05-16-2014 04:07 AM
We currently authenticate Windows laptops against an NPS server using PEAP, with an internal Windows CA.
We have purchased ClearPass and I wish to migrate RADIUS authentication from NPS to CPPM. I would like to carry on using PEAP for our Windows laptops and continue to use our internal root CA. We are also going to be using OnBoard, and we'd like to use ClearPass as the CA for OnBoard devices (iOS/Android).
Is it possible to use the existing internal CA for PEAP for the Windows laptops and the ClearPass CA for OnBoard?
05-16-2014 05:35 AM - edited 05-16-2014 05:37 AM
You can absolutely use both EAP methods on the same ClearPass server and even the same SSID.
What you'd want to do is create a service just for EAP-PEAP to handle the username/password authentication. This will require uploading a new (or, if you have the private key, the old one from NPS) RADIUS server certificate to ClearPass. This will serve as the server's identity in the PEAP process.
In your PEAP service, you can check for Machine Authentication, FQDN, etc. and then let everything else fall through to OnBoard registration.
Here's an example of the service rules to separate the two methods:
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
06-29-2014 02:20 PM
You can configure separate RADIUS and web certs, which should also make things easier for your use case.