Aruba ClearPass Technology Expert

Core Expertise

ClearPass Policy Model

ClearPass uses a Service-based policy model. Each Service represents a distinct authentication/authorization use case.

Service components:

Service
  ├── Service Rules  -- When does this service apply? (NAS type, RADIUS attribute conditions)
  ├── Authentication
  │     ├── Methods  -- EAP-TLS, PEAP, EAP-FAST, PAP, MAC-AUTH
  │     └── Sources  -- AD, LDAP, SQL, HTTP, Static list
  ├── Authorization
  │     └── Sources  -- Additional attributes from AD, LDAP, Endpoint DB
  ├── Role Mapping
  │     └── Rules    -- Map attributes to ClearPass roles
  └── Enforcement
        └── Profiles -- What to return (VLAN, ACL, attributes) based on role

802.1X Service Configuration

Example: Corporate Wired 802.1X Service

Service: Corporate_Wired_Dot1x
  Service Rules:
    RADIUS:NAS-Port-Type EQUALS Ethernet
    
  Authentication:
    Methods: [EAP-TLS], [PEAP], [EAP-FAST]
    Sources: [Active Directory]
    
  Authorization Sources:
    Source: [Active Directory]
    Filter: sAMAccountName = %{Authentication:Username}
    Attributes: memberOf, department, title
    
  Role Mapping:
    Rule: IF AD:memberOf CONTAINS "Domain Computers" THEN role = Corp_Computer
    Rule: IF AD:memberOf CONTAINS "Domain Users" THEN role = Corp_User
    Rule: IF EndpointStatus = "Registered" THEN role = Registered_Device
    Default: Unknown_Device
    
  Enforcement Profiles:
    IF [Corp_Computer] AND [Posture:Healthy]:
      VLAN = 100 (Corporate)
      Aruba-User-Role = Employee
    IF [Corp_Computer] AND [Posture:Quarantine]:
      VLAN = 200 (Remediation)
      Aruba-User-Role = Quarantine
    IF [Unknown_Device]:
      VLAN = 300 (Registration)
      Aruba-User-Role = Guest
    Default: Deny-Access

Device Profiling and Fingerprinting

ClearPass profiles devices using a combination of probes:

Profiling methods:

Endpoint profile database:

• Stores all profiled devices in ClearPass Endpoint Repository
• Each endpoint has attributes: IP, MAC, hostname, OS family, device category
• Profiles updated dynamically as new probe data arrives
• Manual override available for specific devices

Custom profiling rules:

Endpoint Classification Rule:
  Name: Custom_IoT_Sensor
  
  Conditions:
    DHCP:option55 CONTAINS "01,03,06,12,15"  (specific option order)
    AND MAC:OUI EQUALS "00:1A:2B"             (vendor OUI)
  
  Device Fingerprint:
    Category: IoT
    Family: Industrial Sensor
    Name: CustomSensor v1.0
    
  Certainty: 50

OnGuard Posture Assessment

OnGuard is ClearPass's posture agent that validates endpoint health:

OnGuard deployment modes:

• Persistent agent -- Installed as a service; always running
• Dissolvable agent -- Downloaded at connect time via browser; runs once; deletes itself
• Web-based -- Lightweight check via browser extension

Health check classes:

OnGuard Posture Policy: Windows_Corporate

  Services:
    Class: AntiVirusStatus
      Vendor: CrowdStrike
      Product: Falcon
      Required: Running, Definition age < 3 days
      
  Services:
    Class: DiskEncryptionStatus
      Vendor: Microsoft
      Product: BitLocker
      Required: Enabled, Status = FullyEncrypted
      
  Operating System:
    Class: OperatingSystemRemediation
      OS: Windows 10, 11
      Required: Latest service pack
      
  Patch Management:
    Class: PatchManagement
      Vendor: Microsoft
      Product: Windows Update
      Required: Critical patches installed

ClearPass posture workflow:

1. Client authenticates (RADIUS/802.1X)
2. ClearPass returns restricted access (redirect URL to OnGuard portal)
3. Client downloads OnGuard agent (if dissolvable)
4. OnGuard scans endpoint, reports health to ClearPass
5. ClearPass updates posture attributes in the active session
6. RADIUS CoA sent to update authorization to full access or quarantine

Guest Access Configuration

ClearPass provides a flexible guest access system:

Guest portal types:

• Web Login -- Simple credential login page
• Self-Registration -- Guest creates own account with custom fields
• Sponsored -- Employee sponsor creates guest account via sponsor portal
• SMS/Email verification -- OTP sent to guest's phone/email for verification

Self-Registration Guest Flow:

1. Guest connects to Guest SSID
2. Any HTTP request redirected to ClearPass Guest portal
3. Guest fills in registration form (name, email, phone, reason)
4. ClearPass creates temporary account (duration: 8 hours, 1 day, etc.)
5. Optional: send credentials via email/SMS
6. Guest logs in with credentials
7. ClearPass authenticates guest account
8. Authorization: VLAN = Guest, ACL = Internet-Only
9. Session active for configured duration

Guest portal customization:

• Full HTML/CSS/JavaScript customization
• Company branding, logo, custom fields
• Terms of Use acceptance required
• Multi-language support
• NPS (Net Promoter Score) surveys on login/logout

TACACS+ Configuration

ClearPass provides TACACS+ for network device administration:

TACACS+ Service: Network_Device_Admin
  
  Service Rules:
    TACACS+:Service EQUALS shell
    
  Authentication:
    Sources: [Active Directory]
    
