Security


Adding Greenlake Device Inventory as Authentication Source in Clearpass

  • 1.  Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 24, 2025 05:38 AM

    Hi,

    we would like to up our security by implementing 802.1X Wired Authentication using CX-Switches and Clearpass 6.12.

    Is there an option to add the Device Inventory of Greenlake as an Authentication Source in Clearpass to use the database to recognize the added APs and Switches and realize a role mapping based on that?


    I really don't want to authenticate 1300 APs via MacAuth :-D 

    Thanks in advance



  • 2.  RE: Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 24, 2025 07:10 AM

    I don't think this is possible. Why do you need this though? Why not use profiling? Are your APs not connected to trunk ports?




  • 3.  RE: Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 24, 2025 07:30 AM

    Currently they are connected via trunk ports, yes.

    Profiling would work but it would also work for any Aruba AP that joins the network and not only the ones under our administration.




  • 4.  RE: Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 24, 2025 07:34 AM

    Right, but you can't perform authentication on trunk ports.

    You have to use smart port macros or something like that to convert from the initial access state to trunk state. It's rarely worth the overhead imo.





  • 5.  RE: Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 24, 2025 08:00 AM

    I had it working on AOS-S Switches. Not role-based because AOS-S couldn't handle more than one tagged vlan per role but it worked.

    Just as a proof-of-concept I added an AP as a Guest-Device and let Clearpass give back the one untagged and three tagged vlans.

    So an option would be to export the AP list from Central and add it into Clearpass as Guest devices. But that would lead to manual work every time we add a new AP.




  • 6.  RE: Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 24, 2025 08:04 AM

    You could maybe automate this somehow with an API? Just remember MAC addresses can always be spoofed as well.






  • 7.  RE: Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 24, 2025 08:15 AM

    Yes, that's true, but that needs more involvement than buying an AP.

    I'll have a look at the API on Aruba Central. Maybe I can use a script to pull the information and store it in a local database which I then use as authentication source in Clearpass.




  • 8.  RE: Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 24, 2025 12:00 PM

    If you have Activate enabled on your GreenLake workspace then you can still configure the integration between ClearPass and Activate, which will allow ClearPass to pull the devices in the Activate inventory into the ClearPass Endpoints Repository.

    Don't use MAC auth, use EAP-TLS with the AP's device certificate.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 9.  RE: Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 25, 2025 08:05 AM

    We do not have Activate because we are using Aruba Networking Central. Pulling the devices into the Endpoint Repository is exactly what I want to do.

    Sure, another way would be to push a private certificate via Central and use EAP-TLS as authentication. Then I wouldn't need the devices in a repository.

    Using the built-in certificate would make it possible to authenticate other Aruba APs.




  • 10.  RE: Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 25, 2025 11:15 AM

    Activate is still an option even with Central, but if you already have Central then you could use the API and a script or Postman collection to pull the inventory from Central and push the information to ClearPass.

    The point was to use EAP-TLS in conjunction with your device import. EAP-TLS provides the secure authentication method while the import provides authorization to filter on only your devices.

    The "best" solution would be to have the devices enroll a custom certificate using EST which would allow you to authenticate only those devices you control.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
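As an added illustration of the "script pulls the inventory from Central and pushes it to ClearPass" approach raised in posts 7 and 10 (example code, not from the thread or from Aruba): the transform step that turns an inventory page into ClearPass Endpoints Repository records. The inventory field names (`serial`, `macaddr`, `device_type`, `name`) and the endpoint attribute names are assumptions; the record body shape (`mac_address`, `status`, `attributes`) follows the ClearPass REST API `/api/endpoint` resource. The HTTP calls themselves are left out so the block runs offline on the constructed sample.

```python
# Added example, not code from the thread. Shapes a Central/GreenLake
# inventory export into ClearPass endpoint records for role mapping.
# Inventory field names and attribute names below are assumptions.
import json
import re
from typing import Dict, List

# Constructed sample of what one inventory API page might look like.
SAMPLE_INVENTORY = {
    "devices": [
        {"serial": "CNEXAMPLE001", "macaddr": "AA:BB:CC:00:00:01", "device_type": "AP", "name": "AP-Lobby"},
        {"serial": "CNEXAMPLE002", "macaddr": "aa-bb-cc-00-00-02", "device_type": "SWITCH", "name": "Core-1"},
        {"serial": "CNEXAMPLE003", "macaddr": "AA:BB:CC:00:00:01", "device_type": "AP", "name": "AP-Dup"},
        {"serial": "CNEXAMPLE004", "macaddr": "not-a-mac", "device_type": "AP", "name": "AP-Broken"},
        {"serial": "CNEXAMPLE005", "macaddr": "AA:BB:CC:00:00:05", "device_type": "GATEWAY", "name": "GW-1"},
    ]
}

MAC_RE = re.compile(r"^[0-9a-f]{12}$")
IMPORT_TYPES = {"AP", "SWITCH"}  # only the classes we want authorized on the wire


def normalise_mac(raw: str) -> str:
    """Strip separators and lowercase; return '' unless it is 12 hex digits."""
    mac = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return mac if MAC_RE.match(mac) else ""


def build_endpoint_records(inventory: Dict) -> List[Dict]:
    """Convert inventory rows into POST bodies for ClearPass /api/endpoint.
    Duplicate and malformed MACs are dropped. The attributes exist so the
    ClearPass role-mapping policy can match on device class and source, not
    merely on 'MAC is present' (a MAC alone is authorization data, not proof
    of identity; EAP-TLS still does the authentication)."""
    seen, records = set(), []
    for dev in inventory.get("devices", []):
        mac = normalise_mac(dev.get("macaddr", ""))
        if not mac or mac in seen or dev.get("device_type") not in IMPORT_TYPES:
            continue
        seen.add(mac)
        records.append({
            "mac_address": mac,
            "status": "Known",
            "description": f"Central inventory: {dev.get('name', '')}",
            # Attribute names must exist in the ClearPass endpoint dictionary.
            "attributes": {
                "Device Type": dev["device_type"],
                "Serial Number": dev.get("serial", ""),
                "Inventory Source": "Aruba Central",
            },
        })
    return records


if __name__ == "__main__":
    print(json.dumps(build_endpoint_records(SAMPLE_INVENTORY), indent=2))
```

In a real run each record would be sent with an OAuth client-credentials token to the ClearPass API, and a scheduled re-sync would also mark devices that left the inventory as no longer Known.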



  • 11.  RE: Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 26, 2025 01:48 AM

    I don't think we have access to Activate as we migrated from an AOS 8.6 deployment with VCs and Airwave straight to AOS 10 and Central.

    But yes, what you are saying sounds like the best option as there seems to be no native interaction possibility between the two.




  • 12.  RE: Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 27, 2025 05:01 AM

    Support can give you access to Activate (via GreenLake). When you have access, ClearPass can pull information from GreenLake / Activate and store the registered devices in the Endpoint repository.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 13.  RE: Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 24, 2025 12:01 PM

    Hi!
    If the APs are in Central, I suppose they are Aruba APs.

    Do you not want to enable 802.1X authentication on the downlink of the APs?



    ------------------------------
    CyberSec & Network Engineer - ACCX #1532 - ACMP
    ------------------------------



  • 14.  RE: Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 25, 2025 02:06 AM

    We are not using the downlink of the APs. They are deactivated.

    At the moment we are using EAP-TLS and MSCHAP to authenticate our wireless clients.

    But in light of the NIS2 directive we need to up it a little bit.




  • 15.  RE: Adding Greenlake Device Inventory as Authentication Source in Clearpass

    Posted Mar 25, 2025 07:29 AM

    Sorry, translation mistake.
    I would say "AP uplink."

    Wireless clients are authenticated by the AP or MC.
    However, you can authenticate APs on switches to only authorize registered APs and improve security.

    Maybe my understanding is incorrect.


    ------------------------------
    CyberSec & Network Engineer - ACCX #1532 - ACX-NS - APC ClearPass - ACMP
    ------------------------------