CLEARPASS CONVERSATION GUIDE

Purpose: This document is designed to help you steer customer discussions with respect to the ClearPass solution. It will be useful as an initial conversation starter or after positioning Aruba/MOVE to begin discussing ClearPass.

Goal: By following this guide, you will step through a series of solution-based qualifying questions to arrive at the specific ClearPass features on which to focus.

How to use: Start on page 2 by posing the high-level questions shown in the dark blue text boxes. If the customer responds positively, proceed to the second-level questions shown in the gray arrows attached to each blue text box. Once you have posed those questions, proceed to the appropriate flow chart:
BYOD (page 3)
AAA (page 5)
NAC (page 6)
Guest (page 7)
On page 4, you will also notice a chart entitled BYOD. Use this when a customer states that they do not have a BYOD initiative. On the final page is a chart with key features, benefits, and sizing tips for each of the products.

Do you have a BYOD initiative? Go to BYOD chart
How do users authenticate for network access? Go to AAA chart
Are you looking to deploy NAC or replace an old NAC system? Go to NAC chart
Do guests/visitors require network access? Go to Guest chart

BYOD
What are your decision criteria for device access?
Known (identified or Company owned) vs. Unknown (Unidentified or Personally owned)
1. Position CPPM + profiling for device-based, differentiated access or CPPM with basic MAC authentication.
2. Position CPPM + Onboard for benefits listed below.
Access will be granted by device type (laptops have full access while tablets are restricted)
Position CPPM + Onboard for automated device configuration/provisioning and detailed device information for policy.
Describe the different types/classes of users & devices in your environment. (For user handling, refer to AAA chart)
Is network security a driver for your BYOD initiative?
Position Aruba's strengths as an enterprise-wide, policy-based security platform
Device-specific security options are important, especially password, remote wipe, jailbroken devices
Onboard + CPPM provides device revocation & iOS password options. Today, we do not have other MDM functions.
Is your IT staff spending too much time configuring endpoint devices?
Present the benefits of Onboard with respect to automating the user workflow and configuring the device
Position CPPM and Onboard for automated device configuration/provisioning.

NO BYOD
Security concerns will dictate the need for deploying a policy-based approach. Go to BYOD and AAA charts.
Do you have security concerns? What are they?
Do you allow personally owned devices on your network?
Are you authenticating users?
If YES, go to AAA chart. If NO, pitch QuickConnect for auto-configuration if using 802.1X.
Denying access IS a policy. Describe how ClearPass can help today and in the future when a BYOD project is initiated.

AAA
Cisco ACS or Juniper Steel Belted RADIUS (SBR)
State that ACS 4.X and SBR are End of Life (EOL). Pitch benefits of CPPM and ACS trade-in program.
What AAA solution are you currently using?
Microsoft or FreeRADIUS
Position platform as not optimized for today's network security demands. Pitch benefits of CPPM.
Do you have a AAA/RADIUS solution in place today?
Do you authenticate your users today?
Using Active Directory
Pitch CPPM as full AAA/policy solution for extra security and policy flexibility to support differentiated access.
Pitch CPPM as full AAA/policy solution for extra security and policy flexibility to support differentiated access.
A RADIUS server is a required component in an 802.1X-enabled network. Pitch CPPM as full AAA/policy solution for extra security and policy flexibility to support differentiated access.
Are you planning to deploy 802.1X?
Position CPPM and captive portal for web-based user authentication.

NAC
Printers and other devices that do not support 802.1X or have users associated with them. (Goal to prevent MAC spoofing.)
Position CPPM + profiling for device-based, differentiated access or CPPM with basic MAC authentication.
Known (identified or Company owned)
Describe the different types/classes of devices in your environment.
Do you define NAC as device-based access control? Are you attempting to secure all wired ports?
Unknown
Position CPPM + profiling to auto-discover all devices on the network and provide visibility
BYOD
Go to BYOD conversation
Position CPPM + OnGuard for health checks via permanent or dissolvable agents.
Do you wish to perform health or posture checks on devices?
What types of devices (Windows, Linux, Mac) and what type of checks do you wish to support?
Highlight our support for the embedded Microsoft NAP agent for Windows platforms.

GUEST
Self registration
Position ClearPass Guest: fully automated guest registration and delivery of credentials via SMS, email, or print
Mostly day visitors that require internet access
Sponsor-based registration
Position ClearPass Guest: secure, sponsor-based approval workflow to ensure authorized, trackable access
What are your guest access management requirements?
Longer-term visitors (temporary workers or contractors) that are connected to a department or project
Position CPPM with local user accounts (or AD) and differentiated access based on identity and project
Large events with many people requiring internet access
Do you require customization of the captive portal?
Position ClearPass Guest and the customization service
Position ClearPass Guest and highlight the capability to import bulk visitor accounts and provide credentials pre-registration.

Product: Onboard
Key Features: Automatic configuration of endpoint for 802.1X and other parameters. Automatic provisioning of unique credentials and device registration.
Benefit: Reduction of IT effort to manually configure devices. Complete visibility of devices and associated users. Secure mgmt of device if lost/stolen.
Sizing: Total number of endpoint devices that will connect to portals

Product: Policy Manager
Key Features: Flexible, policy-based system to satisfy multiple use case scenarios. Increased visibility and correlation of user, device, authentication data.
Benefit: Reduced cost - Single platform to manage all network-based policy. Reduce IT time and effort to view collection of data points to solve issues faster.
Sizing: Total number of authenticating devices

Product: Policy Manager + profiling
Key Features: Automatic detection of all devices on the network. Detection and categorization of unmanageable devices. Device categorization and population of CPPM database.
Benefit: Reduce IT effort - Visibility to all network connected devices. Increase security - Prevent MAC spoofing and wired port hijacking. Enable BYOD by creating device-based policies.
Sizing: Total number of devices connected to the network

Product: OnGuard
Key Features: Health/posture checking of laptop and desktop devices. Compliance-based checking of devices for unacceptable applications or behavior.
Benefit: Reduce chances of virus and malware-based attacks. Reduce risk and network usage associated with unsecure or problematic applications.
Sizing: Total number of devices being health checked (Windows, Linux and Macintosh only)

Product: Guest
Key Features: Automated workflow for enabling guest access. Custom look-and-feel for different guest or sponsor portals.
Benefit: Reduction of IT staff (sponsors) time and effort to manually provision guests. Improved user experience.
Sizing: Total number of guests per day

www.arubanetworks.com 1344 Crossman Avenue. Sunnyvale, CA 94089 1-866-55-ARUBA Tel. +1 408.227.4500 Fax. +1 408.227.4550 info@arubanetworks.com © 2012 Aruba Networks, Inc.
Aruba Networks trademarks include AirWave, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System, Mobile Edge Architecture, People Move. Network Must Follow, RFProtect, and Green Island. All rights reserved. All other trademarks are the property of their respective owners. Guide_ClearPassConversation_06XX12