CLEARPASS ACCESS MANAGEMENT SOLUTION

SALES GUIDE

A fully integrated and complete solution for access security

policy management, enabling organizations to centrally enforce
and refine policy to meet the requirements of the business.

ClearPass Access Management Solution Sales Guide – Confidential – Aruba Networks and Partners only
CLEARPASS ACCESS MANAGEMENT SOLUTION
SALES GUIDE

ContentsPage

OPPORTUNITY OVERVIEW
Why sell ClearPass Access Management? 1

SOLUTION OVERVIEW 
Solution description  2
Using ClearPass to benefit the business 3

THE MARKET
Target markets 4
Market needs 5

THE SOLUTION
How ClearPass meets customer needs 6
The competitive landscape 8
How to beat the competition 9
Success stories 10
The financial business case 12

THE SALES PROCESS

Qualification 13
Dealing with objections 14
Typical deals 15
Sales tactics  15
A typical sales cycle 16
Contacts and resources 17

Confidential – Internal and partner use only

OPPORTUNITY OVERVIEW

WHY SELL CLEARPASS ACCESS MANAGEMENT?

Why this opportunity is worth your time

Value of a Small deal: $15-35k (to gain entry into a new account)
typical sale Medium deal: $50-75k
Large deal: $100k+
Very large deal: $250k up to $1M+

Time to For a small deal, can be as short as 8-10 weeks

close More typical (e.g. where budget is needed): 3-12 months

Other • Consultancy business: Professional Services can be up to 20% of the deal

benefits • Support revenues: generate 12-15% in annual spend
• Enables you to talk wider within your customer’s organization (e.g. to the CMO’s team)
• Unlock a single vendor stronghold; create opportunity to talk about other (Aruba WLAN) solutions
• ClearPass upsell: sell additional capacity and module licences as users and devices increase
• As a partner, you can cross-sell other Aruba products, and other vendors’ products and applications (via
integration), such as MDM, Security Information and Event Management (SIEM), Palo Alto firewall

Why it is worth your customers’ time
Many customers want to open up their networks to
access from mobile devices (smartphones, laptops,
tablets etc.), owned by the organization or by the end
user. They are responding to a growing expectation by
employees and visitors that they should be able to use
mobile devices for work and for interacting with the
organization.
#GenMobile, people that have a preference for all
things mobile, are an increasing proportion of the
workforce. Organizations need to attract this talent
pool to remain competitive.
ClearPass offers organizations the opportunity to
centrally develop, automate, enforce and audit an
access security policy that will enable them to meet
business requirements and comply with regulations
and legislation, while enhancing the user experience.
What are ClearPass’ key advantages?
ClearPass is the only access management solution that:
• Works efficiently and cost-effectively across multi-
vendor wired and wireless networks
• Is highly scalable, managing access security in
very large deployments, across multiple sites, and
handling high density authentication requests
• Delivers policy management, policy enforcement,
guest functionality, device profiling and onboarding
from a single platform
• Has workflow and interoperability to provide
automation and self-service which improves user
experience and reduces IT costs
• Enables contextual policy management to a location,
device and user level

THE OPPORTUNITY IN BRIEF

ClearPass Access Management Solution:
• Provides a centralized point of policy management
• Allows mobile devices to be used easily and securely within an organization
• Creates an attractive working environment for employees and contractors
• Helps organizations enhance the user experience and interact more effectively with guests
• Enables customers to contain the costs of managing network access

Confidential – Internal and partner use only 1

 SOLUTION OVERVIEW

SOLUTION DESCRIPTION

ClearPass Access Management Solution

ClearPass enables customers to control access to
wired, wireless and remote (VPN) networks. The
solution provides capability for an organization to:

• Develop, automate, enforce and audit access security

policy
• Manage and refine policy from a centralized location
With ClearPass the customer has a single point of policy
implementation at a device and individual level which
better protects the network against threats, and the
organization’s information assets against improper use.
For example, accessing accounts data from a laptop at
HQ can be allowed, but not via a wired port in a branch
office, unless it is by the CFO.

ClearPass Policy Manager

The core of the solution is an enterprise RADIUS/
TACACS+ hardware appliance or virtual machine (VM)
server with advanced policy control. It includes:
• Profiler – identifies and classifies devices on the
network
• Insight – reporting, analytics, alerts, compliance
verification
• ClearPass Exchange – RESTful based APIs for
integration with other systems, including but not
limited to third-party MDM, firewalls and SIEM
• AirGroup Registration portal – makes plug-and-play
network services for media management (e.g. Apple
AirPrint/AirPlay, DLNA, UPnP) controllable and secure
within an enterprise network
Advanced features
Additional features, enabled through purchase of
perpetual or subscription licences, are delivered in
three modules:
• ClearPass Guest – providing secure wired and
wireless access for guests and contractors, with self-
registration, social login and linkage to credit card
billing, plus an optional advertising module
• ClearPass Onboard – automates device configuration
and enables customizable self-provisioning of target
devices with unique credentials for secure access
• ClearPass OnGuard – assesses the health of
connecting devices, and provides automatic
remediation workflows and device compliance
reporting

Aruba and partner services

• Customization – Aruba Professional Services deliver
support for customizing the look and feel of guest
and employee portals
• Design and deployment – delivered by Aruba or
specialist partners
• Support – delivered via the partner or direct to Aruba
• Security policy development
• End user training

2 Confidential – Internal and partner use only

 CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > SOLUTION OVERVIEW

USING CLEARPASS TO BENEFIT THE BUSINESS

ClearPass enables the business requirements for resource access and security policy to be implemented directly
using a complete end-to-end process

