Super Contributor I
Posts: 294
Registered: ‎02-07-2013

Access Tracker search for EAP-TLS traffic

OK. Having just got eap-tls and eap-peap authenticating from 1 service, I've rolled out the config to our eduroam service on our production box and again I've got peap and tls working together from one service.

However, we've got about 15K peap users on this ssid and currently 1 tls user. Under Live Monitoring/Access Tracker, how can I search for TLS auth types? I would have thought the filter attribute Auth-type would have done it, but when I select it, there's nothing in the field (cppm 6.5.2).

On my dev server there's nothing but dev traffic so the logs don't get swamped.

A

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Access Tracker search for EAP-TLS traffic

[ Edited ]

Unfortunately you can't filter access tracker by EAP method.

You could however try to use a data filter, but you'd have to flip back and forth.

EDIT: That data filter won't work


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor I
Posts: 294
Registered: ‎02-07-2013

Re: Access Tracker search for EAP-TLS traffic

So I guess the options are to search for mac address of device or have an eap-tls only service and look at that ..... which I was trying to do before :-)))

A

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Access Tracker search for EAP-TLS traffic

If you need this functionality long-term, you could do a role map and use the TIPS role as a search filter.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor I
Posts: 294
Registered: ‎02-07-2013

Re: Access Tracker search for EAP-TLS traffic

Good idea, already generate a batch of roles based upon user/machine OS, service used for our eap and macauth services, just haven't done it yet for TLS.

I suspect that TLS is going to be one of those things that sneaks up on us and ends up being important. We've got Apple TVs, wireless VOIP phones, (possible) Android-based information systems and airwatch managed mobile devices that need network connectivity with multi-user support.

Given that ClearPass lets you generate your own CA and also provides you with an OCSP service, saves doing things from the CLI with a standalone OCSP server and openssl so it's going to be easier to meet TLS requirements than it was before.

A
