New Features in the 6.12.0 Release
The following new features are introduced in the ClearPass Policy Manager 6.12.0 release.
The following new features are introduced in the CLI in the 6.12.0 release.
| * | A new CLI command, , lets administrators clear the Post-Authentication cache on a configurable daily or weekly schedule. The syntax and usage are as follows: (CP‑46662) |
Syntax:
system flush-postauth-cache [-s <status> -p <period> -d <day> -t <time>]
Where
| - | -s <status> = Specifies whether to enable or disable periodic cache flushing. Allowed values are , , or . If the command is entered, shows the current enabled or disabled status. If the command is entered, the following additional commands must also be entered. |
| - | -p <period> = If the flag is set to , specifies the interval at which the script to clear the cache will run. Allowed values are or . If is specified, the script is run every day and the -t <time> value must also be provided. If is specified, the script is run once a week and both the -d <day> and -t <time> values must be provided. |
| - | -d <day> = If the flag is set to , specifies the day of the week. Enter as three letters with initial letter uppercase (Mon, Tue, Wed,...). |
| - | -t <time> = Specifies time of day to run the script to clear the cache. Enter hour and minutes in 24-hour format. |
Example:
system flush-postauth-cache -s enable -p week -d Fri -t 21:05
| * | Support is now included in the CLI for disabling TLS v1.0 and TLS v1.1. Two new commands, and , allow administrators to easily verify and disable weak TLS versions through the CLI instead of through the API or UI. When the command is executed to modify the cluster-wide parameter setting, the event is included in the and all services are restarted. The command can only be executed on the publisher; it is then replicated to all the subscribers in the cluster. This command is not available in FIPS mode. (CP‑48132) |
The new TLS commands are as follows:
| - | This is the parent command. To show the list of commands related to TLS and cipher settings, enter by itself. |
| - | To display the current TLSv1.0 and TLSv1.1 system settings, enter the command. Available on the publisher and the subscribers. |
| - | Manages TLSv1.0 and TLSv1.1 support. To disable the specified TLS version or versions for all servers in the cluster, enter the command on the publisher along with the version and type options. Only available on the publisher. |
Syntax:
crypto disable-tls -v <version> [-t <type>]
Where
| - | -v <version> = Specifies TLS version. Allowed values are , , and . |
| - | -t <type> = Specifies traffic type. Allowed values are , , , and . The default value is . |
Example:
crypto disable-tls -v both -t All
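After weak TLS versions have been disabled with the commands above, an administrator will usually want to confirm from a separate host that the listener really refuses them. The following is an added example, not ClearPass or HPE code: it pins a client handshake to one TLS version at a time and reports whether the server accepts it. The host name, the use of port 443 and the probing of one version per connection are assumptions; certificate validation is deliberately turned off because the check is about protocol acceptance, not trust.

```python
"""Probe which TLS protocol versions a server accepts (added example)."""
import socket
import ssl
from typing import List, Optional

TLS_VERSIONS = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}

# The local OpenSSL build must itself still be able to offer a legacy
# version; otherwise a failed handshake would say nothing about the server.
CLIENT_SUPPORTS = {
    "1.0": ssl.HAS_TLSv1,
    "1.1": ssl.HAS_TLSv1_1,
    "1.2": ssl.HAS_TLSv1_2,
    "1.3": ssl.HAS_TLSv1_3,
}


def probe_tls_version(host: str, port: int, version: str,
                      timeout: float = 3.0) -> Optional[bool]:
    """True if the server completes a handshake pinned to `version`,
    False if it refuses that version, None if no verdict could be reached
    (unreachable host, or the local OpenSSL cannot offer the version)."""
    if not CLIENT_SUPPORTS.get(version, False):
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # protocol check, not a trust check
    ctx.minimum_version = TLS_VERSIONS[version]
    ctx.maximum_version = TLS_VERSIONS[version]
    try:
        # Client-side security level often blocks legacy versions; relax it
        # for the probe only. Some builds reject the string, which is fine.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        return False                         # handshake refused: version disabled
    except OSError:
        return None                          # refused connection, timeout, DNS


def weak_versions_accepted(host: str, port: int = 443) -> List[str]:
    """Legacy versions the server still accepts; an empty list is the goal."""
    return [v for v in ("1.0", "1.1")
            if probe_tls_version(host, port, v) is True]


if __name__ == "__main__":
    import sys
    # Assumed target name; replace with the publisher or subscriber address.
    target = sys.argv[1] if len(sys.argv) > 1 else "clearpass.example.invalid"
    for v in TLS_VERSIONS:
        print(f"TLS {v}: {probe_tls_version(target, 443, v)}")
    print("weak versions still accepted:", weak_versions_accepted(target))
```

Run the probe against every ClearPass listener the disabled traffic type covers, not only the web UI, and treat a `None` result as "not verified" rather than as a pass.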
The following new features are introduced in ClearPass Guest in the 6.12.0 release:
| * | For customers with security policies that block internet access from ClearPass, some Extensions can now be installed as an offline file. On such systems that do not have a connection to the online Extension Store, the offline Extension's metadata is first imported and installed as an offline Extension patch. The Extensions can then be created from the Extension Store user interface. (CP‑42608) |
This feature is only available for selected ClearPass Extensions. Customers who want an offline Extension that is not available yet may submit a request for it to their product team or TAC. When the offline Extension file is available, it can be downloaded from the HPE Networking Support Portal. Be aware that after offline Extensions are installed, ClearPass cannot auto-update them in an offline environment. Users are encouraged to check the HPE Networking Support Portal regularly for updates to their installed offline Extension.
To use this feature:
| 1. | Customers with offline ClearPass who want to install offline extensions need to go to and disable the online Extension Store. Doing so enables offline extensions. It also stops background queries for online Extensions, improving page loading time. In the field, uncheck the new check box. |
| 2. | In the portal's list, click and then click the button for the imported Extension. |
| 3. | Go to and click . The imported Extension is displayed. Click the Extension to display the options, and then click and complete the configuration. |
| * | Two new states, and , are now added to the information shown for ClearPass Extensions at . Together with the existing and states, these added states provide more detail. They let the user know whether an Extension was stopped by the user or stopped unexpectedly, and include an exit code. Definitions for each of the four states are as follows: (CP‑47921) |
| - | The ClearPass Extension is currently running. |
| - | The ClearPass Extension has been administratively stopped and is not running. This indicates the ClearPass administrator manually stopped the Extension, either by using the button in the user interface or by the equivalent API call. |
| - | The ClearPass Extension is not running because it stopped for a non-administrative reason. The exit code can be viewed in the window. A stopped Extension will be in the exited state if it stopped for any reason other than the administrator stopping it; for example, if the system abruptly stopped working due to an out-of-memory error. |
| - | The ClearPass Extension is currently restarting. The time at which the ClearPass Extension last exited and the exit code it returned can be viewed in the window. |
| * | All Galleria and custom skins for ClearPass Guest are now included by default in each upgrade patch. This feature allows ClearPass administrators to use or customize any of these skins when creating a custom portal without requiring assistance to access them. (CP‑48128) |
| * | Traditional Chinese language translations are now supported in all Guest and Onboard workflows. (CP‑49136, CP‑51536) |
| * | ClearPass Guest now supports Ruckus Cloud in web logins and guest self-registrations. (CP‑49273) |
| * | The cloud identity (social logins) areas of ClearPass Guest now include some new fields and options: (CP‑51307) |
| - | It is now possible to configure multiple instances of any provider on one page. For example, the configured providers may include two or three options, each with a different . To create an instance that shares a provider with an instance created prior to 6.12, we recommend that you create a new instance. |
| - | A new column is added to the table of configured providers in the form, and shows the display name of each provider that is configured. To derive the value of the display-name label, ClearPass first uses any value that was configured for the field in the advanced properties. If the field is not configured, then the default value is used. |
| - | A new field is added to the form and is used to upload an icon file for the provider. |
The following new features are introduced in Insight in the 6.12.0 release:
| * | Insight can now monitor and store the RadSec and RADIUS accounting commands that are executed on AOS-CX switches and generate Insight reports from the information. (CP‑44883) |
The following new features are introduced in Onboard in the 6.12.0 release:
| * | In Onboard network settings, the description for the AES security version is now revised to clearly indicate that both WPA3 and WPA2 are supported. This is a cosmetic change; WPA3 was already supported with AES but it was missing from the description. Now on the tab, the option for AES is shown as . (CP‑45485) |
| * | ClearPass Onboard is now supported on iOS 17.x. (CP‑51123) |
The following new features are introduced in OnGuard in the 6.12.0 release:
| * | Support was added for the following products: (CP‑47259) |
| - | CrowdStrike Falcon 7.x (macOS) |
| - | CrowdStrike Falcon 6.58.17210.0 (Windows) |
| - | KACE 13.1.19 (macOS) |
| - | KACE 13.1.19 (Windows) |
| - | McAfee AntiVirus Plus 16.0 R111 (Windows) |
| - | Trellix 10.7.9 (macOS) |
| - | XProtect 2173.X (macOS) |
| - | XProtect 2172.x (macOS) |
| - | XProtect 2171 (macOS) |
| * | Support was enhanced for the following products: |
| - | Cortex XDR (Windows) |
| - | CrowdStrike (6.52.16606.0) (Windows) |
| - | CrowdStrike Falcon (Windows) |
| - | Cyber Eye Security Agent (Windows) |
| - | Kaspersky Endpoint Security (Windows) |
| - | McAfee AntiVirus Plus 16.0 R51 (Windows) |
| - | McAfee Internet Security (Windows) |
| - | McAfee LiveSafe – Internet Security 16.0 R26 (Windows) |
| - | Microsoft Defender ATP (Windows) |
| - | Trend Micro Apex One Security Agent (Windows) |
| - | Windows Defender (Windows) |
| - | Windows Firewall (Windows) |
| * | Support was added for the following operating systems: (CP‑51123, CP‑51206) |
| - | macOS 14 (Sonoma) |
| * | Support for several additional languages is added to OnGuard in the 6.12.0 release. The ClearPass OnGuard Persistent Agent and Native Dissolvable Agent for Linux, macOS, and Windows are now localized in Arabic, Basque, Chinese, Danish, Dutch, Italian, Norwegian, Portuguese, and Swedish, and can display text in these languages based on the current operating system (OS) language. The cumulative list of all languages now supported by OnGuard is as follows: (CP‑34467, CP‑46213, CP‑46216, CP-46217, CP‑46985, CP‑47004, CP‑47156, CP‑48171, CP‑48172, CP‑49363) |
| * | OnGuard now uses a new computed attribute, , to send the client device's serial number in WebAuth requests. This feature lets ClearPass administrators identify devices by their serial numbers in order to validate them for access and track them in the company's asset management system. (CP‑48287) |
The attribute is available for rules in role mapping, services, and enforcement profiles, and can be used to assign a role to the client device. It is supported by the OnGuard Persistent Agent, Native Dissolvable Agent, and Agentless OnGuard on Windows and macOS. On supported Linux flavors, the attribute is only supported by the Persistent Agent and Agentless OnGuard.
As part of this feature:
| - | Two new columns, and , are available for OnGuard reports in ClearPass Insight. |
| - | On the tab, the area includes the attribute and shows the device's serial number. |
| * | A new health class, , is added for Windows 10, Windows 11, Windows Server 2022, and macOS. Administrators can use the health class to specify which operating systems to allow or disallow based on the OS Name, version, build number, and other information. This feature is supported by the OnGuard Persistent Agent, Native Dissolvable Agent, and by Agentless OnGuard. It is not supported for Linux OS. (CP‑48288) |
At , the configuration for the health class includes an section and an section. Administrators can configure multiple rules for each section. The following attributes are available for the rules:
| - | (Windows only) Examples: Windows 10, Windows 11 |
| - | Examples: Windows 10 Pro, Big Sur, Monterey, Ventura |
| - | Examples: 19044 (build number for Windows 10), 20F71 (build number for macOS 11.4) |
| - | Examples: 10.0.19044 (OS Version for Windows 10), 11.4 (OS Version for macOS 11.4) |
| - | (Windows only) Example: 21H2 |
| - | (Windows only) Examples: Professional, Enterprise. |
As part of this feature:
| - | A new update type, , is added to the area of the page. The row for this update type also links to a reference table that maps macOS version numbers to their corresponding version names. |
| - | Two new columns, and , are available for OnGuard reports in ClearPass Insight. |
| - | The view shows the input and output attributes returned for the health class. |
| * | Starting with the ClearPass 6.12.0 release, ClearPass Agentless OnGuard on Windows now runs as a Windows Service instead of as a process. With this change, the Agentless OnGuard service starts automatically after the client is restarted. It starts performing health checks as soon as the ClearPass server becomes reachable without waiting for the ClearPass server to launch it, and it continues to run until it is stopped. (CP‑48668) |
| * | Agentless OnGuard now supports IPv6 on all supported operating systems. As part of this feature: (CP‑48828) |
| - | A new area is added to the tab. This area includes an drop-down list specifically for Agentless OnGuard. |
| - | In the API Explorer a new API attribute, , is added to the REST API. |
| - | When using Agentless OnGuard, only port 445 now needs to be open or allowed on Windows clients. Port 139 is no longer required. |
The following new features are introduced in Policy Manager in the 6.12.0 release:
| * | ClearPass now supports TLS 1.3 for the EAP-TLS and PEAP methods (as per RFC 9190). To use this feature, go to the tab and configure the parameter as needed. If a user mistakenly tries to set parameters for all the TLS versions to disabled at the same time (1.0, 1.1, 1.2, and 1.3), the action is prevented and an error message is displayed. When TLS 1.3 is enabled for EAP‑TLS, the "RSA‑PSS signature suite in EAP‑TLS" RADIUS service parameter must also be enabled. This is a BETA feature in the 6.12.0 release, so TLS 1.3 is not enabled by default. The parameter includes the following options: (CP‑20259, CP‑39341, CP-50882, CP-51562) |
| - | Disables TLS 1.3 for EAP and enables TLS 1.3 for HTTPS on all servers in the cluster. On new ClearPass installations this is the default setting. When an existing ClearPass server is upgraded from an earlier version to 6.12.0, this is the default setting after upgrade. |
| - | Enables TLS 1.3 for EAP and the network, and disables TLS 1.3 for HTTP only, on all servers in the cluster. The setting must be used in cases where client certificate-based authentications with SSO, OnGuard, or downloadable user roles are configured, as those do not work with TLS 1.3. Having the setting as the default for upgraded servers ensures that if any of those configurations are present, the TLS setting will not interfere with them. |
| - | Disables TLS 1.3 for EAP on all servers in the cluster. To support CC mode, the option is required. |
| - | Enables TLS 1.3 for EAP on all servers in the cluster. When the option is enabled, TLS 1.3 is used as the preferred connection for systems that support it. |
If a Trusted Platform Module (TPM) certificate with version 1.16 firmware is used that does not properly support the RSA‑PSS algorithm, authentications fail, returning 0000 instead of the correct value. If you use TPM-based certificates, then to prevent such failures you should ensure that your TPM firmware is a version later than 1.16.
| * | Support is added for AES-256 encryption on SNMPv3. The AES-256 privacy protocol is used to secure the content of trap messages or polling messages, and allows the ClearPass NMStrapagent to relay traps with the AES-256 privacy protocol. To use this feature: (CP-22429, CP-31712, CP‑31713, CP‑48341) |
| - | To configure the AES-256 encryption option for system monitoring (polling), go to the tab. Set the SNMP version to v3, enable the authentication and privacy options, and then select in the field. |
| - | To configure the AES-256 encryption option for traps and informs, go to . Set the SNMP version to v3, enable the authentication and privacy options, and then select in the field. |
| - | To send SNMPv3 traps with AES-256 privacy protocol secured messages, go to and click the host address of the trap receiver. In the window set the to one of the options for v3 authentication with privacy, and then change the to . After this is done, check the trap receiver to verify whether it is receiving trap and inform messages. |
In SNMPv3, using AES-256 with MD5 (authentication protocols with key lengths less than 256 bits) is not supported. This is due to a missing localized keys extension implementation in NET-SNMP.
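The reason behind that restriction is visible in the key derivation itself: the privacy key is localized from the authentication password with the authentication hash, so it is only as long as that hash's output, and AES-256 needs 32 bytes. The following is an added example, not Net-SNMP or ClearPass code, that derives SNMPv3 keys per RFC 3414 (password-to-key, then engine-ID localization) and reports how far the result falls short of 32 bytes. The key-extension step that would fill the shortfall is the chained-hash construction of the Blumenthal AES-USM draft as I recall it and is labelled an assumption in the code; the password and engine ID are the RFC 3414 Appendix A test values.

```python
"""RFC 3414 key derivation and the AES-256 key-length shortfall (added example)."""
import hashlib
from typing import Tuple

ONE_MEGABYTE = 1_048_576
AES256_KEY_BYTES = 32


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to 1 MB -> Ku."""
    if not password:
        raise ValueError("password must not be empty")
    repeats = ONE_MEGABYTE // len(password) + 1
    return hashlib.new(hash_name, (password * repeats)[:ONE_MEGABYTE]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku), unique per engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def extend_privacy_key(kul: bytes, needed: int, hash_name: str) -> bytes:
    """ASSUMPTION: Blumenthal-style extension, Kul_1 = Kul, Kul_n = H(Kul_n-1),
    concatenated and truncated to the privacy protocol's key length."""
    out, last = kul, kul
    while len(out) < needed:
        last = hashlib.new(hash_name, last).digest()
        out += last
    return out[:needed]


def derive_privacy_key(password: bytes, engine_id: bytes, hash_name: str,
                       needed: int = AES256_KEY_BYTES) -> Tuple[bytes, bool]:
    """Return (privacy key, extension_was_needed). Without an extension
    implementation on the agent side, the True case cannot interoperate."""
    kul = localize_key(password_to_key(password, hash_name), engine_id, hash_name)
    if len(kul) >= needed:
        return kul[:needed], False
    return extend_privacy_key(kul, needed, hash_name), True


if __name__ == "__main__":
    # RFC 3414 Appendix A test values.
    engine = bytes.fromhex("000000000000000000000002")
    for name in ("md5", "sha1", "sha256"):
        kul = localize_key(password_to_key(b"maplesyrup", name), engine, name)
        key, extended = derive_privacy_key(b"maplesyrup", engine, name)
        print(f"{name:6s} localized key {len(kul):2d} bytes; "
              f"AES-256 needs {AES256_KEY_BYTES}; extension needed: {extended}")
```

With SHA-256 (or longer) authentication the localized key already covers the 32 bytes AES-256 requires and no extension step is involved, which is the combination to use when pairing AES-256 privacy with ClearPass.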
| * | A new service parameter, Use HTTP Proxy setting for OCSP Connection, is now added. This parameter can be used to configure the OCSP connection when EAP-TLS with OCSP Enabled is configured as the authentication method and an HTTP proxy is configured. To use this feature, go to the Administration > Server Manager > Server Configuration > Service Parameters tab and select RADIUS server as the service. In the OCSP area, change the value to TRUE for the Use HTTP Proxy setting for OCSP Connection parameter. When this value is set to TRUE, the HTTP proxy setting is applied to all OCSP lookups that are not localhost. The default value for this parameter is FALSE. (CP‑43682, CP‑50379) |
| * | A new RADIUS server service parameter, , can be used to configure the amount of time after which an authentication request should expire. To use this feature, go to the tab and select as the service. In the area of the table, change the value of the parameter to accommodate the expected time needed for the authentication. Allowed values are 30 to 300 seconds. The default value is 45 seconds. Please also see known issue CP‑51676 in this release. (CP‑44526, CP‑50461) |
| * | ClearPass now includes a size limit on user role configurations for AOS Mobility Controllers. If the size limit is exceeded when the user role configuration is created or imported, a warning banner is displayed on the page. The warning shows the maximum allowed size. The size limit for the AOS Mobility Controller is 16K. (CP‑44811) |
| * | The ClearPass user interface now includes an option for users to export Async network service logs to an external syslog server. To use this feature, go to the tab and configure the new option. The default filter level for this service is . (CP‑45089, CP‑48965) |
| * | ClearPass now supports AOS-CX user access management via RADIUS. On the AOS-CX side, this is available in AOS-CX 10.11 and later. User access is granted by the vendor-specific attribute (VSA) values sent in the RADIUS ACCESS-ACCEPT packet from ClearPass. These may be manually entered in the field on the tab. The VSAs that must be configured in the profile in order to request user access are as follows: (CP‑46012) |
| - | Values supported by AOS-CX are: |
| - | SSH |
| - | CONSOLE |
| - | TELNET |
| - | HTTPS-SERVER |
| - | Privilege level to grant to the user. |
| * | ClearPass administrators can now configure the maximum HTTP header size as needed. This feature can be used to prevent running out of memory if the maximum number of threads would otherwise create a buffer size too high for the server. On a server that typically does not require a large header size, you can set a lower value in order to limit the buffer size. To use this feature, go to the tab and select as the service. The form includes the new area with the parameter. If TAC advises it for a system, the size of the parameter may be adjusted as needed for the server. The value for the parameter applies to both the request and response HTTP headers. The default value is 8192 bytes. Allowed values are between 8192 and 10,485,760 bytes. (CP‑46915) |
Do not change the size of the parameter unless advised to do so by TAC.
| * | A new column, , is now added to . This column prevents scenarios where, when the sent accounting data, some start or stop events might otherwise have been missed due to a timing offset in accounting processes. The column is added to get the exact timestamp when the entry is made to the local database store, and to ensure that there is no delay and that we have the correct time interval to select the records. This column is now automatically included in all predefined group filters, and replaces in those filters. Both columns are also available in the list. As part of this fix, several other new columns are also added now. These additional columns are optional: (CP‑47592) |
| - |
| - |
| - |
| - |
| - |
| - |
| - |
| * | This release further enhances ClearPass support for Microsoft Entra ID (previously Azure Active Directory, or AAD) as an authorization source. The Microsoft Entra ID authorization capabilities are now extended to allow customers to use more than just user groups for authorization. This feature also supports certificate-based setups, so customers can choose to use either cleartext secrets or certificates to connect Microsoft Entra ID with ClearPass. As part of this feature, when Microsoft Entra ID is configured as an authorization source: (CP‑47920, CP‑48279, CP‑50884) |
| - | Administrators can choose to use certificates instead of API tokens. |
| - | Filtering can be done by group, assigned role, user, user type, MFA status, location, and more. |
| - | The includes alerts for expiring client secrets. |
| - | Additional default authorization attributes are available. The following attributes are not shown in the filter and must be manually entered in the filter query: |
| - |
| - |
| - |
For more details, see the Microsoft Entra ID topic in the ClearPass Policy Manager 6.12 User Guide.
| * | The Access Tracker now supports "negative filtering." Two new filter parameters, and , let administrators specify items to exclude from the results. (CP‑47922) |
| * | Starting with the ClearPass 6.12.0 release, when a ClearPass administrator stops the RadSec service on the tab, the service remains stopped until the administrator starts it again or until a system reboot (all services are restarted after a reboot). (CP‑47990) |
| * | A new column is available to add to the table. When the column is included, the ClearPass administrator can quickly see the tips-role computed attribute information that was returned to the device without having to open the window. To add the column in the table, click the button in the filter area and then move the option from the list to the list. (CP‑48129) |
| * | Now when a user disables or enables the option on the , , , or pages, the setting is retained during their session and after they log out and log in again. This can be helpful when troubleshooting or in other scenarios where a user wants to return to a previous search. The setting is specific to the user and does not affect other users. (CP‑48131) |
| * | Support is now added to send the PoE allocation type to an AOS-CX switch. As part of this feature a new vendor-specific attribute (VSA), , is added to the RADIUS dictionary and available in enforcement profiles. This attribute can be used by the AOS-CX switch to set the PoE power allocation method for onboarding a device after authentication. Supported values for the VSA are and . Power over Ethernet (PoE) technology allows IP telephones, wireless LAN access points, and other appliances to receive power and transfer data over existing Ethernet LAN cabling. (CP‑48212) |
| * | Devices with valid RadSec client certificates can now be configured with the flexibility to connect from numerous access points anywhere in the world. With this configuration, public IP addresses assigned by Internet service providers are used to establish the RadSec connection with ClearPass, and ClearPass does not check the source IP address. To use this feature, on a device with RadSec enabled, go to the tab. In the field enter . In the field select . Enabling certificate validation ensures only authorized devices will be allowed. Otherwise, setting the source override IP address to 0.0.0.0/0 or ::/0 allows RadSec traffic from any device trying to establish a connection on the configured RadSec port. (CP‑48278) |
| * | Endpoint caching behavior in the policy server is now optimized by introducing a limit on the number of endpoints that are cached in the policy server's processing memory. Previously the entire list of endpoints was loaded from the database on each of the servers in the cluster every time the system was started or a reload was triggered. Now the endpoints are read from the database into the cache only when they are needed for processing at runtime. This significantly reduces memory use and allows other processes to run faster, improving performance across the cluster. Users will initially see some performance impact on CPU usage and load average while the cache is first being populated and when any new endpoint is authenticated. However, after the cache is populated the impact is minimal and memory usage is improved. As part of this feature, as the number of endpoints in the cache reaches the device limit for the appliance type, inactive endpoints are cleared from the cache to maintain that limit. This limit is applied on the individual servers in a cluster and does not apply to the ClearPass endpoint database. (CP‑48834, CP‑49313) |
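The caching model described above (load an endpoint from the database only when it is first needed, keep the cache bounded by the appliance's device limit, and clear inactive entries to stay under it) is easiest to reason about in code. The following is an added example, not ClearPass code: a bounded, lazily populated cache over a constructed in-memory stand-in for the endpoint database. Treating "inactive" as least-recently-used is an assumption; the release note does not say how inactivity is decided.

```python
"""Bounded, lazily populated endpoint cache (added example, not ClearPass code)."""
from collections import OrderedDict
from typing import Dict, List, Optional

# Constructed stand-in for the endpoint database: MAC address -> attributes.
ENDPOINT_DB: Dict[str, dict] = {
    f"00-11-22-33-44-{i:02x}": {"role": "printer" if i % 3 == 0 else "laptop"}
    for i in range(10)
}


class EndpointCache:
    """Cache that fills on demand and evicts the least recently used entry
    (ASSUMED inactivity policy) once it exceeds the configured device limit."""

    def __init__(self, db: Dict[str, dict], limit: int):
        if limit < 1:
            raise ValueError("limit must be at least 1")
        self._db = db
        self._limit = limit
        self._cache: "OrderedDict[str, dict]" = OrderedDict()
        self.db_reads = 0      # how often the database had to be consulted
        self.evictions = 0     # how many inactive entries were cleared

    def get(self, mac: str) -> Optional[dict]:
        mac = mac.lower()
        if mac in self._cache:
            self._cache.move_to_end(mac)      # touched: now the most active entry
            return self._cache[mac]
        record = self._db.get(mac)            # runtime load, only on a miss
        self.db_reads += 1
        if record is None:
            return None                       # unknown endpoints are not cached
        self._cache[mac] = record
        if len(self._cache) > self._limit:
            self._cache.popitem(last=False)   # clear the least recently used entry
            self.evictions += 1
        return record

    def cached_macs(self) -> List[str]:
        """Cache contents from least to most recently used."""
        return list(self._cache)


if __name__ == "__main__":
    cache = EndpointCache(ENDPOINT_DB, limit=3)
    for i in (0, 1, 2, 3, 1, 0):
        cache.get(f"00-11-22-33-44-{i:02x}")
    print("cached:", cache.cached_macs())
    print("db reads:", cache.db_reads, "evictions:", cache.evictions)
```

The counters are the point for capacity planning: on a warm cache a repeated authentication costs no database read, while the first contact from each endpoint after a restart does, which is the initial CPU and load-average impact the release note describes.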
| * | The option is now available for HTTP authentication sources on the tab. When Policy Manager caches attributes fetched from an authorization source, the option specifies the duration, in seconds, for which the attributes are cached. The default cache timeout value is 0 seconds. As part of this feature, the button is also available now for HTTP authentication sources. (CP‑48844) |
| * | In downloadable user role (DUR) enforcement profile configurations for ArubaOS switches, two new options are added to enforce client limits for port access methods. To use this feature, go to the tab. For the template, select configuration mode and as the product. On the tab, enable and configure the two new options as needed: (CP‑48847) |
| - | If a value is entered, it overrides the default client limit for the 802.1X port. Allowed values are from 1 to 32. |
| - | If a value is entered, it overrides the default client limit for the MAC authentication port. Allowed values are from 1 to 256. |
| * | Axis Communications root and intermediate ECC and RSA certificates are now available in the list of trusted certificates at . These certificates allow ClearPass to validate the client certificate in EAP-TLS authentications during onboarding and deployment of Axis Communications IoT devices. With the complete Axis Communications trust chain available in the , users no longer need to log in to the Axis Communications support site to download and install the certificates. The Axis Communications certificates in the are disabled by default. Administrators who are setting up Axis Communications authentication services need to enable the Axis Communications root and intermediate certificates as part of that configuration. (CP‑48920) |
| * | A new RadSec service parameter, , is available for cleanup intervals and can be used to specify the amount of time after which an idle RadSec tunnel should be closed. This can be used to keep the tunnel open when the client doesn't send status server messages. To use this feature, go to . On the tab, enter a value for the parameter. The default value is 15 minutes. The maximum allowed value is 2880 minutes (48 hours). (CP‑50062, CP‑50165) |