that Aruba ClearPass OnGuard is ideal for many customer-facing, service-oriented environments. SERRO's experience working with the Aruba ClearPass OnGuard NAC solution was a positive one; we look forward to implementing Aruba ClearPass OnGuard in more networks in the future.