Simple, Comprehensive Network Access Control with Aruba ClearPass and Juniper Networks

Aruba ClearPass is a best-of-breed network access control platform built around open standards, with multi-vendor interoperability a primary design element. And, when paired with a Juniper Networks access layer? The power and flexibility is industry-leading. Juniper EX-series switches have several advantages over other vendors, such as device configuration simplicity, full user accounting, real-time threat detection, intercept and redirection, and a strong, growing partnership between Aruba and Juniper Networks.

Different equipment has different strengths for specific applications. In this scenario, we imagine a customer who requires very firm control of their access network. They need the following:

  •  Access to specific network resources controlled by role and user or device identity
  • Remediation networks so that workstations may be repaired before joining the corporate network
  • Full visibility into user- and machine-based authentication and login activities anywhere on the network
  • Simple, repeatable configuration across many access network devices, such as switches
  • Real-time detection and remediation of threats

The last two items are where Juniper EX-series switches shine. They make use of industry-standard authentication tools such as 802.1x and RADIUS Change of Authorization, giving them the ability to change port configuration in real time, programmatically, as any authorized, standards-compliant external system commands. For ClearPass access control, this means the included health monitor can cause immediate remediation and redirection on the network access equipment, thus protecting critical data and resources the moment a threat is detected. Switches lacking this feature require an authentication interval before access can be programmatically revoked. Depending on configuration, this is typically at least several hours, and sometimes a day or longer.

In today’s fast-paced threat environment, this is risky.

Full RADIUS accounting support also means ClearPass knows where a user is logged in at any time, on any port, for how long, how much data has been transferred, and so on. This means one can simply query ClearPass and instantly see where and how the user is accessing from. For other vendors lacking this data, ClearPass can only show login attempts. This also means ClearPass cannot direct a network port to close or redirect, because it cannot know if the user is actively logged in at the time a threat is detected.

Does your access network support this level of intelligence?

Configuration management is also another strong point of the EX-series. Most importantly, all the intelligence for a port configuration can be stored in ClearPass, meaning the individual switches need not be hand-configured for every user move, add, removal, etc. Further, EX-series switches share the Junos operating system with other enterprise- and carrier-grade hardware, and this extends down to configuration management. Junos supports templating and cloning and has since its inception. In ideal environments, the only thing that need be configured is the switch’s management identity. Everything else—including trunking uplinks, spanning tree, access profiles and more—can be configured with a single template and enforced and operated programmatically, be it on device, via SSH or NETCONF, or a management platform such as Junos Space.

Does your organization have a complex and highly dynamic access network? Would you like to gain control and visibility into who is connecting, where, when, how, and what they are doing? Would you like to ensure all connected entities are properly remediated, in real time and as threats are detected? And would you like to ensure they have access only to the network resources they need?

Aruba ClearPass provides the solution, and Juniper EX-series switches can enable the full capability with a programmatic, consistent, standards-based and adaptive platform.

Share this: