Occasional Contributor I
Posts: 8
Registered: ‎07-01-2016

ClearPass Configuration for 802.1x Uplink AP Authentication

Hello, 

I'm beginning an 8.0.1 deployment and want to have our access points use 802.1x on their uplinks. I have a working 802.1x configuration for our access switches, but I'm having trouble finding guidance on configuring a ClearPass authentication service to do this. 

Thanks in advance for your useful advice!

Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: ClearPass Configuration for 802.1x Uplink AP Authentication

Are you already doing 802.1X on your wired network?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 8
Registered: ‎07-01-2016

Re: ClearPass Configuration for 802.1x Uplink AP Authentication

Hi Tim. Yes, we are doing dot1x for some wired ports, but the authentication is pointed at stand-alone RADIUS systems. We will eventually point these ports at ClearPass, but that is out of scope for now. At some point I was told that the APs should use a different service than any other dot1x auth because of the certs involved. Was I given correct information?

Thanks,

Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: ClearPass Configuration for 802.1x Uplink AP Authentication

You can take different enforcement action on them, but it would be part of your existing wired 1X service. The only way I can think of that you can isolate the requests is to use a predictable username pattern and then key off that.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 32
Registered: ‎10-11-2012

Re: ClearPass Configuration for 802.1x Uplink AP Authentication

I don't think you can use the AP cert for 802.1X, as I asked my instructor on recent SWDI training at ATM17 and he said no, it's not possible. I guess it's because we cannot access or extract the root CA used by the controller to generate the cert for the AP and import it into ClearPass. (I might be wrong here and missing some info about the process.)

The only possible way I think is using PEAP. You can set up a username/password (could be a local account in ClearPass) and have the local database in your service. When you provision your AP there is an option for 802.1X using PEAP. (I never tried it, but I would be interested to try it once my home lab is set up.) You will probably need a fallback VLAN with MAC auth or something like that for new APs that are not provisioned yet or that need to be reprovisioned with PEAP, where you can fingerprint that the device is an Aruba AP.
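The two approaches in this thread (keep the AP uplinks inside the existing wired 802.1X service and select the enforcement by a predictable PEAP username pattern, plus a MAC-auth fallback VLAN for APs that are not yet provisioned) can be modelled as a small policy evaluator. The script below is an added example written for this page; it is not ClearPass code and does not configure ClearPass, which does this through its service, role-mapping and enforcement policy pages. The username convention `ap-<site>-<n>`, the role and VLAN names, the request dictionary layout and the OUI prefix used to recognise an AP are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed naming convention for the AP PEAP accounts (not from the thread): ap-<site>-<n>.
AP_USERNAME_RE = re.compile(r"^ap-[a-z0-9]+-\d+$")

# Placeholder OUI prefixes treated as "Aruba AP" for the MAC-auth fallback.
# Constructed for this example; replace with the OUIs your fingerprint data actually lists.
AP_OUI_PREFIXES = ("00:0b:86",)


@dataclass(frozen=True)
class Decision:
    service: str      # which ClearPass service handled the request
    role: str         # role assigned by role mapping
    enforcement: str  # enforcement profile / VLAN returned to the switch


def normalize_mac(mac: str) -> str:
    """Accept 00-0B-86-12-34-56 / 000b86123456 / 00:0b:86:12:34:56 and return the colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def looks_like_ap(mac: str) -> bool:
    """OUI-only fingerprint: good enough to pick a staging VLAN, not to grant trust."""
    return normalize_mac(mac).startswith(AP_OUI_PREFIXES)


def evaluate(request: dict) -> Decision:
    """Decide role and enforcement for one RADIUS request (attribute names are assumed)."""
    auth = request.get("auth_method")           # "PEAP-MSCHAPv2", "EAP-TLS" or "MAC"
    succeeded = request.get("auth_result") == "success"
    user = request.get("User-Name", "")
    mac = request.get("Calling-Station-Id", "")

    if auth == "MAC":
        # Fallback for APs that are not provisioned with PEAP yet: the switch falls back to
        # MAC auth, and an Aruba-looking OUI only earns a staging VLAN that reaches the
        # controller for provisioning, nothing more. Anything else is rejected.
        if looks_like_ap(mac):
            return Decision("Wired-MAC-Auth", "AP-Provisioning", "VLAN-AP-Staging")
        return Decision("Wired-MAC-Auth", "Unknown-Device", "Deny")

    # Everything else is the one existing wired 802.1X service; APs are not a separate service.
    if not succeeded:
        return Decision("Wired-1X", "Reject", "Deny")

    # The username pattern is only consulted after the PEAP credential has been validated,
    # so the naming convention selects enforcement but never substitutes for authentication.
    if auth == "PEAP-MSCHAPv2" and AP_USERNAME_RE.match(user):
        return Decision("Wired-1X", "AP-Uplink", "VLAN-AP-Infrastructure")
    return Decision("Wired-1X", "Wired-User", "VLAN-Corp")


# Constructed sample requests covering the cases discussed in the thread.
SAMPLE_REQUESTS = [
    {"auth_method": "PEAP-MSCHAPv2", "auth_result": "success",
     "User-Name": "ap-hq-01", "Calling-Station-Id": "00-0B-86-12-34-56"},
    {"auth_method": "PEAP-MSCHAPv2", "auth_result": "success",
     "User-Name": "jdoe", "Calling-Station-Id": "3c-52-82-aa-bb-cc"},
    {"auth_method": "PEAP-MSCHAPv2", "auth_result": "failure",
     "User-Name": "ap-hq-02", "Calling-Station-Id": "00-0B-86-12-34-57"},
    {"auth_method": "MAC", "Calling-Station-Id": "00:0b:86:aa:bb:cc"},
    {"auth_method": "MAC", "Calling-Station-Id": "aa:bb:cc:dd:ee:ff"},
]


def run_samples() -> list:
    return [evaluate(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, run_samples()):
        print(req.get("User-Name") or req["Calling-Station-Id"], "->", decision)
```

The point the evaluator makes is the one Tim makes above: the AP uplinks share the wired 802.1X service, and only the role mapping differs. The OUI check is deliberately limited to a staging VLAN, because a MAC prefix is trivially copied and proves nothing about the device; the infrastructure VLAN is reachable only once the PEAP password has been checked.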

Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: ClearPass Configuration for 802.1x Uplink AP Authentication

Yes, you're correct. Sorry, read the original post too fast. The only option available today is to use PEAPv0/EAP-MSCHAPv2 with controller-based APs.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 8
Registered: ‎07-01-2016

Re: ClearPass Configuration for 802.1x Uplink AP Authentication

If that's what we have to do, we will, but it would be ideal to have a cert in the AP that we could use for this purpose.

Thank you for all of your responses!

Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: ClearPass Configuration for 802.1x Uplink AP Authentication

Aruba controller-based APs (CAPs) do not currently support EAP-TLS for uplink authentication to the upstream network.

You can use PEAPv0/EAP-MSCHAPv2. Not a huge difference for this use case.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480