Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

802.1X/NAC on a RAP wired interface

  • 1.  802.1X/NAC on a RAP wired interface

    Posted Apr 19, 2021 02:58 PM
    I wanted to ask how this is typically deployed. Do you have to configure the RAP as a supplicant, and if so, where is that done? I don't see that as an option under the provisioning screens. I configured one of the ETH ports to use the same AAA profile as my Corp WLAN, which is 802.1X auth. Set the port to trusted and set the access VLAN.

    Anything else I am missing, or other recommendations? What if we want to do full NAC where ClearPass pushes the role and VLAN? Do I just enable downloadable roles from CPPM, or is there more to it than that? Not sure if the CPPM side will need a new service or enforcement profiles or not.

    ------------------------------
    Chris Watson
    ------------------------------


  • 2.  RE: 802.1X/NAC on a RAP wired interface

    EMPLOYEE
    Posted Apr 21, 2021 02:09 PM
    Here is the way I have done .1X with a RAP. Since the RAP is connected to a controller/gateway and not to a switch, ClearPass DUR is not supported. However, the controller does support "user-role", so ClearPass will authenticate and profile devices, then send back the "user-role". The controllers will enforce those roles. Hope that gives clues on how to do it. I have had some success with computer devices (Windows, Mac and Linux); having issues with printers (they won't send over the X.509 cert for EAP-TLS authentication).

    ------------------------------
    Peter Huang
    ------------------------------



  • 3.  RE: 802.1X/NAC on a RAP wired interface

    MVP
    Posted Apr 22, 2021 09:49 AM
    Actually, ClearPass DOES support DUR on Mobility Controllers. I am studying to renew my ACCP, and the training class actually has us implement this.
    There need to be proper certificate trusts set up, but it can be done.
    From the lab:




    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 4.  RE: 802.1X/NAC on a RAP wired interface

    EMPLOYEE
    Posted Apr 22, 2021 10:59 AM
    ClearPass will send the user-role and content down (if one marks the controller to download the role). However, I could not get the ACL content honored by the controller; let me try again and see if I missed something here.

    ------------------------------
    Peter Huang
    ------------------------------



  • 5.  RE: 802.1X/NAC on a RAP wired interface

    MVP
    Posted Apr 22, 2021 11:13 AM
    You need to define a CPPM admin user with the DUR role.
    Configure a DUR enforcement profile & policy.
    CPPM needs to have a publicly signed HTTPS certificate.

    Configure the authentication server for DUR on the controller.
    Configure the AAA profile for DUR on the controller.

    Did you complete all those steps?

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 6.  RE: 802.1X/NAC on a RAP wired interface

    EMPLOYEE
    Posted Apr 22, 2021 11:31 AM
    Yes, I used to set up PKI services, so the certificate setup is not an issue. My CPPM cert is signed by DigiCert.

    ------------------------------
    Peter Huang
    ------------------------------



  • 7.  RE: 802.1X/NAC on a RAP wired interface

    MVP
    Posted Apr 22, 2021 11:38 AM
    I pulled that information from the training lab, which works.

    Perhaps @westcott has some troubleshooting hints.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 8.  RE: 802.1X/NAC on a RAP wired interface

    EMPLOYEE
    Posted Apr 22, 2021 01:37 PM
    Yes and yes. I have operated ClearPass for a few years, both in the lab and in production. I have DUR working with switches in production. This particular part is on RAP wired NAC.

    ------------------------------
    Peter Huang
    ------------------------------



  • 9.  RE: 802.1X/NAC on a RAP wired interface

    MVP
    Posted Apr 22, 2021 01:42 PM
    Is the RAP in full tunnel mode? I think you would need full tunnel for that.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 10.  RE: 802.1X/NAC on a RAP wired interface

    MVP
    Posted Apr 22, 2021 01:32 PM
    You entered the CPPM username & password in the mobility controller auth server entry?


    In the AAA profile you checked the box?




    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 11.  RE: 802.1X/NAC on a RAP wired interface

    Posted Apr 22, 2021 02:03 PM
    Can I check whether the ClearPass HTTPS cert HAS to be a publicly signed one?

    I've always used them in the past, but now I am in a position where a private cert issued by a local CA is probably mandatory.

    When using DUR on a switch, the switch downloads the CA from ClearPass. If you've got the PKI CA on the controller, won't that serve just as well?

    Rgds
    Alex




  • 12.  RE: 802.1X/NAC on a RAP wired interface

    MVP
    Posted Apr 22, 2021 02:28 PM
    The training said that for DUR it needed to be a publicly trusted certificate. I wonder if you can import the certificate chain onto the controllers so they trust it.
    Currently here, our RADIUS certificate is from a totally private CA. Our HTTPS certificate is a GlobalSign non-public certificate chain that allows us to do a 5-year certificate for internal use.

    We do not use DUR and do not plan on using it. In my opinion, managing role configuration in the AOS8 configuration hierarchy is more suitable for a larger, complex enterprise.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 13.  RE: 802.1X/NAC on a RAP wired interface

    MVP
    Posted Apr 23, 2021 07:59 AM
    One other piece I took for granted: the servers both need to have an accurate date/time. Time skew can break DUR.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 14.  RE: 802.1X/NAC on a RAP wired interface

    MVP
    Posted Apr 23, 2021 04:22 PM
    I just passed my re-certification exam for ACCP, so I decided to test DUR with a non-public certificate for HTTPS on ClearPass.

    I entered the root & intermediate CAs into the controller as trusted CAs, and DUR works.






    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 15.  RE: 802.1X/NAC on a RAP wired interface

    Posted Apr 23, 2021 05:16 PM
    Thanks for the confirmation.
    Rgds
    Alex




  • 16.  RE: 802.1X/NAC on a RAP wired interface

    EMPLOYEE
    Posted Apr 26, 2021 07:26 AM
    Looks like the discussion moved to a DUR discussion without answering the initial question.

    Do you have controller APs or Instant APs?
    Do you want to have 802.1X enabled on the RAP uplink port? Or on a (R)AP wired port where you connect a wired device?

    For a device connected to eth1/2/3 etc. that needs to be authenticated, you need to set an Ethernet port profile with the proper AAA configured. Then you need to make the port UNtrusted to enable the 802.1X authenticator on the port (where the device connecting would have the supplicant). Making a port trusted disables all authentication; an untrusted port will perform authentication.

    If you want your AP to be a supplicant and authenticate to a wired switch port that has 802.1X enabled, then you need to configure uplink authentication.

    Please let us know what exactly it is that you want to configure, and what the open questions are.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
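Pulling together Bruce's DUR checklist (post 5) and Herman's trusted/untrusted point (post 16), here is the controller side as one AOS 8 configuration fragment. This is an added example, not configuration from anyone in the thread or from HPE Aruba documentation: the profile names, addresses, VLAN, account names and secrets are assumptions, and the keyword spelling should be confirmed with "?" on your release's CLI before pasting. Lines starting with "!" are explanatory comments, not commands.

```text
! Time first: DUR fetches role content from ClearPass over HTTPS, and certificate
! validation fails if the controller clock is skewed (post 13).
ntp server 10.10.10.5

! RADIUS server entry for ClearPass. cppm-username/cppm-password are the ClearPass
! admin account that holds the DUR privilege (post 5); the controller uses them over
! HTTPS to pull the role definition after the RADIUS Access-Accept names the role.
aaa authentication-server radius "cppm-01"
    host 10.10.10.20
    key <radius-shared-secret>
    cppm-username "dur-admin"
    cppm-password <dur-admin-password>
!
aaa server-group "cppm-grp"
    auth-server "cppm-01"
!
aaa authentication dot1x "wired-dot1x"
!
! AAA profile: the same server group the corp WLAN uses, plus "download-role",
! which is the checkbox Bruce refers to in post 10. Without it the controller
! only applies roles that already exist in its own configuration (post 12).
aaa profile "rap-wired-nac"
    initial-role "logon"
    authentication-dot1x "wired-dot1x"
    dot1x-server-group "cppm-grp"
    dot1x-default-role "authenticated"
    download-role
!
! Wired AP profile for the RAP's eth1. The original post set the port trusted,
! which is exactly what disables authentication; "no trusted" turns the
! authenticator on. Tunnel forwarding keeps the client traffic on the
! controller where the role and VLAN are enforced (post 9).
ap wired-ap-profile "rap-eth1-wired"
    wired-ap-enable
    forward-mode tunnel
    switchport mode access
    switchport access vlan 100
    no trusted
!
! Port profile ties the wired AP profile to the AAA profile; the AP group
! then applies it to eth1 of every RAP in the group.
ap wired-port-profile "rap-eth1-nac"
    wired-ap-profile "rap-eth1-wired"
    aaa-profile "rap-wired-nac"
!
ap-group "remote-offices"
    enet1-port-profile "rap-eth1-nac"
```

Two checks before calling this done. First, the controller must trust the CA chain that issued the ClearPass HTTPS certificate (not the RADIUS/EAP certificate); a private CA is fine once its root and intermediate are loaded as trusted CAs, as Bruce confirmed in post 14. Second, the per-device-type VLAN that Chris wants in post 17 comes from the role, not from the port: the ClearPass enforcement policy maps the profiled device category (laptop, phone, printer) to an enforcement profile that returns a role, and the VLAN is set inside that role, either in the downloadable role or in a role already defined under the AAA profile's configuration hierarchy. The hierarchy approach is the one Bruce prefers in post 12 and needs no HTTPS trust at all, since only the role name travels in RADIUS.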



  • 17.  RE: 802.1X/NAC on a RAP wired interface

    Posted May 18, 2021 02:22 PM
    Thanks, everyone, for the input. It was all very helpful. Herman, to answer your question, my goal is to use the RAP's wired port to authenticate devices via 802.1X. Our network security team would prefer a NAC-type deployment that assigns a role/VLAN to the device based on the device type. So a laptop or similar device that connects to the wired port would get put in VLAN 100, a phone in VLAN 101, a printer in VLAN 102, etc. All would authenticate via ClearPass on the back end.

    I have it working now with just basic 802.1X authentication. If the client device has a trusted domain cert, then it can get on and works just fine, but there are no custom VLAN assignments; it just goes into the corp user VLAN.

    ------------------------------
    Chris Watson
    ------------------------------