10-26-2016 06:51 AM
I have an environment with Windows 7, 10, Vista and XP.
My service has EAP TLS as the authentication mode, but my XP systems are not connecting to that service.
I would like to know if I can insert MS-CHAP V2 in the service as an authentication mode and force the XP systems to use this method in roles?
10-26-2016 06:52 AM
Question: Is the Windows XP client configured for EAP-TLS?
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
10-26-2016 08:20 AM
- Edit your service and go to the Authentication tab.
- Under the "Authentication Methods" section click the "-- Select to Add--" dropdown box
- Add whatever other methods you need.
10-26-2016 08:38 AM
Hi my friend,
I don't want to use TLS for XP devices. I want to configure for MSCHAP-V2, but if I put EAP-MSCHAP-V2 in the authentication methods, other devices will be able to connect too.
I need a way so that only XP can connect by EAP-MSCHAP-V2.
10-26-2016 08:53 AM - edited 10-26-2016 08:55 AM
Not necessarily, it depends on how you configure your clients and how you configure your service.
If you configure your other devices to use EAP-TLS, then they will only use EAP-TLS and not EAP-MSCHAPv2.
If you want to be really strict though, you could figure out a way of identifying what OS the device is using (probably through the Endpoints database) and then use a role mapping and enforcement to block the device if it is not using the EAP method you want.
So for instance, if you have a Windows 10 device and it tries connecting using EAP-MSCHAPv2, then it will be denied. You would then need to identify why the device is using EAP-MSCHAPv2 vs EAP-TLS.
On a side note, the authentication methods defined in the service do not dictate what method your client uses; they only indicate what authentication methods the service will process or handle.