1
What network
access policy do we
need for the
business?
2 DEVELOP
• Profile users
and device
types

Y
OLIC • Build/Improve Access
3 AUTOMATE
P Security Policy
E
N

6 MANAGE
FI
RE

AND REFINE

• Easily enrol
guests and
• Simulate policy onboard devices
change – relieve
• Enhance user IT burden
experience

Do we need to
modify the
policy?
4 ENFORCE

5 AUDIT
• Re-profile • Apply policy
• Check compliance • Control access
• Analyse usage • Check device health

MAIN CUSTOMER BENEFITS

• Visibility: the ClearPass platform provides centralized visibility of and control over access to all IT
networks, ensuring that security policy is applied consistently across the whole organization
• Security: enforcement, auditing and reporting features enable customers to comply with relevant
regulations and legislation, demonstrate compliance, and mitigate the risk of a breach of access security
• Workflow: users are able to connect securely and easily from tablets, smartphones etc., delivering an
improved mobility experience across both corporate-owned and user-owned devices (e.g. BYOD)
• Mobility: employees given the flexibility to work from their preferred locations and devices are more
productive
• Cost: the reduced number of appliances required, automated enrolment and device onboarding, and a
reduction in IT help tickets through workflow enabled self-service make the ClearPass solution efficient
and cost-effective

Confidential – Internal and partner use only 3

 THE MARKET

TARGET MARKETS

Why customers need ClearPass

Across all verticals and sizes of organization, there is
a growing requirement to allow access to corporate
networks from mobile devices. These devices may be
corporate-owned, or owned by the end user (e.g. BYOD,
or for guest access).
Until recently, the Network Access Control (NAC)
function has largely been targeted at enforcing access
security policies for Windows PCs. Now control is
being extended to mobile devices running a variety of
operating systems, across wired and wireless networks,
and for remote access via VPNs.
ClearPass meets this extended NAC requirement, but
can also do a lot more for the customer’s business. So,
although many opportunities might arise from a need
for improved network access control, it is important to
explain to your customer what else can be achieved
with ClearPass, because it is this complete capability
that sets ClearPass apart.
WHY THE MARKET IS ATTRACTIVE
NOW
• There has been rapid and widespread
growth in types and models of mobile
devices, which people find convenient and
want to use
• The availability of apps and services
(including cloud) has made mobile devices
indispensable, so owners expect to be able
to use them for work and for interacting with
organizations, from any location
• The ‘consumerization of IT’ is now a reality:
giving employees a choice about how
they work has become essential for staff
recruitment and retention
• Competitive pressures continue to drive
organizations to look for ways to enhance
customer experience while containing costs
• IT departments are being outpaced by user
demand: they need tools that accelerate
the onboarding of new devices and reduce
workload through self-service, while
enforcing security and providing visibility

Which of my customers shall I target?

A ‘YES’ answer to some of the following questions mean they are a good prospect.

YES NO
1 Has the prospect or another organization in the same industry sector recently suffered a security breach?

2 Is a large proportion of the prospect’s workforce using mobile devices?

3 Do they hire contractors, or work collaboratively with partners/agencies?

4 Do they have frequent and large numbers of guests?

5 Do they have distributed offices?

6 Are they moving into a new building, or consolidating sites?

7 Have they recently been or are they about to be involved in a merger or acquisition?

8 Are they a public sector organization that is being encouraged by government to share resources?
Are they in an industry where new regulations or legislation have recently been or are about to be
9
introduced, which relate to information security or operational risk?
10 Do they have a heterogeneous (multi-vendor) network?

