Wireless Access

  • 1.  Aruba Clearpass with Certificate based Authentication

    Posted Mar 06, 2024 09:10 AM
    Hi, I have a question, since I've been confused about how certificate-based authentication works in ClearPass.
     
    Here's the setup we want to achieve.
     
    We are now using ClearPass and AD in our network. In our setup, we don't want to integrate machine auth for our clients for now; we only want certificate-based authentication where the user doesn't have to join his device to the domain just to be able to connect to the staff network, which I believe can be achieved with machine auth. What we want to achieve is that staff users are able to connect to the staff SSID using certificates only.
     
    For example, Billy Joe wants to connect to the staff SSID. His laptop/device will be able to connect to the staff SSID if his laptop has its own computer and user certificate that has been issued with ADCS. If Billy Joe tries to log in to another device, like a BYOD, he will not be able to connect to the staff device, since his BYOD laptop doesn't have a computer and user certificate.
     
     
    Is this possible to integrate with ClearPass?
     
    1. How to configure this on ClearPass with 802.1X?
    2. If the user's laptop doesn't have the required certificate, will he be able to join the staff SSID?
     
    By the way, we are using ADCS for the ClearPass RADIUS server certificate and the ADCS root CA, and imported it under the ClearPass trust list.


  • 2.  RE: Aruba Clearpass with Certificate based Authentication

    Posted Mar 06, 2024 11:10 AM

    There's a dedicated forum for NAC questions: Security.

    Machine auth is a function of a Windows device being a member of a domain.  User auth just needs to validate the user account against some credential store.

    Onboard is the ClearPass product for enabling BYOD.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Aruba Clearpass with Certificate based Authentication

    Posted Mar 11, 2024 06:07 AM

    This exact scenario is covered in the ClearPass Workshop Series

    If you only support EAP-TLS (or TEAP with EAP-TLS), users/computers that don't have a certificate will not be able to authenticate to the network, so can't join the SSID.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------