I am enabling Campus APs for EAP-TLS and using the factory TPM cert. For the authentication to pass in ClearPass, we need to disable "Authorization Required" in the EAP-TLS authentication method.
I am afraid this will reduce security for other EAP-TLS clients using the same service, like Windows AD users for instance. If we disable authorization and a user's account is intentionally locked out in AD, the user will still be able to gain access to the network.
Thoughts on other solutions here?
Looking at the cert presented by the AP, the username is the name of the AP. As a test, we created that username in the local user repository in CPPM and added the local repository to the service. This worked. We could then enable authorization in EAP-TLS. However, we can't possibly create hundreds of accounts for this.
Maybe EST cert enrollment - this may have the same issue, since the name in the cert still needs to exist somewhere for authorization.
Thanks!
------------------------------
Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
------------------------------