
Central NAC - TechDocs - NAC

HPE Aruba Networking Central offers a cloud-based Network Access Control (NAC) service that simplifies secure access for remote and hybrid workers by providing consistent security controls and visibility over network infrastructure. The system allows seamless onboarding of devices through cloud identity integration, enabling automated security and management at scale. Central NAC supports various operating systems and utilizes 802.1X and MAC-based authentication methods to enhance network security and user experience.

Uploaded by

nileshkahar


Central NAC
1: Central NAC Intro
2: Central NAC Onboard

1 - Central NAC Intro


Introduction to HPE Aruba Networking’s authentication service on HPE Aruba
Networking Central

Central NAC
Company dynamics have changed in the past few years, welcoming an unprecedented volume of
remote workers, as well as those working in hybrid environments. However, unreliable network
access and new security concerns can disrupt business and cause help desk calls to soar.

Applying consistent security controls and ensuring users have seamless access to apps and data
in the office, at home, and on the go is a critical mandate. HPE Aruba Networking Central
simplifies this process for IT with Cloud Auth cloud-based Network Access Control (NAC),
extending its ability to deliver a single point of visibility and control over all network infrastructure
and related security services.

Featuring an easy-to-use interface and dashboard, HPE Aruba Networking Central makes it easy
to onboard new clients, as well as to monitor and troubleshoot issues that prevent users from
connecting to the network. End users are authenticated and provided authorizations for
appropriate network access through fine-grained policies as configured by the administrator in
HPE Aruba Networking Central.

With privacy concerns rising, HPE Aruba Networking Central leverages 802.1X for onboarding
corporate devices and MAC-based authentication for non-802.1X devices. These authentication
methods, coupled with AI-based Client Insights, capture and profile all devices on the network for
enhanced visibility and security.

Cloud identity
Cloud Auth on HPE Aruba Networking Central enables end users to connect to wired and wireless
networks securely and automatically. The cloud-native security service integrates with a
company’s existing cloud identity store such as Google Workspace or Azure Active Directory to
authenticate the user’s information and assign them the right level of network access.

Automated security at scale from Edge to Cloud


Cloud Auth is an integral part of HPE Aruba Networking Central NetConductor, which streamlines
the adoption of identity-based access and simplifies IT operations by delivering advanced, cloud-
native configuration, management, and security services, including intent-based policy automation
and orchestration, and AI-based discovery and profiling of all connected clients.

Central NAC Architecture

Central NAC is built to scale and handles billions of authentication requests per week.

INFO

Here are some of the per tenant scale limits that exist in Central NAC:

Users = 300,000 users in the IdP (Microsoft Entra ID / Okta / Google Workspace)

MAB = 100,000 defined MAC addresses

MPSK = 5,000 in Foundation license


2 - Central NAC Onboard
Onboard provides seamless cloud-based onboarding and secure role-based
policy for users and devices

End-user device Onboarding


Employee devices can easily be configured for seamless connection to wired and wireless
networks. Managed through HPE Aruba Networking Central, end users are authenticated through
the company’s cloud identity store with an enrollment link provided on HPE Aruba Networking
Central. Using company credentials to log in, the user will be redirected to the identity store for
authentication.

Client devices can be configured using HPE Aruba Networking Onboard, a client app that installs
an Enterprise Passpoint Profile on the client device. With the Enterprise Passpoint Profile,
anytime the user walks into range of the network, the client device will automatically connect with
the appropriate network access rules as configured by the admin through HPE Aruba Networking
Central.

HPE Aruba Networking Onboard provides automatic renewals, requiring no additional onboarding
steps and upkeep from the end user, while allowing the admin to change and update policies at
any time. It is supported on macOS, Windows, iOS, and Android operating systems.

The HPE Aruba Networking Onboard client app provides a seamless way for end users to
connect to corporate networks.
Onboarding workflow
Central NAC policies in Aruba Central define a set of rules and authorize users and devices to
access networks. Users can authenticate through cloud identity providers like Microsoft Entra ID
or Google Workspace, and download network profiles to access the enterprise wireless network. After
the network profiles are downloaded, devices can connect automatically to the enterprise
wireless network.

The following workflow shows the steps required to connect wireless devices to the network using
Central NAC.

Onboarding Workflow
Onboarding starts from a provisioning page which takes end users to a login page associated
with the identity source configured in Central NAC. There are several different ways to distribute
the onboarding URL, depending on the environment. Using QR codes is one easy and user-
friendly way if the goal is to onboard smartphones and similar devices that can scan a QR code. If
you have a guest network with a captive portal page, the onboarding URL can be embedded in
the captive portal page as well. You could also add the onboarding URL to an FAQ page on your
organization’s internal portal.

INFO

The following operating systems support both browser-based onboarding and app-based
onboarding:

Windows 10 version 1803 or later versions


Windows Server 2016 or later versions (supports only app-based onboarding)
Android 9 or later versions
macOS 10.13 or later versions
iOS 12.1 or later versions

WARNING
The iOS 15.0 and iOS 15.1 versions are not supported because of a bug in iOS. The iOS
15.2 version is supported.

Prerequisites for Onboarding


Ensure that you have the onboarding URL shared by the network administrator. The
onboarding URL is used to connect your device to the wireless network using Central NAC. You
should also obtain your Microsoft Entra ID or Google Workspace credentials from your
network administrator to authenticate using the URL.

On Windows devices, ensure that the Wi-Fi adapter is enabled to install the network profiles
and connect to the network.

Ensure that the Hotspot 2.0 or Passpoint feature is enabled on your Android device.

TIP

To enable the settings on Android devices, go to Settings > Connections > Wi-Fi > Advanced
> Passpoint or Hotspot 2.0. The location of the Hotspot 2.0 or Passpoint settings may differ
slightly among devices.

For a better UI rendering experience on laptop devices, ensure the screen resolution is
1920x1080 (Full HD/1080p).

Aruba Onboard Sample Videos

iPhone Onboarding (video, 1:41)
iPad Onboarding (video, 1:13)
Android Onboarding (video, 1:40)
Windows 11 Onboarding (video, 2:25)
Chromebook Onboarding (video, 2:30)

Onboarding FAQs
Q: How does certificate renewal work with the Aruba Onboard App?

A: The Onboard App notifies the user when a certificate is about to expire and prompts the user to
renew the certificate. The expiration notification is triggered when the certificate reaches 80% of its
lifetime.
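
For an administrator auditing onboarded devices, the 80% rule above can be applied to the validity dates of an exported client certificate. The following is an added example, not HPE's code: it assumes the dates were obtained with `openssl x509 -noout -dates`, and the state names (`ok`, `renewal-due`, and so on) and the sample certificate are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

RENEWAL_PERCENT = 80  # from the FAQ: notification at 80% of certificate lifetime


def parse_openssl_dates(text):
    """Extract notBefore/notAfter (epoch seconds) from `openssl x509 -noout -dates` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # Parses the "Jan  1 00:00:00 2025 GMT" form that openssl prints.
            fields[key] = ssl.cert_time_to_seconds(value)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    if fields["notAfter"] <= fields["notBefore"]:
        raise ValueError("notAfter must be later than notBefore")
    return fields["notBefore"], fields["notAfter"]


def renewal_status(dates_text, now):
    """Return (state, renewal_point) for a certificate; `now` is an aware datetime."""
    not_before, not_after = parse_openssl_dates(dates_text)
    # Integer arithmetic avoids float rounding at the threshold boundary.
    renew_at = not_before + (not_after - not_before) * RENEWAL_PERCENT // 100
    t = now.timestamp()
    if t >= not_after:
        state = "expired"          # renewal window was missed
    elif t >= renew_at:
        state = "renewal-due"      # user should already have been prompted
    elif t < not_before:
        state = "not-yet-valid"    # usually a clock problem on the device
    else:
        state = "ok"
    return state, datetime.fromtimestamp(renew_at, tz=timezone.utc)


# Constructed sample: a certificate valid for exactly 100 days.
SAMPLE = "notBefore=Jan  1 00:00:00 2025 GMT\nnotAfter=Apr 11 00:00:00 2025 GMT\n"

if __name__ == "__main__":
    for day in ("2025-03-01", "2025-03-25", "2025-04-12"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, renewal_status(SAMPLE, now))
```

A device that reports `expired` missed the renewal window, for example because it stayed offline past 100% of the certificate lifetime.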

Q: What happens when the client changes their password on the cloud-based identity
provider after onboarding and installing the network profile? Do the clients have to repeat
the onboarding process and install a new network profile?

A: There is no impact on the onboarded device even if the user changes their Entra ID password.
Once the profile is installed, the certificate within the profile is used for authentication. The device
will still be able to connect to the SSID mentioned in the network profile using the certificate. It can
also do a profile refresh successfully. Only if the user deletes the profile will they need to use
the new Entra ID password to log in to the onboarding page and download the network
profile.

Q: Cloud Identity Provider API limits - what happens if a customer hits API limits?

Q: Aruba Onboard app behavior for a USB Ethernet dongle plugged into a wired port. What is
the expected behavior for the USB dongle?

Q: What certificates does Central NAC use?

A: Every Central NAC account or tenant comes with unique root and intermediate (signing)
certificate authority certificates, which are used to issue certificates to onboarded devices. This is a
private CA that is managed automatically by Central NAC.

Q: How to renew client certificates. Is the update only possible if the device is not in
shutdown or deep sleep mode at the moment of the update?

Q: Private Root CA expiration - Is the client certificate automatically renewed when the
private root CA expires?

A: The private CA would be renewed automatically prior to the expiration. This ensures that the
client certificates will continue to work without having to renew.

Q: Central Upgrade. Does Central NAC authentication become unavailable while Central is
upgrading?

A: Central NAC would continue to authenticate users even if Aruba Central is down or undergoing
maintenance.

Q: If the identity source is out of service, can clients continue to authenticate?

A: Onboarding new devices requires authentication against the identity source and hence would
not be possible. Existing devices that already have a profile installed will be able to authenticate
successfully. If any changes were made to the group membership of the user, those changes
would only be read by Central NAC once the service is restored, so authorization would use the
last known group memberships.

Q: How long does the certificate renewal take?
