If you have disabled Authorization (and no other authentication methods that require authentication), you can even leave the authentication sources empty (in recent ClearPass versions).
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Aug 02, 2024 09:06 AM
From: harutyun.hakobyan
Subject: ClearPass certificate-based authentications
So for Authentication Methods, put the modified EAP-TLS with the "Authorization Required" option unchecked.
What do I put for Authentication Sources?
Original Message:
Sent: Aug 01, 2024 07:53 AM
From: Herman Robers
Subject: ClearPass certificate-based authentications
Yes. What 'Authorization' in the EAP-TLS method does is verify if the user that authenticates exists in the Authentication Source.
If you disable Authorization, any valid certificate (against the trust list) is accepted. In your role mapping and enforcement, you can limit it down further, for example with a lookup to Intune or Entra ID, or limit to specific certificate authorities only.
------------------------------
Herman Robers
Original Message:
Sent: Aug 01, 2024 03:57 AM
From: harutyun.hakobyan
Subject: ClearPass certificate-based authentications
Thanks for the reply.
For authorization, Microsoft Entra ID will be used, but that can't be used for authentication.
In the EAP-TLS method, if "Authorization Required" is unchecked and we want authentication only via certificates without local Active Directory, is it possible?
ClearPass version is the latest: 6.12.2.
Original Message:
Sent: Jul 31, 2024 01:01 PM
From: chulcher
Subject: ClearPass certificate-based authentications
Look at the EAP-TLS auth method, one of the checkboxes is "Authorization Required". Copy the auth method, uncheck that box, no lookup of the certificate subject is then required for the authentication to succeed. Later authorization checks can further determine validity of the auth request and enforcement.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Jul 31, 2024 09:31 AM
From: harutyun.hakobyan
Subject: ClearPass certificate-based authentications
Hi All,
Is certificate-based authentication in ClearPass possible without authenticating against any LDAP-compliant directory, i.e. the client certificate is validated with the Trusted CA cert chain installed in ClearPass?
Thanks