03-22-2017 01:30 PM
I'm beginning an 8.0.1 deployment and want to have our access points use 802.1x on their uplinks. I have a working 802.1x configuration for our access switches, but I'm having trouble finding guidance on configuring a ClearPass authentication service to do this.
Thanks in advance for your useful advice!
03-22-2017 02:53 PM
Hi Tim, Yes, we are doing dot1x for some wired ports, but the authentication is pointed at stand-alone RADIUS systems. We will eventually point these ports at ClearPass, but that is out-of-scope for now. At some point I was told that the APs should use a different service than any other dot1x auth because of the certs involved. Was I given correct information?
03-22-2017 02:57 PM
03-22-2017 03:31 PM
I don't think you can use the AP cert for 802.1X, as I asked my instructor on recent SWDI training at ATM17 and he said no, it's not possible. I guess it's because we cannot have access to or extract the root CA used by the controller to generate the cert for the AP and import it to ClearPass. (I might be wrong here and missing some info about the process).
The only possible way I think is using PEAP. You can set up a username/password (could be a local account in ClearPass) and have the local database in your service. When you provision your AP there is an option for 802.1X using PEAP. (I never tried it, but I would be interested to try it once my home lab is set up). You will probably need a fallback VLAN with MAC auth or something like that for new APs that are not provisioned yet or that need to be reprovisioned with PEAP, where you can fingerprint that the device is an Aruba AP.
03-22-2017 03:34 PM
03-23-2017 09:59 AM - edited 03-23-2017 10:04 AM
If that's what we have to do, we will, but it would be ideal to have a cert in the AP that we could use for this purpose.
Thank you for all of your responses!
03-23-2017 10:33 AM