Aruba recently announced the release of ClearPass 6.11 and if you’re like most people, it probably didn’t attract much (if any) of your attention. However, this release has big implications for existing customers.
So, in the interests of brevity and a focus on what’s important:
- Aruba refers to ClearPass 6.11 as a Long Support Release (LSR), which means support for all previous releases will cease in December 2023. 6.11 will have a minimum 2-year active development cycle and will be supported until the next LSR after that.
- Among a host of relatively small changes, there is one big change - the underlying operating system will change from CentOS to Red Hat Enterprise Linux (RHEL) 8.x. This is being done as a platform for future development, but also to shift from traditional BIOS to the modern UEFI/EFI boot loading system to improve security.
- This OS change will require customers to follow a reinstallation or reprovisioning process to complete the upgrade.
In other words, you do need to upgrade to 6.11 to avoid losing support, but you can’t just perform a typical upgrade and move on. Extra effort will be needed to ensure all your existing infrastructure still works.
The big positive of this change though is confirmation of the longevity and future plans for ClearPass. There has been a bit of speculation around the role of ClearPass long term, but this pivot sets the platform up for the next evolution of ClearPass. What might that be? We have some hunches, but nothing we can share yet; however, we will be the first to let you know once things become clearer.
In the meantime, there are also a lot of other new features in this release, and it would be remiss of us not to mention them, but feel free to skip straight to the ‘what’s next’ section at the end.
- ClearPass now includes the hostname in the browser title, so when multiple tabs are open you can see which host each tab is connected to.
- Tables in many areas now freeze the top row, so the column headers stay visible while scrolling through longer tables.
- Access Tracker now keeps the row you opened highlighted after you move the mouse away, so you can see where you were.
- Both Enforcement Policies and Enforcement Profiles now allow you to re-order elements.
- Customers can once again work with larger Device Group sizes: the available sizes are now 20 (default), 100, 500, and 1,000.
Authorization with Azure Active Directory
- With any authentication method, customers can now configure ClearPass to use Azure Active Directory (AAD) as an authorization source. ClearPass uses the Microsoft Graph API to retrieve user group membership from AAD, supporting customers moving to the cloud without introducing new security risks.
- Support for IPv6 is now moving into its final stage. Stage four (4) begins in this release with IPv6 support in RadSec (all forms), Nmap profiling, and OnGuard.
- The "IPv6 Ready" and USGv6.1 certifications are also already being updated.
More REST APIs
- This release moves 8 of the most popular legacy APIs into REST and introduces Insight to the REST API space.
- To customers still using Legacy APIs – don't worry, we may not be enhancing them any longer, but we don't plan to remove them anytime soon!
- New features have been added to make it easier for admins to diagnose what may have happened, or to work faster with TAC if required.
- Custom Fingerprint Rule changes are now logged in Audit Viewer. Logs can now be downloaded for specific modules only. RADIUS reload times are now logged at the INFO log level. Disk I/O metrics and TACACS+ lookup/processing times are also logged.
- Graphite metrics are now also available from ClearPass for use with Grafana.
- OnGuard customers can now "pull" logs from clients when they next connect to the network, so admins do not need to always be online.
New Insight Reports
- New reports to help customers better track devices using MAC address randomization (also now noted as an attribute on Access Tracker entries).
- A new dashboard has been added to display the most frequent MAC addresses making OnGuard posture requests to help identify network problems by identifying increases in authentications from specific clients.
- Customers using EAP-TLS can generate reports now to identify the client versions in use, allowing them to weed out the TLSv1.0 and v1.1 systems on their network quickly.
- A new compliance report is available to identify the net change in core configuration over the day.
- Individual audit messages remain available as always, but the new compliance report will indicate whether the system has returned to its "gold standard" configuration when run.
- This release also adds REST API functionality to work with Insight reports!
Variables in DUR & dACL
- Customers have been asking to return variables (like vlan-name %) in DUR and dACL definitions but have not been able to do so outside of the IETF device definitions. Variables can now be returned in DUR and dACL definitions (subject to what the infrastructure NAD can accept).
- TACACS+ had been around for nearly 20 years before it finally moved from "the draft" to an actual RFC in late 2020. The RFC introduced a few changes that were implemented in earlier ClearPass releases; the remaining RFC compliance functionality is now available.
- Alongside the increased functionality, logging has been expanded so customers can better track the lookup and processing times for connections, making it easier to troubleshoot when needed.
TLS Session Cache for EAP authentication
- When enabled, changes in ClearPass that normally trigger all systems to re-auth in the background no longer require full authentication to occur. Instead, the system will use the cached information to validate against. This is especially useful in EAP-GTC environments where frequent changes would cause end users to re-enter MFA token passcodes frequently.
CAPPORT (RFC 8908) Support
- RFC 8908 allows the presence of the captive portal to be sent in the DHCP response (or RA or DHCPv6) to notify Android (v11+) and Apple (iOS 14+, macOS Big Sur+) devices to open the real browser automatically and connect to the portal.
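As an added illustration (not ClearPass code), the DHCPv4 option that carries the CAPPORT API URI is option 114 (RFC 8910, the companion to the RFC 8908 API); the snippet below builds and parses that option and checks that the advertised URI uses HTTPS, as RFC 8908 requires for the API, and points at the expected portal host. The host pinning and all sample values are constructed assumptions for the example.

```python
"""Build and parse the DHCPv4 Captive-Portal option (code 114, RFC 8910),
which tells CAPPORT-aware clients (Android 11+, iOS 14+, macOS Big Sur+)
where the RFC 8908 API lives. Added example; values are constructed."""
from typing import Dict, Optional
from urllib.parse import urlsplit

OPTION_CAPTIVE_PORTAL = 114  # RFC 8910 DHCPv4 "Captive-Portal" option code
OPTION_PAD = 0
OPTION_END = 255


def build_captive_portal_option(api_uri: str) -> bytes:
    """Encode option 114 as code, length, URI bytes (DHCPv4 TLV form)."""
    data = api_uri.encode("ascii")
    if len(data) > 255:
        raise ValueError("DHCPv4 option payload is limited to 255 bytes")
    return bytes([OPTION_CAPTIVE_PORTAL, len(data)]) + data


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Walk a DHCPv4 options field (code, length, value) up to the END marker."""
    parsed: Dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:  # single-byte padding, no length field
            i += 1
            continue
        length = options[i + 1]
        parsed[code] = options[i + 2 : i + 2 + length]
        i += 2 + length
    return parsed


def captive_portal_uri(options: bytes, expected_host: str) -> Optional[str]:
    """Return the CAPPORT API URI only if it is HTTPS and on the expected host.

    RFC 8908 serves the API over HTTPS; pinning the host is an extra local
    check (assumption) so a rogue DHCP server's portal URI is not accepted."""
    raw = parse_dhcp_options(options).get(OPTION_CAPTIVE_PORTAL)
    if raw is None:
        return None  # no captive portal advertised
    uri = raw.decode("ascii")
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.hostname != expected_host:
        return None
    return uri


# Constructed sample option fields: a legitimate advertisement and a rogue one.
GOOD_OPTIONS = build_captive_portal_option("https://portal.example.net/captive/api") + bytes([OPTION_END])
ROGUE_OPTIONS = build_captive_portal_option("http://evil.example.org/api") + bytes([OPTION_END])
```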
MAC Address Linkage to Central or COP Clients page
- A popular feature with AirWave customers has always been the ability to open a system's MAC address from the Access Tracker in another tab on AirWave. With more customers migrating to Central or Central On-Premises, the same functionality is now available there: when linked, the MAC address on an Access Tracker record can directly open the same client information in Central/COP.
Beta Support for MACsec
- ClearPass now includes support for MACsec (802.1AE) functionality. It is currently only validated with Aruba switches (AOS-CX) but will be fully supported in the future as additional testing is completed.
Onboard Certificate Mutual TLS Authentication
- Support for mTLS is part of EST but was not included when ClearPass first added EST. The system is now updated to support mTLS when enrolling (or updating) certificates for devices such as AOS-CX switches.
- In addition to the expanded IPv6 support, OnGuard now supports grace periods for all health categories, more than one (1) AV client check, certificate-based authentication on macOS and Linux clients, and SHA2 (256 and 512) file hash checks.
- Client logs can now be collected without the client and administrator needing to be online at the same time. Administrators can instruct the client to upload OnGuard logs to a remote server when it next connects to the network, without being present to trigger the collection.
Getting Upgrade Help
Ultimately, the key message you need to take away from this post is that you need to start planning your ClearPass upgrade now. We’ve already performed a number of these upgrades and can advise you on the best way to perform this upgrade with the least impact on your environment. Talk to your Account Manager or contact us on 1300 850 400 to discuss the next steps.