4 Confidential – Internal and partner use only

 CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > THE MARKET
MARKET NEEDS
General market needs
Visibility and control: customers in all verticals want
visibility of how their network is being accessed – from
where, by whom and using what device. They need to
be sure that only authorized users are allowed access,
and that unsecure or compromised devices are either
denied access or removed from the network.
Compliance: organizations must comply with
mandatory security requirements, regulations and
legislation, and protect networks against data loss and
cyber-attacks.
Productivity: many organizations are looking to
improve employee productivity by providing staff with
secure access from any device, so that users have a
wider range of options to get work done.
User engagement: this is of growing importance,
especially in Finance (retail banking), Retail and
Hospitality. Being able to deliver targeted information
to users based on context (user profile, location etc.) is
a major driver for fostering customer loyalty.
Cost containment: reduce the burden on already
overstretched IT resources and avoid/lower the costs of
owning and replacing devices.
Mobility: many organizations are frustrated by the
difficulties of using mobile devices for business and
enforcing an appropriate access security policy. They
wish to improve the mobility experience for their
customers, staff, contractors and partners.
MARKET TRENDS
Analysts like Frost & Sullivan and Gartner
are forecasting that organizations worldwide
will spend a growing amount on network
access management solutions over the five
years to 2018. From a worldwide market
worth $US 350 million in 2014, the forecast
is for demand to steadily increase at a rate
of almost 31% per year to break $1 billion by
2018. This is a major opportunity for partners
to work with Aruba to establish ClearPass as
a primary source of revenue generation.
Confidential – Internal and partner use only
Business drivers in selected verticals
Healthcare
• Enable patient and hospital visitor guest access
• Allow doctors, nurses and admin staff to self-
configure their own devices
• Enable clinicians to securely access patient data,
regardless of location
• Securely transfer patient data based on user
privileges and/or device profile
Finance
• Use mobile devices for enhanced customer
interaction (e.g. electronic signatures)
• Implement sponsored visitor guest access for
regulators, auditors, consultants
• Phase out corporate-owned devices by allowing staff
to purchase and use their own replacements
• Deploy improved access security to comply with the
latest industry regulations (Basel III)
Retail and Hospitality
• Attract customers by offering guest Wi-Fi
• Engage with customers (including advertising and
loyalty marketing) using contextual information
• Improve customers’ experience with Wi-Fi that
remembers them on their next visit
• Enforce PCI requirements with secure access
Education
• Enable students to use personal devices for
interactive learning
• Allow non-IT specialists to securely grant guest access
to students, parents and authorized visitors
• In schools, save money by allowing pupils to purchase
and use their own devices
ClearPass worldwide addressable market size
$M
1200
1000
800
600
400
200
0
2014 2015 2016 2017 2018
Source: Aruba view, based on reports from Frost & Sullivan
and Gartner
5
 THE SOLUTION
HOW CLEARPASS MEETS CUSTOMER NEEDS
What are the business needs of key people in your customer’s organization? Here’s how ClearPass addresses
each need.
CIO: ACCESS MANAGEMENT NEEDS
Need
Provide a good service
− executives wanting to use own
devices
− employees using multiple
devices
− employees bringing their own
devices (i.e. BYOD)
− simple guest access
Reduce the risk of a security breach
− guard against malicious attacks
− maintain the trust of customers
and partners
CFO: FINANCIAL NEEDS
Need
Contain the costs of network access
security management
− implementation
− network equipment upgrades
− hardware
− licence fees
− administration costs
− multiple device support
− dealing with visitors
Predictability of costs over lifetime
of solution
− scalability and linear growth
− availability of perpetual licences
− licensing flexibility
6 Confidential – Internal and partner use only
How the business need is addressed
• ClearPass OnGuard protects against unsecure and compromised devices, enabling
organizations to allow use of employee-owned devices without putting the business
at undue risk
• ClearPass Onboard enables employees and contractors to easily and securely
onboard their newly-supplied or own devices – by provisioning 802.1X settings and
issuing certificates
• Onboard provides the ability to customize the portal and workflow for each user
group and device
• ClearPass Guest provides customizable portals, plus support for guest sponsors and
IT-controlled guest privileges, to make self-registration by guests straightforward
• With ClearPass, network access security policy can be defined centrally, then
implemented consistently across all wired and wireless network access points,
minimizing the risk of leaving a vulnerability that can be exploited
• User authentication, context and role-based profiling guard against unauthorized
users gaining access to sensitive areas of the network and data
How the business need is addressed
• Automated device configuration and provisioning reduce the cost of access security,
especially when introducing 802.1X into a wired network or moving to a new site
• A single ClearPass Policy Manager appliance can handle up to 25,000 unique
endpoints across multiple networks, so even with a redundant architecture the
amount of server hardware required is relatively small
• Optional advanced feature modules mean customers pay only for the functionality
they actually need
• ClearPass Exchange ensures functionality of other investments is exploited to
increase security, reduce support costs, and improve customer experience
• IT staff no longer need be involved in onboarding new devices, or registering and
assisting contractors and guests, significantly reducing ongoing administration costs
• Users can use their own devices, reducing the cost of provision and replacement
• ClearPass provides a single integrated system that can adapt as the organization
grows and changes; it can scale to very large deployments and provide centralized
control for new sites, without the need to rip and replace hardware or software
• A
 ruba operates a licence overrun scheme to lessen the cost impact when usage
grows, and to allow organizations to meet short-term higher demand for access
(e.g. during special events or unexpected peaks in user activity)
• Organizations have the option of a perpetual or subscription licensing format,
whichever better suits their business model
• Enterprise licences can be shared across the Guest, Onboard and OnGuard modules
 CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > THE SOLUTION

CSO: SECURITY NEEDS

Need How the business need is addressed

Secure network access • ClearPass provides granular access security management which enables
− user identification contextual access control to a location, device and user level
− role-based profiling • ClearPass Policy Manager (CPPM) supports advanced user and device
− certificate of authority authentication based on 802.1X, non-802.1X and web portal access methods
− accreditation • Guest access workflow can require confirmation by a trusted sponsor
• Embedded Certificate Authority (CA) support allows ClearPass to interwork with
existing Public Key Infrastructure (PKI) or act as its own CA
• CPPM is accredited as compliant to FIPS 140-2 for cryptographic modules

Protection against malware • ClearPass OnGuard performs advanced endpoint posture assessments before
− device health checks devices connect
− remediation • Automatic remediation workflows can be applied to non-compliant devices
− post-access removal • Certificates and profiles can be issued to devices to allow for easy removal from
the network if required (e.g. if devices are compromised, lost or stolen)

Compliance to regulations and relevant • ClearPass provides the ability to develop, automate and enforce an access
legislation security policy that meets the organization’s business requirements, then refine
− appropriate level of security that policy as new regulations come into force or business needs change
− reports and audit trails • Audit and reporting allow customers to check and demonstrate compliance

CMO: USER ENGAGEMENT NEEDS

Need How the business need is addressed

Improve the mobility experience of users
− attract and retain staff
− allow network access from and
manage mobile devices
− wide choice of devices
− simple registration
• ClearPass allows customers to modernize their infrastructure to cater for and
attract the #GenMobile employee
• ClearPass works with a wide range of mobile platforms, including iOS, Android,
Windows Mobile, Windows Phone 8, Mac and Symbian OS
• ClearPass Exchange makes it easy to integrate with third-party solutions such
as MDM, so organizations can manage mobile and other devices
• Self-registration speeds network access, while MAC caching makes sign-on
straightforward for returning users
• Single sign-on to the network and applications makes mobile working quicker
and easier

