Aruba ClearPass

Aruba’s ClearPass is a way for you to easily provide Wi-Fi network access to your visitors and employees.

Updated over a week ago


How does this application work?

Envoy sends visitor information to ClearPass, which then provisions temporary Wi-Fi access credentials to your network. Upon sign-in, the visitor will receive an email (if you collect visitor email addresses) or text message (if you collect visitor phone numbers) with username and password information for Wi-Fi access.

For this app to work, you must collect visitor email addresses at sign-in. Learn more about how to configure your Envoy sign-in fields.

Envoy does not send emails with this app. In order to send emails to visitors, this must be configured in the ClearPass gateway. Envoy will send an SMS so long this option is selected in the app configuration and phone number is collected in the sign-in flow.

For this app to work, you must collect visitor email addresses at sign-in. Learn more about how to configure your Envoy sign-in fields.

Enabling the Envoy + Aruba ClearPass application

To get started with this app, please head to this Application Guide which will provide you with everything you need to set things up within both Aruba ClearPass and Envoy. The key steps from the Envoy side are:

  1. Under Wi-Fi, find Aruba ClearPass, and click “Install.”

Step 1: Setup Instructions

Complete the ClearPass Extension setup in Aruba ClearPass. You will receive a ClearPass tenantName. Please see the Aruba ClearPass + Envoy Integration Guide for more information.

The Skyhook tenant ID is only valid for 1 year. After that year you will need to get a new one following these same steps.

  1. Note your Envoy app Install Token to be input in the Clearpass Envoy extension configuration JSON.

  2. Click Next Step

Step 2: ClearPass tenantName

  1. In Envoy settings, paste your skyhookTenant into the ClearPass tenantName field.

    1. Envoy Locations to Tenant Names(Optional): If you have multiple ClearPass accounts, you can add a second tenantName in the Secondary ClearPass tenantName field.

      If you add a secondary tenantName, you must also select the locations to associate with the secondary tenantName.

      All locations not selected in the Secondary location mapping field will be associated with your primary tenantName.

    2. Block by Location (OPTIONAL): Selected Locations will not be provisioned credentials for visitors

    3. Block by Visitor Type (OPTIONAL): Selected Visitor types will not be provisioned credentials.

    4. Only invited guests will receive credentials: check this box to require an invite in order for credentials to be provisioned.

  2. SKYHOOK API HOST (OPTIONAL): Only enter this if Aruba has provided it.


Step 3: ClearPass SMS Config

  1. Select an SMS Gateway

    1. ClearPass SMS Gateway: SMS will come from ClearPass

    2. Envoy SMS Gateway: SMS will com from Envoy's SMS service (Twilio)

  2. If Envoy has been chosen, you can input an SMS template to be sent to Visitors.

    1. "Deliver a branded message to your visitors. Use %USERNAME% and %PASSWORD% as placeholders for the delivered credentials."

  3. Click Next Step

Step 4: Status Report

  1. Once the Envoy ClearPass Extension is activated, it will automatically begin provisioning Wi-Fi credentials for visitors. You can see the status of the application and any failures that have occurred on your Installed apps page under Aruba ClearPass.


  2. We suggest signing in a test visitor and ensuring that you get the credentials to via Email and SMS (if applicable). You can also view the credentials from the dashboard by clicking into a visitor entry.

Aruba Clearpass + Envoy Workplace

Envoy now allows the ability to auto-check in employees when they connect to your company's wifi network.

This functionality is in BETA and there may be limited availability.

Step 1: Setup Envoy as an Endpoint Context Server

  1. In the the Envoy App-Store, find Aruba ClearPass (Workplace) and install.

  2. On Step 1, use the values populated here to configure an Endpoint Context Server in the Aruba ClearPass Policy Manager.

Endpoint Context Server Configuration

  1. In the Aruba ClearPass Policy Manager, navigate to AdministrationExternal Servers → Endpoint Context Servers

  2. Click the “Add” button on the top-right to add an Endpoint Context Server.


  3. On the “Add Endpoint Context Server” modal, fill in the values from the Envoy App-Store setup step #1, and click update.

Step 2: Clearpass Configuration

  1. On the App-Store, Click “Next Step” to continue to “Clearpass Configuration” step.

  2. Fill in the fields according to your configuration.

These fields will require you to locate the corresponding field labels from a Wifi Connection request on an Aruba ClearPass Policy Manager account. Aruba ClearPass Policy Manager > Monitoring > Live Monitoring > Access Tracker

Description of each field:

  • Location Filtering:

    • Name of the Wifi Network(s) that you wish to apply auto check-in functionality.

  • Username Attribute:

    • The attribute that holds the employee’s email on the connection event.

  • MAC address attribute:

    • The attribute that holds the employee device’s MAC address.

  • Location attribute:

    • The attribute used to determine where the Wifi connection request happened.

  • Timestamp attribute:

    • The attribute that holds when the Wifi connection request happened


Step 3: Setup Context Server Action

The values in this step will be used to create a context server action in the Aruba ClearPass Policy Manager.

Note: the Content-Type field is generated based on the information entered into Step 2.


How to create a Context Server Action:

  1. In Aruba ClearPass Policy Manager, navigate to: AdministrationDictionariesContext Servers Actions

  2. Click the “Add” button on the top-right to add an Context Server Action

  3. Use the values from the App-Store setup step 3 to create a Context Server Action.

Step 4: Setup Enforcement Policies

Create an enforcement profile in Aruba ClearPass Policy Manager using the values populated here.

How to create the Enforcement Profiles

  1. In Aruba ClearPass Policy Manager, go to Configuration > Enforcement > Profiles and click the "Add" button in the top right corner.

  2. On the "Profile" tab, fill in the values from Step 4 of the integration installation from the Envoy dashboard.

    Template: "Session Notification Enforcement"

  3. Go to the "Attribute" tab and add the attributes with the values from Step 4 as well.

  4. Save the Profile

  5. Add another Profile

  6. On the “Profile” tab of the Enforcement profile creation form, use the values under the Envoy Default Profile “Profile Details” section of setup step 4 to complete the form.

    Template: "Aruba RADIUS Enforcement"

  7. Go to the the “Attributes” tab and use the values under the Envoy Default Profile “Attributes Details” section of setup step 4 to complete the form.

  8. Save the Profile

Step 5: Setup Enforcement Policies

The values shown on this step will be used to create an enforcement policy in Aruba ClearPass Policy Manager.

How to create the Enforcement Policy

  1. In Aruba ClearPass Policy Manager, go to Configuration > Enforcement > Policies and click the "Add" button in the top right corner.

  2. Go the the Enforcement tab and using the values from Step 5, fill out the the form.

  3. Go the Rules tab, and add the values from Step 5.

  4. Click Save.

  5. On the integration configuration in the Envoy App-Store, click "Complete Setup"

Did this answer your question?