Are Network Access Control Solutions Worth It?

Almost every modern business wrestles with the dilemma of finding uncompromising protection for their always-on workforce without sacrificing accessibility, efficiency, and productivity. And it’s not going to get any easier.

Gartner predicts that there will be 70 billion connected devices in circulation by 2020. We all know that the IoT is changing the way that our world does business, but it’s also changing the way that hackers carry out their attacks.

How are you protecting your networks against cyber and IoT-based threats?

Paying for Security is Expensive. But It’s More Expensive Not To.

Network Access Control (NAC) solutions provide premium network security, and Aruba ClearPass offers the gold standard for visibility, control, and response.

That being said, we all know that quality security doesn’t come for free, and ClearPass network access control has a reputation for being a relatively expensive and time-consuming investment. This is primarily because ClearPass offers myriad options and security customizations that take experience and time to implement, which makes it technically challenging for in-house teams to establish optimal configurations by themselves.

However, when ClearPass is properly optimized to your environments, it becomes a powerful tool that boosts the health, efficiency, and security of your entire business. Is ClearPass worth the financial and time investments? Let’s see how it works, assess some of the benefits, and consider a use case.

A Network Access Control Solution with End-to-End Protection

Once optimized to your environments, Aruba ClearPass gives you complete visibility and effortless management to onboard new and unknown devices with all categories of access levels.

ClearPass has a lot to offer. And it starts by allowing your IT team to automate the onboarding process while still maintaining compliance with your security policies. For wired ports, there’s a built-in feature called ClearPass OnConnect that detects endpoints connected to wired switches (without AAA enforcement methods such as 802.1X or MAC Authentication). Then there’s ClearPass Onboard, which allows employees, contractors, and partners to safely configure their BYOD devices. ClearPass Onboard also provides device-specific certificates to eliminate the need for repeatedly entering credentials throughout the day. And as for visitors who need temporary network access, ClearPass Guest allows IT managers to grant temporary network access to unlimited guests every day, with MAC caching to streamline the guest portal (and once again save everyone the headache of inputting the same credentials over and over). Guest credentials can then be stored in ClearPass for a determined amount of time before they automatically expire.

The Connected Device Burden

How exactly does ClearPass secure your network when so many devices are connected around the clock? ClearPass applies a 3-step closed-loop approach to ironclad security:

  1. Identify
  2. Enforce
  3. Protect


If you can’t see what’s on your network, how can you secure it?

ClearPass allows you to see and assess all the devices that are connecting to your network—both wired and wireless—from a single hub. We’re not just talking smartphones and laptops, but even printers, faxes, automation systems, and surveillance cameras. ClearPass tells you how many devices are connected at any time, how they’ve been connected, and what operating systems they use. In an instant, you can identify any device’s type and model name, MAC address, IP address, NIC vendor, operating system and version number, and VLAN.


You can’t have an across-the-board policy for every type of device. There are too many exceptions.

Modern NAC policies must account for the unique uses and needs of each device, from company printers to personal smartphones. Once your IT team writes the rules of your security policy, ClearPass will use either encryption or a portal to enforce who can onboard a device, as well as the type and number of devices that a user can onboard. Once a device is granted access to your networks, ClearPass uses active and passive profiling methods to monitor activity and identify any potential threats.


Obviously, cyberattacks aren’t limited to weekday working hours.

Who’s keeping watch over your network activity at 3AM on a Sunday morning? Who will block traffic and remove a suspicious device’s connection after everyone has gone home for a long holiday weekend? This is where network access control solutions like ClearPass are truly invaluable. ClearPass’ dynamic policy controls protect your network with real-time threat remediation and can instantly steer threats to third-party mitigation systems.

ClearPass also performs health assessments before onboarding new devices in order to filter out any device that doesn’t comply with your company’s anti-virus, anti-spyware, and firewall policies. ClearPass OnGuard is yet another first-rate built-in feature that analyzes endpoints on wireless, wired, and VPN infrastructures. This tool determines whether USB storage devices are allowed, manages bridged network interfaces and disk encryption, and supervises peer-to-peer applications and registry keys.

Aruba ClearPass Partners with Palo Alto Networks

One of the most convenient features of ClearPass is how seamlessly it integrates with other IT partners to ensure:

  • End-to-end network visibility
  • Network policy enforcement
  • Next-generation firewall protection
  • Cloud-based management

A particularly successful use case that we have seen is integrating ClearPass with Palo Alto Networks’ Next-Generation Firewalls. This combined solution eliminates inefficient silos by connecting the endpoints to a single security platform. When ClearPass identifies a security threat on your network, it communicates the IP address to Palo Alto, which then traps and enforces the policy you’ve outlined for that device’s categorization. This applies to any device that accesses your network—both wired and wireless, online or offline. Palo Alto’s traps prevent cyberattacks via a multi-method approach that blocks malware (including ransomware) and prevents exploits from gaining access to your OS or application code—no matter which operating system you use, and whether the device is roaming or connected to your network.

ClearPass Implementation – Choices and Challenges

It’s not just about having the highest quality product; it’s also about implementing that product in the smartest way.

ClearPass’ comprehensive closed-loop approach offers many different features—each with a list of checkbox options and customizations. This is beneficial for your specific network needs, but may be a headache for an in-house IT team to optimize themselves. For full effectiveness, you may need to bring in a ClearPass-specific NAC expert to help you optimize all of the available features.

There’s no denying the financial, team resource, and time investment required to get your tailor-fit, comprehensive NAC system up and running. But once you discover (and implement) all of the options and benefits that ClearPass has to offer, the resources you spend on the front end will be well worth your security peace of mind into the future.

Looking to make smarter investments in your security? Learn more about ClearPass + IntroSpect to get the most out of your ClearPass implementation.
