Security

Occasional Contributor II

EAP-TLS Service Rule

I'm trying to create two service rules for the same SSID: one for EAP-TLS and one for EAP-PEAP (or anything other than EAP-TLS). I have for the service rule for the EAP-TLS service:

Type: Authentication
Name: OuterMethod
Operator: EQUALS
Value: EAP-TLS

I cannot get clients to hit this service with this rule. Trying to find out if the type should be different or if I'm messing something up in my logic. I have the same service rule for EAP-PEAP, but with a "NOTEQUALS" for the operator. 

 

Any ideas?

Guru Elite

Re: EAP-TLS Service Rule

EAP method is negotiated after service categorization and thus cannot be used to categorize a service.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: EAP-TLS Service Rule

Ah man! That stinks....but good to know. I guess I have to come up with better logic to get EAP-TLS and EAP-PEAP on one SSID. 


Thanks Tim! That helps me save time trying to figure this out.

Guru Elite

Re: EAP-TLS Service Rule

You can use OuterMethod in your enforcement policy. This is a pretty standard practice.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: EAP-TLS Service Rule

Thanks Tim,

 

To make sure I understand, instead of splitting the Services up, keep one service but split the roles based on the enforcement policy?

Occasional Contributor II

Re: EAP-TLS Service Rule

Think I got this down...thanks to you Tim.


* Created one service
* Used all types of authentications I will use on this SSID
* Split the different roles/traffic via the enforcement policies, which are based on the OuterMethod

 

You rock man! Thanks again!
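The evaluation order Tim describes (service categorization first, EAP negotiation second, enforcement last) is what makes the OuterMethod service rule fail and the enforcement rule work. The following is an added illustration in Python, not ClearPass code or anything from this thread; the attribute name `Authentication:OuterMethod` and the rule layout come from the posts above, while `Connection:SSID`, the SSID name, service names and role names are constructed placeholders for the model.

```python
# Added model of ClearPass request flow as described in the thread (not ClearPass code).
# Service rules see only attributes present before authentication; the outer EAP method
# is negotiated afterwards, so a service rule on Authentication:OuterMethod never matches.

def match(attrs, rule):
    """Evaluate one (attribute, operator, value) rule against a request's attributes."""
    key, op, value = rule
    actual = attrs.get(key)
    if op == "EQUALS":
        return actual == value
    if op == "NOTEQUALS":
        # Modelling assumption: an absent attribute matches nothing, so NOTEQUALS on
        # OuterMethod at categorization time fails just like EQUALS does.
        return actual is not None and actual != value
    raise ValueError(f"unsupported operator {op}")

def categorize_service(request, services):
    """Return the first service whose rules all match the pre-auth attributes, else None."""
    for name, rules in services:
        if all(match(request, r) for r in rules):
            return name
    return None

def negotiate_eap(request, client_method):
    """The EAP exchange fixes the outer method; only now does the attribute exist."""
    return {**request, "Authentication:OuterMethod": client_method}

def enforce(attrs, policy, default_profile):
    """Enforcement policy runs after authentication and can branch on OuterMethod."""
    for rule, profile in policy:
        if match(attrs, rule):
            return profile
    return default_profile

# Constructed sample configuration (placeholder names, not a real deployment).
SERVICES_BROKEN = [("EAP-TLS Service", [("Authentication:OuterMethod", "EQUALS", "EAP-TLS")])]
SERVICES_FIXED = [("Corp Wireless", [("Connection:SSID", "EQUALS", "Corp-WiFi")])]
ENFORCEMENT = [
    (("Authentication:OuterMethod", "EQUALS", "EAP-TLS"), "Cert-Device-Role"),
    (("Authentication:OuterMethod", "EQUALS", "EAP-PEAP"), "Credential-User-Role"),
]

def process(request, services, client_method):
    """Run the three phases; returns (service, enforcement profile) or (None, None)."""
    service = categorize_service(request, services)
    if service is None:
        return None, None  # no service matched, request is rejected before any EAP
    authenticated = negotiate_eap(request, client_method)
    return service, enforce(authenticated, ENFORCEMENT, "Deny-Access")
```

Running `process` with the broken service list yields no service at all, while the single SSID-keyed service hands EAP-TLS and EAP-PEAP clients different roles from the same enforcement policy.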

Guru Elite

Re: EAP-TLS Service Rule

Awesome, glad you got it working!

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480