See attached images.
Assuming you have enabled cert based auth for your AP on the controller with the default domain of Aruba.ap ….
So assuming you've set the Aruba cert up to be used for EAP in the trust list and you've got another check of whether the enforcement client device is an AP (do some role mapping and assign a role).
The enforcement policy shown uses either the fact that the client is using the Aruba cert or that I've checked that it's an AP and assigned a role.
Then set up your enforcement policy as appropriate.
Original Message:
Sent: 9/26/2024 8:18:00 PM
From: ariyap
Subject: RE: Campus AP DUR - ClearPass Service Build
You can refer to these two technotes that cover LUR and DUR with IAPs that are configured for dot1x supplicant.
Check part 3 and part 6.
https://solutiontechlab.com/?s=wired+enforcement
Original Message:
Sent: Sep 26, 2024 08:03 PM
From: cochranes
Subject: Campus AP DUR - ClearPass Service Build
Hey @oden74
So, I have the AP provisioned just fine, however, I am not sure how to configure the auth source given the cert is factory. I have enabled the Aruba CA root cert in the Trust store on ClearPass but not sure if there is some built in mechanism I am missing or what. Any thoughts or docs on how to proceed?
Thanks in advance!
Original Message:
Sent: Sep 25, 2024 03:23 AM
From: Anders Skalme
Subject: Campus AP DUR - ClearPass Service Build
All APs have a factory certificate in the TPM chip that can be used for 802.1X authentication against your access switch. You can use that in combo with fetching authorization data like the serial number of the AP.
802.1x Supplicant Support on an AP
You can also issue unique certificates via EST and ClearPass Onboard to the APs; there is a tech note on that on the HPE Aruba Network support portal.
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00132816en_us
Original Message:
Sent: Sep 24, 2024 06:11 PM
From: cochranes
Subject: Campus AP DUR - ClearPass Service Build
Hello all, and forgive me if there is a related discussion already out there that I could not find.
I am looking to port-access, access point controller uplinks to dynamically assign VLAN using a DUR. We are currently using the LLDP system info to port-access locally on the switch, but there is some sort of bug causing LLDP to continuously age out, dropping the dynamic VLAN from the port, resulting in degraded user experience and the AP rebooting. We have worked around this for now by statically assigning VLANs to some AP ports, but this is not secure.
I do not want to use the OUI to auth the AP. Does anyone have something working that is effective across all Aruba APs?
I am going to proceed with testing using some of the, seemingly useful, computed attributes that showed up in access tracker.
I appreciate any recommendations!!