Aruba ClearPass Reviews

Before ClearPass we were using the native captive-portal on our Wi-Fi controllers (Aruba) to authenticate users but this was causing httpd daemons to overload the CPU on the controllers. This situation created a denial of service condition on the Wi-Fi which was a major call driver for us.

Before ClearPass we were using the native captive-portal on our Wi-Fi controllers (Aruba) to authenticate users but this was causing httpd daemons to overload the CPU on the controllers. This situation created a denial of service condition on the Wi-Fi which was a major call driver for us.

Ability to drill down on items like “System CPU Utilization” or “Device Family” stats from the dashboard. As of right now you need to pick up to 5 items listed on the Dashboard but they seem to be static.

The interface is a little confusing as is setting up some of the options but this is partially due to the flexibility of the product. There are wizards available to create policy which is helpful. We’re primarily using it for RADIUS based AAA for 802.1x Wireless.

One and a half years primarily using the Policy Manager module, and one year using the Guest module. No Onboarding use as of yet.

MS AD integration was a bit of a problem at the beginning until our SE realized that the ClearPass servers need to be joined to the domain before AD lookups can be done.

I haven't experienced any issues.

I haven't experienced any issues.

Mixed – our current SE does not seem to have much knowledge about configuration of ClearPass and I have been referred to their “ClearPass Expert” on a couple of occasions but I have yet to speak to him/her. Aruba TAC has been able to help the few times I’ve called.

Our existing wireless infrastructure is Aruba so it made sense to use their solution for AAA. We did a trial with Win Server 2012 RADIUS and that worked as well, however it does not offer as many options as ClearPass does.

Initial setup was fairly straightforward following the “Start Here” wizard. Our only real “snag” was the Active Directory integration, but that was remedied by our SE.

The licensing model wasn’t explained terribly well to us so we vastly under-purchased. This has unfortunately caused us a bit of trouble over the last year. The licensing numbers are based on unique connected authenticating endpoints per day, averaged over 7 days. When we purchased the product we were under the impression that the licensed nodes were concurrent devices, of which we typically see 8000+ in the middle of the day. Our licensing ended up being 19000+ unique devices and we’ve had to put together a cluster of 4 Clearpass nodes to accommodate this.

The licensing model wasn't explained terribly well to us so we vastly under-purchased. This has unfortunately caused us a bit of trouble over the last year. The licensing numbers are based on unique connected authenticating endpoints per day, averaged over 7 days. When we purchased the product we were under the impression that the licensed nodes were concurrent devices, of which we typically see 8000+ in the middle of the day. Our licensing ended up being 19000+ unique devices and we’ve had to put together a cluster of 4 ClearPass nodes to accommodate this.

Tread carefully when estimating the number of unique device nodes for licensing. If using Active Directory for MSCHAPv2 authentication make sure that you add Clearpass to the Windows Domain.

There are many features of ClearPass that are worth mentioning -- mainly the extensive support of almost all networking protocols ‎and mobile platforms, the flexibility to integrate with other systems, the debugging and logging facilities, and finally the ability to fully customize web login and payment pages.

It has eliminated unauthorized access to the corporate network, hence minimizing the threat level.

If the UI is simplified and improved, bugs are minimized, and the support becomes more responsive, it would be perfect.

I've used it for two years.

There were major bugs that caused us to spend an extensive amount of time for recovering the configurations. Aruba has fixed it upon our request and provided details.

It's very good, but not excellent.

No, we did not.

It was extremely complex in our heterogeneous, scattered environment. To be able to deploy a NAC solution without ‎causing downtime is a tedious task.

It was a mixed team working together.

Sizing is very important as the licenses of Aruba ClearPass are quite expensive.

Use the DHCP options for a long time to profile all types of devices communicating on a network. ‎Keep ClearPass in monitoring mode and start blocking profiled devices in batch.

The most valuable feature for us it the granular, logic-based nesting of objects which gives highly customizable control over AAA for TACACS+ and RADIUS.

Device profiling for basic/intermediate NAC is also highly useful.

Providing granular control over which devices are permitted to join our corporate wireless network, as well as in-depth AAA (accounting, in particular) for TACACS+ sessions, is huge. We can refer back to these logs at any time, which are especially useful when we undergo organization-wide audits.

Having a global business presence, CPPM helps us to ensure all sites are compliant with a unified set of standards passed down from our corporate headquarters.

• I'd like to see greater ability to customize backups – locations, transfer protocols (SCP/SFTP, etc).
• Small tweaks like scroll bar distances within large Enforcement Policies. More customization for SNMP traps (types), a well as published MIB files so that we can utilize our network monitoring environment more heavily with polling specific aspects of CPPM.
• Hardware requirements for VM templates we use (CP-VA-5K) are, quite frankly, absurd (very high disk storage requirements).

I've used it for just over three years.

I don't recall any issues with deployment.

I don't recall any issues with stability.

I don't recall any issues with scalability.

