I'm not sure what it is used for when it comes to dot1x. Can someone help summarize that for me please? See attached.
This shouldn't be needed in modern networks with a robust RADIUS server. Essentially, this terminates the EAP transaction from the client during authentication with the controller. By default, this termination with regard to EAP is done between the client and the RADIUS server.
Is it required if I have clearpass?
Is it required if I do EAP-TLS without ClearPass in the picture?
When exactly would I need to terminate the auth on the controller and not the RADIUS server or ClearPass?
It is not required in either of those scenarios. We'd "like" you to have ClearPass :-) but any RADIUS server will do, and most of the time we would recommend that termination be disabled anyway. This feature was meant to offload the RADIUS server in a sense, but also to allow customers to deploy without any RADIUS server and use LDAP for user/pass verification.
For TLS, termination isn't needed and if you do need to turn it on, that would entail adding trusted certs to the controller itself vs. the authentication server where IMO they should reside.
Historically, it was to avoid installing and putting a server certificate on a RADIUS server, or, if you have an LDAP server, to avoid installing a RADIUS server, period. There are two ways you could do this:
1 - Set up a RADIUS server with no server certificate. Set up a controller with a server certificate, enable termination and have the controller point to another RADIUS server for authentication*. The drawback is that with Microsoft Windows RADIUS servers, you could not do machine authentication with this setup.
2 - Set up an LDAP server. Set up a controller with a server certificate, enable termination and have the controller point to the LDAP server for authentication**. The only problem with this setup is that you would have to install custom supplicants on all of your Windows endpoints, because they do not support EAP-GTC, so you would end up installing software on all of your endpoints.
These days, everyone has gotten used to installing a RADIUS server, whether it is the built-in Microsoft one or ClearPass, Cisco ACS, etc., so termination has too many drawbacks to use IMHO.
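To make the two termination setups above (and the recommended non-terminated default) concrete, here is an ArubaOS controller CLI fragment. This is an added example, not configuration posted by anyone in the thread; the profile and server names (dot1x-term-radius, dot1x-term-ldap, dot1x-passthrough, nps-inner, corp-ldap, and the host addresses, keys and DNs) are placeholders, and the command syntax is written from memory of ArubaOS and should be checked against the CLI reference for the release you run.

```text
! --- Recommended default: no termination. The controller relays EAP to the
! --- RADIUS server, which holds the server certificate (EAP-TLS or PEAP).
aaa authentication dot1x "dot1x-passthrough"
   no termination enable
!
! --- Setup 1 from the post: terminate PEAP on the controller, then send the
! --- inner MS-CHAPv2 credentials as plain RADIUS to a server with no cert.
! --- Drawback noted above: no machine authentication against Microsoft NPS.
aaa authentication-server radius "nps-inner"
   host 192.0.2.10
   key <shared-secret>
!
aaa server-group "sg-nps-inner"
   auth-server "nps-inner"
!
aaa authentication dot1x "dot1x-term-radius"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
!
! --- Setup 2 from the post: terminate PEAP on the controller and verify the
! --- user/password against LDAP directly, with no RADIUS server at all.
! --- LDAP bind needs the cleartext password, hence EAP-GTC as the inner
! --- method, which the native Windows supplicant does not offer.
aaa authentication-server ldap "corp-ldap"
   host 192.0.2.20
   base-dn "dc=example,dc=com"
   admin-dn "cn=svc-aruba,cn=Users,dc=example,dc=com"
   admin-passwd <bind-password>
!
aaa server-group "sg-corp-ldap"
   auth-server "corp-ldap"
!
aaa authentication dot1x "dot1x-term-ldap"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-gtc
!
! --- Bind one dot1x profile and its server group to the AAA profile used by
! --- the SSID. Only one of the three dot1x profiles would be referenced here.
aaa profile "corp-dot1x"
   authentication-dot1x "dot1x-passthrough"
   dot1x-server-group "sg-nps-inner"
```

Whichever terminating variant is chosen, the controller must also carry the server certificate that the supplicants trust (uploaded under the controller's certificate management and selected as the 802.1X server certificate), which is exactly the extra trust anchor the earlier reply argues belongs on the authentication server instead. With `no termination enable` the controller never sees the inner credentials and needs no certificate of its own.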