Enhance the experience of guest users • Portals can be customized with a wide range of options, including localized
− customized portals language support and location-specific information
− social login • If desired, guests can use social networking identities to gain access, and
− text messaging receive login instructions and other information via SMS
− relevant communication • Using the optional advertising module, context-based messages can be sent to
the user (e.g. special offers in stores)

IT/NETWORK DIRECTOR: INFRASTRUCTURE NEEDS

Need How the business need is addressed

Simple implementation
− minimal new hardware
− no change to existing infrastructure
− automated assistance to reduce IT
effort involved
• ClearPass requires fewer physical appliances than other solutions, and can be
run as a virtual machine on existing hardware
• There is no need to change out or upgrade existing network infrastructure
• Automatic device profiling and self-registration relieve the IT burden of
onboarding
• Detailed diagnostic information assists network administrators (e.g. in
troubleshooting failed 802.1X authentications)

System performance • ClearPass solutions have proven reliability in ‘live’ customer networks
− reliability • Solutions scale easily to manage up to a million endpoints from a single cluster,
− scalability and can handle a high density of authentication requests
− effect on the network • Unlike other offerings, CPPM does not operate ‘in line’, and so has minimal
effect on network performance and no consequent scaling issues

Confidential – Internal and partner use only 7

 CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > THE SOLUTION

THE COMPETITIVE LANDSCAPE

How does the competition rate and who are they?

Use this table to identify Aruba’s strengths and for guidance on how to beat the competition.

Scoring: 0 = No capability 1 = Very weak 5 = Exceptionally strong ? = No information

CLEARPASS COMPETITORS

Bradford Networks

Smaller niche Wi-Fi

Aerohive, Extreme)
players (e.g. Meru,
Aruba ClearPass

Juniper Networks
Cisco (ISE/ACS)

ForeScout

HP
Capabilities
Solution for multi-vendor networks 5 2 4 3 2 ? 2
Interoperability 4 3 3 ? 2 1 2-4
Vendor’s Wi-Fi knowledge 5 5 0 0 3 2 4
Proven, stable solution 4 4 3 2 3 1-2 1-2
Scalability 5 3 2 3 3 3 2-4
Completeness of solution 5 4 3 3 3-4 3 2
Ease of deployment 3 2 4 2 3 ? 2-4

Capabilities: refer to the next page for a detailed explanation.

OUR MAJOR STRENGTHS ARE ...

• Solution for multi-vendor networks
• Interoperability
• Proven, stable solution
• Scalability
• Completeness of solution

 … EMPHASIZE THESE POINTS!

HOW TO WIN
We win if … We lose if …
• We tie down the scope of the requirements early • The prospect has too few users/devices or has too
in the sales cycle simple a business model to benefit from access
• The customer has an Aruba WLAN, and is security policy management
implementing a refresh • We try to compete with smaller niche vendors by
• The network is wholly Aruba or multi-vendor offering only a subset of ClearPass

• The requirements are biased towards access for • There is a strong ‘Cisco only’ attitude, across both
contractors/guests wired and wireless