  Role Mapping:
    Rule: IF AD:memberOf CONTAINS "Network-Admins" THEN role = Full-Admin
    Rule: IF AD:memberOf CONTAINS "NOC-Operators" THEN role = Read-Only
    Default: Deny-Access
    
  Enforcement:
    IF [Full-Admin]:
      TACACS+ Shell Profile: privilege-level=15
      TACACS+ Command Authorization: permit all
      
    IF [Read-Only]:
      TACACS+ Shell Profile: privilege-level=1
      TACACS+ Command Authorization:
        permit: show .*
        deny: .*

ClearPass Insight

ClearPass Insight provides reporting and analytics on network access:

Key reports:

• Authentication attempts (successes/failures by user, device, location)
• Endpoint status (profiled devices, categories)
• OnGuard health check results
• Guest usage (registrations, active sessions)
• RADIUS/TACACS+ trends

Custom dashboards:

• Widget-based dashboard builder
• Real-time and historical data
• Export to PDF/CSV for compliance reporting

Integration with SIEM: ClearPass can send syslog to SIEM for authentication events:

Administration > External Servers > Syslog Targets
  Server: splunk.corp.local:514
  Format: Syslog (CEF or standard)
  Events: All authentication events

REST API

ClearPass exposes a comprehensive REST API for automation and integration:

Authentication:

# Get API token
curl -X POST "https://clearpass.corp.local/api/oauth" \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "client_credentials",
    "client_id": "your-client-id",
    "client_secret": "your-client-secret"
  }'

Common API operations:

# Get endpoint by MAC address
curl -X GET "https://clearpass.corp.local/api/endpoint?filter=%7B%22mac_address%22%3A%22AA:BB:CC:DD:EE:FF%22%7D" \
  -H "Authorization: Bearer YOUR_TOKEN"

# Create a guest account
curl -X POST "https://clearpass.corp.local/api/guest" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "visitor_john",
    "password": "TempPass1!",
    "attributes": {
      "name": "John Visitor",
      "email": "[email protected]",
      "expire_time": 86400
    }
  }'

# Disconnect/quarantine a session
curl -X POST "https://clearpass.corp.local/api/session-action" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "mac_address": "AA:BB:CC:DD:EE:FF",
    "action": "CoADisconnect"
  }'

# Assign endpoint to group
curl -X PATCH "https://clearpass.corp.local/api/endpoint/MAC:AABBCCDDEEFF" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"attributes": {"endpoint_status": "Known", "device_type": "Corporate Laptop"}}'

OnConnect (Agentless MAC Authentication)

OnConnect enforces network access for unmanaged devices (OT, IoT, printers) without requiring an agent:

How it works:

1. Device connects; switch sends RADIUS MAC-AUTH request
2. ClearPass checks Endpoint Database for known MAC
3. If known: assign appropriate policy
4. If unknown: assign default (registration VLAN or deny)
5. ClearPass profiles the unknown device via DHCP/SNMP
6. Once profiled: update endpoint record, trigger CoA to update access

OnConnect configuration:

Service: OnConnect_MAC_Auth
  Service Rules:
    RADIUS:Service-Type EQUALS Call-Check  (MAC-AUTH indicator)
    
  Authentication:
    Methods: [MAC-AUTH]
    Sources: [Endpoints Repository]
    
  Role Mapping:
    IF Endpoint:Status = "Known" AND Endpoint:Category = "Printer":
      Role = Printer_Device
    IF Endpoint:Status = "Known" AND Endpoint:Category = "IoT":
      Role = IoT_Device
    IF Endpoint:Status = "Unknown":
      Role = Unknown_Device
      
  Enforcement:
    Printer_Device: VLAN = Printers(50), ACL = Print_Only
    IoT_Device: VLAN = IoT(60), ACL = IoT_Limited
    Unknown_Device: VLAN = Registration(300)

Troubleshooting

Access Tracker

The primary troubleshooting tool in ClearPass is the Access Tracker:

Monitoring > Access Tracker
  - Real-time authentication events
  - Expand event to see:
    - Request (all RADIUS attributes received)
    - Authentication (which source, which method, result)
    - Role Mapping (which role was assigned and why)
    - Enforcement (which profile was applied, which attributes returned)
    - Error details (if authentication failed)

Common failures and diagnostics:

• "Authentication failed": Check Authentication Source configuration, verify credentials work
• "No service matched": Review service rules; ensure conditions match the incoming request
• "Role assignment: [Unknown Device]": Role mapping rules didn't match; check attribute values in Request tab

Cluster Health

Administration > Server Manager > Server Configuration
  - View cluster node status
  - Check replication status
  - View services running on each node

Common Pitfalls

1. Service rule overlap -- Multiple services matching the same request; ClearPass uses the first match (top to bottom). Review service ordering when unexpected service is being used.

2. Attribute case sensitivity -- ClearPass is case-sensitive for some attribute comparisons. An AD group named "Domain Admins" won't match a rule checking for "domain admins".

3. OnGuard agent compatibility -- OnGuard must match the ClearPass server version. Outdated OnGuard agents may fail posture checks. Update agents when upgrading ClearPass.

4. Guest portal HTTPS redirect -- Guest portals require valid HTTPS certificates. Self-signed certificates cause browser security warnings that many users cannot bypass, breaking guest access.

5. API rate limiting -- ClearPass API has rate limits. Third-party integrations that poll too frequently can hit limits. Use webhooks/subscriptions where available instead of polling.