Tuesday, 25 April 2017

Aruba ClearPass Extensions

Extensions are add-ons to ClearPass that run as independent services. They let ClearPass interact with internal or external applications in real time, so it can deliver services that the core product does not provide on its own.

Some examples of ClearPass Extensions

ClearPass Envoy Integration

Intel McAfee ePolicy Orchestrator Integration

Microsoft Intune MDM Integration

Amazon Alexa Integration

RadSec Proxy


Features of Extensions

- They allow ClearPass to interact with most applications that expose an API.

- You don't have to wait for the ClearPass software release cycle to integrate with a new third-party application.

- Data is fetched in real time rather than on a polling interval.

- Only the extensions you are interested in need to be installed.

- Each extension can be monitored, debugged and restarted on its own, without affecting ClearPass core functions.

- They can extend core modules such as RADIUS; with RadSec, for example, the extension acts as a bridge between the NAD devices and the RADIUS module.

Aruba Clarity Live and Synthetic Feature on Airwave


The power of being "all knowing"
Aruba Clarity gives you the ability to spot connectivity problems before they affect your Wi-Fi users. There are two ways to use it.

Live user monitoring: Get insight into real-time user connectivity, and configure thresholds and alerts so that problems with the non-RF factors (DHCP, DNS, authentication and similar) that affect your end users' Wi-Fi experience can be resolved proactively.

Synthetic testing: Simulate the user experience using an access point that acts as a client and runs the tests, even before any users are connected. This is useful for brand-new rollouts, or for scheduling regular tests as a best practice. On-demand tests can also be run as needed.

For more, see HPE Aruba AirWave.

Wednesday, 30 November 2016

Does disabling SSID broadcast help?


First, a look at Wi-Fi scanning and its two types.

Each 802.11 station periodically scans the RF channels in order to find a BSS to join. Scanning is critical when a station is first activated: after powering up, the station initiates a scan to find an initial BSS to join. As RF conditions change, the station periodically scans again and may reassociate with another BSS.

There are two forms of scanning: passive scanning and active scanning.

Passive Scanning

Passive scanning is the process by which a station listens on each channel (or set of channels) for a specific period of time, waiting for beacon management frames (beacons) that carry the SSID of the network the station is configured to join.

Beacons contain fixed fields and information elements that describe the BSS, which stations use to decide whether they may associate. Some vendors allow an access point to be configured to omit the SSID value from its beacons (the SSID element is sent with zero length or filled with null bytes), so that the access point does not "announce" its SSID to nearby stations.

Once the station detects beacons from one or more access points, it decides which access point to associate with using a vendor-proprietary algorithm, then negotiates a connection on that channel by going through the authentication and association processes. An advantage of passive scanning is that it does not require the transmission of any additional frames, which reduces overhead on the wireless medium and improves overall network throughput.

Active Scanning

Active scanning requires the station to transmit probe request frames indicating the SSID of the network it is configured to join. Access points within range that serve that SSID answer with probe response frames. Like passive scanning, this gives the station the information it needs to choose an access point. Alternatively, a station can send probe requests containing the broadcast (wildcard) SSID, a null value, which causes every access point within reach to respond.

Per the standard, an access point must reply to every probe request that carries either the broadcast SSID or an SSID matching its own. Vendors commonly deviate from this by offering a proprietary option that lets the network administrator suppress responses to broadcast-SSID probes; this feature is very common in today's access points and wireless LAN switches. In ad hoc (IBSS) networks, the station that generated the last beacon frame responds to probes. The advantage of active scanning is that it identifies candidate access points faster, which matters when a client is experiencing a rapid drop in received signal strength.

Disabling SSID broadcast:

- "Hide SSID" removes the SSID name from beacon frames, so a casual observer cannot read it from ordinary AP-to-client traffic.

- "Deny broadcast probe request" means the AP will not respond to the broadcast probe requests that clients send to discover which APs are around.

- Denying broadcast probe requests causes roaming problems with some clients.

- To associate with a hidden network, the client must specify the SSID it is connecting to, so the SSID appears in its directed probe requests and in its association request. The AP MUST include the SSID in its probe response as well. This is per the specification, and is another reason an SSID cannot be completely hidden.

That is the downside of disabling SSID broadcast: it costs roaming reliability and still does not keep the SSID secret.
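The leak described above, as an added example that is not part of the original post: a small pure-Python parser for 802.11 management frames that reads the SSID information element from beacon, probe-request, probe-response and association-request frames. The MAC addresses, the SSID "CorpWiFi" and the frame bytes are constructed here for the example; the frame layout (24-byte header, per-subtype fixed fields, then tagged elements) is the standard one. It shows the beacon's SSID element empty, then recovers the hidden name for the same BSSID from the probe response and the client's association request.

```python
"""Parse 802.11 management frames and show where a "hidden" SSID leaks."""

# Management-frame subtypes (IEEE 802.11 frame type 0)
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0x0, 0x4, 0x5, 0x8
SSID_IE = 0  # element ID of the SSID information element

# Bytes of fixed fields that precede the tagged elements, per subtype
FIXED_LEN = {
    BEACON: 12,      # timestamp(8) + beacon interval(2) + capability(2)
    PROBE_RESP: 12,  # same layout as a beacon
    PROBE_REQ: 0,    # elements start immediately after the header
    ASSOC_REQ: 4,    # capability(2) + listen interval(2)
}


def parse_mgmt(frame: bytes):
    """Return (subtype, sa, bssid, {element_id: payload}) for a
    management frame, or None if the frame is not a management frame."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:          # frame type must be 0 (management)
        return None
    subtype = (fc0 >> 4) & 0xF
    sa = frame[10:16].hex(':')         # addr2 = transmitter
    bssid = frame[16:22].hex(':')      # addr3 = BSSID in management frames
    body = frame[24 + FIXED_LEN.get(subtype, 0):]
    ies, i = {}, 0
    while i + 2 <= len(body):          # walk the tagged elements: id, len, data
        eid, elen = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + elen]
        i += 2 + elen
    return subtype, sa, bssid, ies


def ssid_of(frame: bytes):
    """SSID string, or None if the element is absent or hidden
    (zero length, or padded with NUL bytes as some vendors do)."""
    parsed = parse_mgmt(frame)
    if parsed is None or SSID_IE not in parsed[3]:
        return None
    raw = parsed[3][SSID_IE]
    if not raw.strip(b'\x00'):
        return None
    return raw.decode('utf-8', 'replace')


def recover_hidden_ssids(frames):
    """Map BSSID -> SSID for every BSS whose beacons hide the name but whose
    probe responses or association requests carry it in the clear."""
    hidden, named = set(), {}
    for f in frames:
        parsed = parse_mgmt(f)
        if parsed is None:
            continue
        subtype, _sa, bssid, _ies = parsed
        name = ssid_of(f)
        if subtype == BEACON and name is None:
            hidden.add(bssid)
        elif subtype in (PROBE_RESP, ASSOC_REQ) and name:
            named[bssid] = name
    return {b: named[b] for b in hidden if b in named}


# --- constructed sample capture (addresses and SSID are made up) ---------
AP = bytes.fromhex('001122334455')
STA = bytes.fromhex('66778899aabb')
BCAST = b'\xff' * 6


def _mgmt_frame(subtype, da, sa, bssid, ssid: bytes) -> bytes:
    """Build a minimal management frame carrying only an SSID element."""
    fc = bytes([subtype << 4, 0])           # version 0, type 0, given subtype
    hdr = fc + b'\x00\x00' + da + sa + bssid + b'\x00\x00'
    fixed = b'\x00' * FIXED_LEN[subtype]
    return hdr + fixed + bytes([SSID_IE, len(ssid)]) + ssid


SAMPLE = [
    _mgmt_frame(BEACON, BCAST, AP, AP, b''),            # "hidden": empty SSID element
    _mgmt_frame(PROBE_REQ, BCAST, STA, BCAST, b''),     # wildcard probe from a client
    _mgmt_frame(PROBE_RESP, STA, AP, AP, b'CorpWiFi'),  # AP must answer with the real SSID
    _mgmt_frame(ASSOC_REQ, AP, STA, AP, b'CorpWiFi'),   # client repeats it when joining
]

if __name__ == '__main__':
    for f in SAMPLE:
        print(parse_mgmt(f)[0], ssid_of(f))
    print(recover_hidden_ssids(SAMPLE))
```

On a real capture the same logic applies to frames read from a monitor-mode interface or a pcap: one beacon with an empty SSID element plus one probe response or association request from the same BSSID is enough to name the "hidden" network.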

Reference:

Why Non-broadcast Networks are not a Security Feature


Sunday, 27 November 2016

Wi-Fi Network Access for Currently Unconnected Things (IoT)



For objects that must send information across the network on an extremely low power budget, several short-range wireless communication protocols exist. In some cases these protocols are not IP-enabled, and the device must forward its data to an IP-enabled device such as a controller or gateway.

A short description of each protocol follows.


  1. 6LoWPAN arose from the need to include extremely low-powered devices with limited processing capability in the IoT, for example smart meters in a small network.

  2. Near field communication (NFC) is a standard for communication between things in very close proximity, usually within a few inches. For example, NFC is used at the point of sale between a tag and the reader.

  3. ZigBee is another 802.15.4-based protocol suite; it uses pairing between a specified source and destination. An example is a door sensor paired with a security system that sends an alert when the door is opened.

  4. Bluetooth is typically used between devices in close range, such as a smartphone connected to a Bluetooth headset, or a Bluetooth wireless keyboard connected to a computer.