• The customer agrees to a demo

• When an evaluation is needed, we sign off
targeted success criteria in advance

8 Confidential – Internal and partner use only

 CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > THE SOLUTION
HOW TO BEAT THE COMPETITION
CAPABILITY CAPABILITY EXPLAINED
Solution for • Across multi-vendor
multi-vendor networks, ability to develop,
networks automate, enforce and
audit an access security
policy
• Applicable to wired and
wireless networks
Interoperability • Standards based
• Integration with enterprise
applications
• Connectivity to other
management systems (e.g.
MDM)
• Provision of APIs
• Flexibility of vendor
Vendor’s Wi-Fi • Experience in Wi-Fi
knowledge • Business focus
• Market leadership
• Technical competence
• Skilled staff
Proven, stable • References
solution • In service solutions
• Number of licences
• User community
• Partner community
Scalability • Ability to add new users
easily
• Policy enforcement across
multiple sites
• High density authentication
Completeness of • Policy management
solution • Policy enforcement
• Guest functionality
• Device profiling and
onboarding
• Automation
• Trouble-shooting tools etc
Ease of • Automated tasks
deployment • Policy simulation
• Test deployment
• Accredited engineers
• Partners that can deploy
Confidential – Internal and partner use only
SUPPORTING FACTS AND PROOF POINTS
• In many deployments ClearPass manages access to Cisco, Avaya and HP
networks
• We have customers with both wired and wireless deployments (e.g. SAP)
• Other vendors’ offerings don’t provide centralized visibility and control
from a single, integrated system across heterogeneous networks: for
example, Cisco ISE is difficult to administer in non-Cisco (e.g. WLAN)
environments
• ClearPass employs standards-based protocols and interfaces (e.g. using
standard web APIs to receive context data from new sources)
• The solution is integrated with hundreds of commonly used enterprise
tools (e.g. Palo Alto Networks firewalls, McAfee anti-malware)
• Aruba works with 5+ MDM partners (including AirWatch, MobileIron and
Citrix)
• We can deploy ClearPass into any vendor environment, and support
most smart mobile devices
• Aruba has been delivering Wi-Fi networks for 13 years
• We are a Gartner magic quadrant leader in Wired and Wireless LAN
Access Infrastructure
• We have many SEs trained in wireless technology, and run the Airheads
community of engineers professionally engaged with wireless LANs etc.
• ClearPass is in service globally across many verticals, whereas Cisco’s
references are nearly all for ACS (not its replacement, ISE)
• ForeScout is locally strong (e.g. in ME) for small to mid-size deployments,
but weak elsewhere
• Juniper’s deployment numbers have plummeted since 2012
• ClearPass successfully manages network access security in very large
scale deployments (e.g. SAP with 66,000 users worldwide, Barclays, Los
Angeles Schools)
• ClearPass customers can enforce policy across multiple sites from
a centralized location. ForeScout works ‘in line’ and requires many
appliances
• The World Trade Center Exhibition in Dubai 2013 is a prime example of
the capability of ClearPass to handle high density authentication requests
• ClearPass uniquely delivers a complete set of functionality for managing
network access security in a single, integrated system
• Optional modules include guest self-registration and advertising, device
onboarding, and device posture validation
• Workflow and ClearPass Exchange enable complete automation of
processes such as quarantining devices
• ClearPass comes complete with tools for investigating problems (e.g.
diagnostics for trouble-shooting failed authentications)
• ClearPass automated device profiling and onboarding simplify setting up
devices and implementing policy
• With ClearPass, customers can trial changes to policy offline and test
their effects, prior to rolling them out
• We have Professional Services Partners with the accredited skills to assist
customers with design and deployment
9
 CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > THE SOLUTION
SUCCESS STORIES
Enterprise: SAP selects ClearPass over ISE to
replace Cisco ACS
• Multi-national SAP installation
• ClearPass preferred to Cisco ISE
The challenge
Headquartered in Walldorf, Germany, SAP AG is a
global leader in enterprise software, with locations in
more than 130 countries. Having experienced stability
issues with ACS, the company investigated Cisco ISE,
but found that administration was complex, the GUI
was not intuitive, and there were maintenance and
upgrade issues.
The response
SAP is a long-term major customer for Aruba WLAN.
The account team has a close relationship with key
decision makers, meeting on a regular basis, and so
was able to pick up on SAP’s concerns about ISE and
propose ClearPass as an alternative. An evaluation was
rapidly arranged, demonstrating to SAP that ClearPass
access management solution could address the issues
it was experiencing with Cisco. SAP’s infrastructure and
service teams were particularly impressed with the
solution’s ease of use and deployment, which had been
missing from Cisco ACS and ISE.
The result
ClearPass is now servicing SAP’s 66,000 employees
worldwide, with 8 ClearPass appliances in Germany,
4 in Singapore and 4 in Philadelphia in the US, all
managed from SAP HQ. The ClearPass Guest module,
which replaced an internally developed system, is also
regularly providing secure SAP-branded access to
15,000 visitors and consultants.
10
Healthcare: A hospital moves to a new site
and implements LAN security
• Hospital securing LAN and mobile devices
• ClearPass preferred for single platform and
interoperability
The challenge
Our WLAN customer, the University Hospital of
Toulouse in France, had plans to consolidate from
multiple sites to a new building of 600 beds. At the
same time, it wished to add 802.1X to its unsecured
Cisco LAN. With only three people in its network team,
the new wired network would have to automate the
configuration of the 18,000 ports.
The response
When the hospital approached Cisco, it discovered
that Cisco’s ISE proposition would make the network
complicated, with working across both fixed and
wireless being particularly difficult. Further, as well
as the high number of appliances required, Cisco did
not offer perpetual licences, which would make the
ISE solution costly. Our network integration partner,
Orange, proposed a dual lab trial, to compare ISE to
ClearPass.
The result
CHU Toulouse realized that the profiling available with
ClearPass would enable it to onboard all peripherals
on time. These included those within the control of
the Building Management System, and not well known
by the network team, such as IP cameras, alarms,
door-locking mechanisms etc. Two ClearPass 25,000
user appliances (one for redundancy), together with
300 licences each for Onboard and OnGuard, were
sufficient to ensure that the hospital could improve
network security, as well as move to its new site
promptly and cost-effectively.
Confidential – Internal and partner use only
 CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > THE SOLUTION
Finance: Upselling ClearPass capability to a
major bank
• Large bank needing flexibility
• ClearPass provided better guest/device functionality
and user experience
The challenge
Emirates NBD (ENBD) is one of the leading banks in the
United Arab Emirates (UAE). A Cisco-supplied NAC, first
deployed in 2007, was too rigid for the bank’s needs.
ENBD wanted more flexibility in the way it handled
network access requests. It also wanted users to be
able to work with their own devices, and to allow guest
access. Further, the bank had recently acquired some
Avaya equipment, so needed a solution that would
work across a multi-vendor network.
The response
After investigating Cisco ISE and finding it unable to
meet requirements, ENBD considered ForeScout and
Aruba ClearPass. ForeScout had a better cross-vendor
offering than Cisco, but required an appliance at every
node. There were also limitations in ForeScout’s ‘own
device/guest’ functionality. Hence the bank selected
ClearPass to replace the ailing Cisco NAC function.
The result
The Aruba account team took the opportunity to
explain the wider capability of ClearPass and secured
a meeting with the CMO and other key influencers.
ENBD’s marketing people recognized the potential of
the solution to help them engage more meaningfully
with customers and visitors. Additionally, after the NAC
project is completed, ENBD will migrate from Cisco ACS
to ClearPass, primarily to save costs. As a result of the
account team selling ‘high and wide’, what was originally
a NAC-replacement deal grew into a sale of CPPM
appliances and Guest and Onboard licences worth
$500k, to be rolled out over two years across the entire
ENBD network, with appliances to be based in UAE,
Saudi Arabia, Singapore, London and Egypt.
Confidential – Internal and partner use only
Retail: Sainsbury’s values the completeness
of the ClearPass solution
• Large retailer with 1000+ stores
• ClearPass’ single platform, superior features and
improved end customer experience won the deal
The challenge
Sainsbury’s is the UK’s third-largest supermarket chain.
The retailer has been an Aruba customer for over three
years and is currently rolling out Wi-Fi to all its 1,000+
stores and warehouses. Sainsbury’s decided to add
value to its wireless network by offering guest access
in stores. In addition, it wished to be able to onboard
and provide NAC capabilities to a number of corporate-
owned devices. A further business driver the company
is exploring is the possibility of offering location-based
services to shoppers in-store.
The response
Sainsbury’s considered NAC vendor NetScout, but
our main competitor was Cisco, supplier of the
Sainsbury’s wired infrastructure. We ran an evaluation
offline to demonstrate the full ClearPass capability.
The Sainsbury’s people were impressed by the way
ClearPass combined different areas of functionality
within one integrated platform, compared to Cisco ISE,
which required different units and systems. They also
preferred the richer feature set offered by ClearPass.
The result
ClearPass is now being deployed across the whole
of the Sainsbury’s estate, to occupy the same
footprint as the WLAN. The ClearPass sale gave us the
opportunity to talk to the Director of Digital Marketing
at Sainsbury’s, to explain how the functionality of
ClearPass and the data collected by the system could
be used to improve customer experience in stores.
It has positioned Aruba as a more strategic vendor
to Sainsbury’s, opening up new opportunities for us,
including a possible future sale of Meridian, Aruba’s
location-aware content management solution, for in-
store device location.
11
 CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > THE SOLUTION

