This exact scenario is covered in the ClearPass Workshop Series.
If you only support EAP-TLS (or TEAP with EAP-TLS), users/computers that don't have a certificate will not be able to authenticate to the network, so can't join the SSID.
------------------------------
Herman Robers
------------------------------
Original Message:
Sent: Mar 06, 2024 09:10 AM
From: ajorigenes17
Subject: Aruba Clearpass with Certificate based Authentication
Hi, I have a question, since I've been confused about how certificate-based authentication works in ClearPass.
Here's the setup we want to achieve.
We are now using ClearPass and AD in our network. In our setup, we don't want to integrate machine auth for our clients for now; we only want certificate-based authentication where a user doesn't have to join his device to the domain just to be able to connect to the staff network, which I believe can be achieved with machine auth. What we want to achieve is that staff users are able to connect to the staff SSID using a certificate only.
For example, Billy Joe wants to connect to the staff SSID. His laptop/device will be able to connect to the staff SSID if his laptop has its own computer and user certificate that has been issued with ADCS. If Billy Joe tries to log in on another device, like a BYOD, he will not be able to connect to the staff device, since his BYOD laptop doesn't have a computer and user certificate.
Is this possible to integrate with ClearPass?
1. How do we configure this on ClearPass with 802.1X?
2. If a user's laptop doesn't have the required certificate, will he be able to join the staff SSID?
By the way, we are using ADCS for the ClearPass RADIUS server certificate, and we imported the ADCS root CA into the ClearPass trust list.