Technical support was not all that great, actually. They are responsive, but oftentimes are VERY reluctant to initiate a screen-sharing session or give in-depth answers. URL links to knowledge-base articles are very typical for initial answers, which (1) slows resolution, and (2) increases frustration.

It seems, in general, that technical support is more interested in closing new cases than they are in actually solving the root issues. 90% of the questions I’ve had I’ve had solved (for free, mind you, without any maintenance fees) using Aruba’s Airheads online user-based forums.

The solution was implemented before I gained ownership of it. I'm not sure of the history behind it.

A local vendor was used.

Do your due-diligence in understanding how the product works before you deploy. CPPM (and many like it – Cisco ISE and ACS) are very complex in the way they are configured and operate.

If you can design the solution before implementation, you have a much better chance of scaling well, easily, and with little down-time as you grow the product throughout its life cycle in your organization.

• Open standards-based Networks Access Control, 802.1x
• Excellent API/third party integration module
• Radius server features
• Visibility reporting (see who accessed the network with which device, etc.)
• Onboarding solution for BYOD

• Security of wired and wireless network increased significantly without any complexity for our user community.
• Integration with existing tooling/databases improved efficiency and visibility.
• Less components to manage (we phased out MS NPS, Cisco ACS).
• Guest experience improved while "load" on IT lowered.

How the licenses-in-use counting works in educational environments could be improved.

Also, appliance sizing could be improved, as the gaps from 500 to 5,000 and from 5,000 to 250,000 is too large. There should be 2,500 and 10,000 appliances as well.

No issues with deployment.

No issues with stability.

No issues of scalability.

ClearPass offers a complete NAC solution including standard AAA functions with advanced policy enforcements for multi-vendor wired and wireless networks.

It has automated the bring-your-own-device process through the Onboard feature and posture health check validation through the OnGuard module, plus it has a robust and customized guest management experience.

I’ve designed and implemented ClearPass for several enterprises that were looking for a compete NAC and guest management solution. ClearPass was the best fit to address different client requirements and tailor the security access policy based on their needs.

Reporting module has room for improvement. It also need integration with SIEM solutions and Next Generation Firewalls.

We've used it for three years.

There are a few issues here and there but they're not worth mentioning.

It's very good.

It depends on the scenario, but if the use cases and prerequisites were defined correctly before the implementation then it will be easier to implement.

I started with an in-house implementation and consulted the vendor team when it’s required.

ClearPass has competitors, but it has kept its leadership position within the Magic Quadrant for the last three years.

I would advise you to at least include ClearPass in any PoC.

The most valuable feature is the OnGuard agent which performs posture assessments.

This product helps the organization to perform the NAC concept and check the health of computers before granting them access to the network.

Access Tracker section and ClearPass Insight have rooms of improvements.

For Access Tracker: it would be great if Aruba added more information in the Access Tracker section, such as an endpoint’s IP address, device category, name/description of network device, and SHL name, if any.

For ClearPass Insight: it currently has low limits and a lot of use cases couldn’t be applied by the customer which required customization by the Aruba TAC. This is the thing that consumes the most time and could lead to performance issues for ClearPass Insight.

We've used it for two years.

No issues encountered.

No issues encountered.

No issues encountered.

9/10

9/10

I didn’t use another solution.

When there are a lot of requirements, the initial setup will be complex, so it depends on the organization’s requirements.

It was through a vendor team, and I would advise anyone going to implement this solution to enable all features during the initial setup and try to get some reference from the vendor in order to contact them and ask them about their experience.

For licensing, it depends on the organization’s capacity.

I didn’t evaluate another solution.

I would advise you to get support directly from the vendor and not use the partner support.

Our company provides professional services and we implement the features based on the customer requirement. All the features in ClearPass are good and work the way they need to.

Based on our implementations for many customers, it seems that they're most interested in the OnGuard feature that checks the compliance of corporate laptops and which restricts network access for users who are not compliant with security policies.

The reporting feature in ClearPass has found devices that are non-compliant had has addressed issues during the initial implementation phase.

Our customers also often request the guest feature, which they find very useful.

The OnGuard agent requires some enhancements.

We've used it for the last three years.

It works best when you plan deployment according to device behavior while integrated in the network.

It's been generally stable.

It scales well in our customer network environments.

Our TAC is very responsive and very helpful. They are able to provide solutions for all the new requirements by creating customized SQL queries and configs.

I worked initially with Cisco ISE, but I didn't really get to know it well. My company currently provides ClearPass solutions only.

We plan deployments considering all the configuring that needs to be done on the other integrated devices. The setup always ends up smooth and straightforward.

You should test all the requirements during the PoC itself so that the planning and deployment will be smooth.

The most valuable feature is the guest on-boarding (BYOD provisioning, centralized access policies, posture assessment, etc.)

It has improved WiFi security and guest on-boarding to our networks.

It could be more vendor independent.

I've used it for one year.

I have had issues in regards to the stability.

The technical support is satisfactory. However, there is a room for improvement.

I did not use any other similar product.

The initial setup was quite complex because of the lack of detailed documentation.

I implemented it in-house. My advice is to first set up the pilot for a small environment and then go all out.