THE FINANCIAL BUSINESS CASE

ClearPass IT off-load vs. Increase staff resources

Supporting network access from employees, contractors and guests can use up significant IT and administration
resources. This business case shows how labour costs can be saved through adopting ClearPass.

For this example business case we have used the scenario of an organization with a limited number of contractors
and a growing number of guests, and whose employees are to be enabled to use their own devices. Also, there are
wired ports that need to be secured and managed (for moves and changes). The areas of cost savings shown here
are applicable to many types of organization.

Main assumptions
Year1 Year 2 Year 3
Wired ports: 6 changes per year to 20% of the ports Wired ports 1,500 1,500 1,500
Employees: average of 2 devices each, replacing 1 every year Employees* 3,000 3,500 4,000
Contractors: connect 1 device for an average 2 months contract Contractors* 200 200 200
Guests: connect 1 device every visit for an average of 7 days Guests* 250 500 750
Staff costs assume typical Western Europe working conditions and salaries for IT and administration staff.
* - Maximum number of users of mobile devices in any 24 hour period

Year 1 Year 2 Year 3

Forecast costs without ClearPass $k $k $k
IT staff time
Wired ports (securing, adds, moves) 59.8 59.8 59.8
Employee devices (onboarding, audit, help etc.) 59.8 69.8 79.8
Contractors (onboarding, audit, help etc.), plus waiting time 24.9 24.9 24.9
Guests (resolving issues etc.) 4.3 8.6 13.0
Administration staff time
Contractors and guests (registration, issuing login details etc.) 10.4 20.7 31.1
Total costs 159.2 183.8 208.6
Forecast costs with ClearPass
Purchase, deployment and maintenance
ClearPass system, including redundancy and optional modules 140.8 71.3 9.2
Professional services cost (delivered by partner) 10.0 5.0 5.0
System maintenance 19.3 29.0 29.9
Internal IT deployment, training and management costs 25.0 25.0 25.0
IT staff time
Wired ports (securing, adds, moves) 10.0 10.0 10.0
Employee devices (onboarding, audit, help etc.) 8.1 9.5 10.9
Contractors (onboarding, audit, help etc.), plus waiting time 2.1 2.1 2.1
Guests (resolving issues etc.) 1.4 2.9 4.3
Administration staff time
Contractors and guests (registration, issuing login details etc.) 0.0 0.0 0.0
Total costs 216.7 154.8 96.4

THE
BOTTOM LINE Cost saving –57.5 29.0 112.2

• Total savings over three years $83.7k

• Net Present Value (NPV) at 10% $56.0k Over 3 years, ClearPass reduces IT
• Internal Rate of Return (IRR) 67% resource requirement by 2.7 man years.

ADDITIONAL CLEARPASS SOLUTION BENEFITS

• ClearPass server with RADIUS/TACACS+ and advanced policy control saves the cost of replacing or
upgrading existing appliances such as NAC
• Improved guest experience – generating repeat business and enhanced brand value
• Better guest management and employee/contractor removal reduces/eliminates unauthorized Wi-Fi use
• No need for multiple Wi-Fi networks (e.g. separate networks for employees and guests)
• Wired ports can be protected and an audit trail produced, reducing the risk of a security breach
• Future proof – growth in mobility and collaboration will not increase IT staff overhead

12 Confidential – Internal and partner use only

THE SALES PROCESS

QUALIFICATION
Use the questions on this page to help you capture information about the prospect and qualify the sale, before
committing more resources.

What business problem is the prospect trying to solve? [Tick all those that apply]

Gain visibility of how the network is being accessed . . . . Enhance user engagement . . . . . . . . . . . . . . . . . . .

Comply with mandatory security requirements . . . . . . . . . Contain the costs of access security . . . . . . . . . . .

Implement a BYOD policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Improve the mobility experience of users . . . .

Key qualification factors

The more questions you can answer ‘YES’ to, the better.

YES NO
1 Will the prospect be looking to control network access for more than 500 devices?

2 Do they want to open up their network to new types of devices, or have a need to improve security as a
result of a growing number of mobile devices?
3 Have they recently made a large investment in mobile devices (e.g. smartphones, tablets)?

