I'm having an issue where some of my self registration receipts are getting kicked back, being rejected because of an extra "from" address.
This does not happen when I test from Policy Manager Messaging setup, but does when I test from ClearPass Guest.
It looks like this in the Email Header:
Any idea what may be causing this?
Recently I have integrated an HP Unified 850 controller with ClearPass. I have configured a dot1x service for mobile users and authentication is working fine as well.
Problem: I can see continuous authentication "Accept" logs in Access Tracker for most users; users are also reconnecting automatically even though they are online.
Some users are getting Time-out,
Finally found the solution
It's because of the VRRP. I have two controllers acting as Master and Standby. Previously I had added only the VIP as a RADIUS client; after adding both physical IPs as RADIUS clients to the NPS/ClearPass, it's working fine.
Might be a silly question..
I've configured our router endpoints to forward DHCP requests not only to our UoY DHCP server but also to the master publisher for each of our two ClearPass clusters.
Question: do I have to point DHCP requests at the master publisher, or can I point them at a secondary node as well? Just thinking of how a cluster might process inbound DHCP requests if the publisher is offline for some reason.
Hi Guys, could you help me with the below question?
How to create a wireless 802.1x policy for the following: authenticate user AD, a whitelist of profiled devices, and deny everything else?
Is this possible?
If so, how to do it?
The endpoint repository has 300 seconds (5 mins) cache timeout for the authorization data. If you reconnect the devices within 5 mins after changing the status to Unknown, it will not reflect during the policy evaluation as the policy server takes the data from cache.
You can reduce the cache timeout further or set it to 0 and disable the cache. Disabling the cache will make a query to the endpoint table for every authentication, and the Status = Unknown can be read immediately after the change.
We're wanting to have only certain people (our PC techs) be able to onboard our enterprise-owned devices. I have this pretty much set up and it seems to be working; however, when one of our techs onboards a device, the certificate issued in Onboard is issued to their username. I'm wanting machine authentication only, as all our devices will be domain-joined laptops and I don't care about which user is logged in. The issue is that when managing the certificates in Onboard we can't easily tell what device the certificates belong to, as it only shows the username. Any way to get this to be the Windows computer name, or a custom field on the login page where the tech can enter the computer name manually, instead of assigning it directly to the Onboard username?
Hi All, was wondering if anyone had any idea of the exact IAP settings for authenticating users via LDAP to a Windows Server 2008 Active Directory server.
I have numerous examples but none seem to work. I have configured an OpenLDAP server and authentication works immediately with LDAP, but NOT with the Windows domain controller. I have a successful bind established but no authentication is happening.
I have the following formats for the filter string:
key attribute: sAMAccountName
I also have tried the following filter attributes also.
(&(objectcategory=user)(memberof=CN=Group,OU=Users,DC=Domain,DC=com)) to no avail.
Does anyone have a working example of the settings for this to function against an AD server?
To be clear, the proper way to deploy 802.1x is to install and configure a Radius Server and just point the IAP to it, by configuring a radius server. EAP-Offload with LDAP is just a workaround from the distant past when people did not have a radius server. Everyone who has a Windows Server can configure a radius server with a server certificate, and should NOT be using EAP Offload with LDAP.
- EAP Offload has limitations like not being able to do machine authentication.
- It forces you to configure an LDAP server which does not have a lot of diagnostic information in a failure situation.
- Depending on how the passwords are stored in the LDAP server, you cannot do EAP-PEAP and that limits the type of clients you can connect when you configure EAP-OFFLOAD.
I repeat, configure a Windows Radius Server and DO NOT configure Termination or EAP OFFLOAD on an IAP or an Aruba Controller.
A detailed article on how to configure and deploy Windows NPS is here: https://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113
After reviewing the software updates page on our ClearPass deployment, I noticed the following:
Does this mean that we need to restart our server for the patches to take effect, or has it already been done and this is just noting the patches had required a restart?
I've generated a CSR and private key file from my ClearPass.
I've used that CSR to get a certificate from my provider - InCommon.
When trying to import that certificate and the private key, I get the message:
Private Key File does not match the Certificate
Either I am doing something wrong, or there is something wrong with this certificate I am being issued (I've tried more than once)
Thanks for any help.
I'm facing a strange problem when I use an [ArubaOS Switching - Terminate Session] enforcement profile: the RADIUS response is visible in Access Tracker but is never sent by ClearPass to the NAS device. The RADIUS response packets are not visible in Wireshark and are never sent to the NAS.
I solved the problem by making a clone of the [ArubaOS Wireless - Terminate Session] template and changing the attributes to be equal to the [ArubaOS Switching - Terminate Session] template.
It seems like a bug to me in ClearPass 220.127.116.11008.
The switch, a 2920 with fw16.04, isn't the problem here; the problem is that ClearPass never sends the RADIUS response that Access Tracker shows.
One thing I notice is that when I do a manual CoA on an accepted RADIUS request in Access Tracker, only the wireless CoA enforcement profiles are visible here.
Have other people seen the same issue here? Or did I miss something?
See also the attachment with some screenshots of the issue in my test environment ;)
I am reading through the Clearpass wired Enforcement 2018 document, and I am seeing cisco, HPE and Aruba Switching, but I wanted to see if there were any specific items to be aware of with an 802.1x, MAC Auth and Captive portal service chain.