4 Are they insourcing either IT or their network?

5 Are they looking to replace Cisco ACS?

6 Do they have a problem with limited IT support, in terms of number of people, locally at remote sites, or
skills (especially with regard to handling requests from devices connecting to the network)?

Deal discovery guidance

A prospect meeting should identify the following:

1 The number of devices currently connected to the network

2 The maximum number of guests per day
3 The number of devices requiring health checks (OnGuard)
4 The type of devices allowed onto the network
5 Total number of devices/endpoints to be authenticated
6 The identity stores that are employed for user and device authentication
7 Existing policies for guest access, remote access, certificates etc.
8 Alternative solutions that the prospect is considering

Confidential – Internal and partner use only 13

 CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > THE SALES PROCESS

DEALING WITH OBJECTIONS

OBJECTION We’re a Cisco house.

REAL CONCERN Your system might not be compatible. Why should I risk my reputation buying non-Cisco?

ANSWER The fact that you have heavily invested in Cisco is not a problem. Aruba has successfully
deployed ClearPass into many Cisco environments, including SAP worldwide, major bank
Emirates NBD in the Middle East, and Sainsbury’s retail in the UK. Our customers tell us that
ClearPass is much easier to deploy and manage than the equivalent Cisco offering, and it
also costs a lot less. May I organize a demo for you, so that you can see why others have
chosen ClearPass over Cisco?

OBJECTION You’re a Wi-Fi only company.

REAL CONCERN I don’t want to risk putting this into my wired network.

ANSWER It’s true that Aruba has built its reputation on providing enterprise-class Wi-Fi networks.
However, ClearPass was designed from the outset to work across both wired and wireless
multi-vendor networks. We have successfully deployed ClearPass into many wired
environments, including enterprises, hospitals, retail outlets and schools, and have been
recognized by Gartner as a magic quadrant leader in the provision of Network Access
Control, as well as for Wired and Wireless LAN Access Infrastructure.

OBJECTION We don’t need a complete solution.

REAL CONCERN I don’t want to spend money on functionality I don’t need.

ANSWER The great thing about ClearPass is that it is a modular solution, so you only have to buy
what you actually need. Built-in is all the functionality you require to be able to deploy a
consistent access security policy across both wired and wireless networks, extended to
mobile devices. If you decide later that you want additional functionality, such as guest
access, or more capacity, then this is easily added. Let me organize a demo for you, so that
you can decide which modules you would require to support your business.

OBJECTION We’re happy with what we’ve got.

REAL CONCERN I don’t want to buy extra security I don’t need.

ANSWER The primary reason that organizations like yours are investing in improving their network
access control is to allow secure access from mobile devices. Many customers tell us that
their employees, contractors, partners and guests all now expect to be able to use mobile
devices for work, and for interacting with the organization. ClearPass offers you a way to
meet this demand from a single integrated platform, while delivering many other benefits,
such as providing visibility, enabling compliance, improving employee productivity and
containing costs. Can I run through an example business case with you, to show you how
ClearPass could actually save you money?

14 Confidential – Internal and partner use only

 CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > THE SALES PROCESS

TYPICAL DEALS

Examples of customer pricing and product mix for deals of different size and complexity.
The table below shows figures for the first year. Upselling will generate revenues in the second year that can be
50-100% of first year revenues.

SOLUTION SIZING SMALL MEDIUM LARGE VERY LARGE

Endpoints 100-500 500-2,000 5,000+ 25,000
Guest licences 100 500 2,000+ 5,000+
Onboard or OnGuard licences 100 2,000 5,000+ 25,000+
SALES REVENUE $k $k $k $k
Hardware/VM appliances 8.0 25.0 50.0 75.0
Software licences 5.0 20.0 45.0 100.0
Integration and customization 5.5 9.5 17.5 27.5
Other services 1.0 2.0 6.0 12.0
Maintenance and support 2.5 10.0 19.0 35.0
First Year Gross Sales Value 22.0 66.5 137.5 249.5

SALES TACTICS
Use these tactics to start a conversation, differentiating ClearPass from the competition.
If you already have a lead, or a customer has come to you with a specific problem, use these tactics to upsell the
complete ClearPass solution. If your prospect’s primary concern is not in the table, use the information in this Sales
Guide to create your own questions and ideal outcome.

IF THE PROSPECT IS THEN ASK YOUR HELP THEM TO… EMPHASIZE…

CONCERNED ABOUT…
NAC or AAA/RADIUS
upgrades
CONTACTS ABOUT…
• Any issues or limitations?
• Future upgrades
• How users authenticate
• The number of devices connecting
Understand the Scalability and workflows
importance of linking
policy management to
security solutions

Securing employees and
guests connecting to the
network with their own
devices
• Critical areas of network security
• Any recent breaches or attacks?
• Types of devices connecting
• Number and type of guests per day
Describe the ideal access
management solution,
providing robust security
across all devices and
users
Completeness of security
solution covering all
scenarios

How to manage guests
and onboard employee
devices with limited IT
resources
• Number and type of guests
• The registration process
• How devices are onboarded
• The time IT spends today
See how onboarding and Employees are not
policy management can guests, and have different
be automated with self- needs
service and visibility

How to implement a
single Mobile Device/
Application Management
framework
• Which departments want this?
• Who has concerns?
• Is there demand from users?
• Has MDM been deployed?
• Any privacy or compliance issues?
Appreciate how they can MDM needs network
manage a mix of devices security
without compromising
security, privacy or
compliance

Confidential – Internal and partner use only 15

 CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > THE SALES PROCESS

A TYPICAL SALES CYCLE

The diagram below shows the steps and key sales activities for identifying an opportunity and taking it through to a
won deal.

PROSPECTING (2-8 WEEKS)

Lead
Generation

RFP
Lead
Generation Sales Presentation
Business level
How Aruba addresses the pain
Qualification Discovery User experience
Sector • Size • Need Assessment survey Deployment strategy
Security policy Professional Services

SOLUTION DEVELOPMENT (6-16 WEEKS)

Demonstration Proposal
Sales demo Reference Call Design • Sizing • Licences
Technical demo Redundancy

Evaluation or Proof Of Concept*

Success criteria

CLOSE (2-6 WEEKS)

Implementation Upsell
Guest
Sale UI Customization
Professional Services Onboard
Terms
Aruba advice OnGuard

Case Study
Win Flash Report

*By exception. Only offer a POC after approval from Aruba

Partner Partner with Aruba support Aruba Aruba with Partner support

KEY FACTORS FOR A SUCCESSFUL SALES CYCLE

• Evaluation (or exceptionally, POC) must be preceded by signed success criteria
• All sales cycles must involve a ClearPass Professional Services Partner
• All sales cycles must include a Professional Services offer for design and deployment

16 Confidential – Internal and partner use only

 CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > THE SALES PROCESS

CONTACTS AND RESOURCES

Key Aruba contacts

RESPONSIBILITY NAME EMAIL TELEPHONE

EMEA Sales and Marketing
Vice President EMEA Wolfram Fischer wfischer@arubanetworks.com +49 151 40712477
Director EMEA Channel Frederic Saint-Joigny fsaint-joigny@arubanetworks.com +33 64 275 8621
Senior Director EMEA Marketing Chris Kozup ckozup@arubanetworks.com +44 750 005 8848
Channel Marketing EMEA Bart Hulst bhulst@arubanetworks.com +31 6 13589223
Regional Channel Sales – Channel Account Managers (CAMs)
Benelux Thierry van Haverbeke thaverbeke@arubanetworks.com +32 479817282
Eastern Europe, Russia Zbigniew Skurczynski zskurczynski@arubanetworks.com +49 176 31499711
France, Northern Africa Mathieu Richard mrichard@arubanetworks.com +33 635 128 291
Germany, Switzerland, Austria Peter Buhmann pbuhmann@arubanetworks.com +49 174 346916
Italy Marco Olivieri molivieri@arubanetworks.com +39 3474675956
Middle East Osama AlHaj-Issa osama@arubanetworks.com +966 55 449 9516
Middle East – UAE Ahmed Elsayed aelsayed@arubanetworks.com +971 563702027
Nordics Neil Bronsdon nbronsdon@arubanetworks.com +46 70 936 74 25
South Africa, Sub Sahara Africa Mark Esslemont messlemont@arubanetworks.com +27 83452 4873
Spain, Portugal Pablo Collantes Palomino ppalomino@arubanetworks.com +34 661 848 756
Turkey Bora Yuksel byuksel@arubanetworks.com +90 5309773806
UK, Ireland Andrew Clark aclark@arubanetworks.com +44 7767205548

Demos and evaluations

To arrange a demo or evaluation for your customer, contact your CAM (see list above), who will organize SE support.
In very exceptional cases a Proof Of Concept may be authorized. Again, contact your CAM in the first instance to
request further information.

Partners with ClearPass Certification can obtain a free NFR licence of ClearPass from Channel Marketing EMEA at
channelmktg-emea@arubanetworks.com.

Other enquiries
Send an email with your detailed question(s) to channelmktg-emea@arubanetworks.com.

Online resources
Aruba Networks PartnerEdge http://www.arubanetworks.com/assets/channel/Aruba_PartnerEdge_EMEA_Brochure.pdf
Program
How to Become an Aruba http://partners.arubanetworks.com
Networks Channel Partner in
EMEA
ClearPass Certification and https://aruba.app.box.com/files/0/f/2438649095/ClearPass_Sales_Assets
Specialization (Login required)
ClearPass Access Management http://www.arubanetworks.com/solutions/adaptive-trust-security/
Solution Overview
System Engineering Enablement https://afp.arubanetworks.com/afp/index.php/SEEL_Live_Demo_Program
Lab (SEEL)

Partner training
Training in ClearPass is available for partners, including free-of-charge online sales training.

Confidential. All rights reserved. Document structure © Expertek Consultants Ltd, 2014.
The information contained herein is confidential and the property of Aruba Networks, Inc.
No liability is accepted for errors or omissions. www.expertek.co.uk. EMEA version: V1.1

Confidential – Internal and partner use only 17

 www.arubanetworks.com
Aruba Networks International Limited, Building 1000, City Gate, Mahon, Cork, Ireland

©2014 Aruba Networks, Inc. Aruba Networks®, Aruba The Mobile Edge Company® (stylized), Aruba Mobility Management System®, People Move.
Networks Must Follow.®, Mobile Edge Architecture®, RFProtect®, Green Island®, ETIPS®, ClientMatch®, Bluescanner™ and The All Wireless Workspace
Is Open For Business™ are all marks of Aruba Networks, Inc. in the United States and certain other countries. The preceding list may not necessarily
be complete and the absence of any mark from this list does not mean that it is not an Aruba Networks, Inc. mark. All rights reserved. Aruba
Networks, Inc. reserves the right to change, modify, transfer, or otherwise revise this publication and the product specifications without notice. While
Aruba Networks, Inc. uses commercially reasonable efforts to ensure the accuracy of the specifications contained in this document, Aruba Networks,
Inc. will assume no responsibility for any errors or omissions. No material may be reproduced for any purpose, private or commercial, without prior
permission from Aruba Networks.