Wireless Access

 View Only
  • 1.  Clearpass EAP-PEAP after EAP-TLS

    Posted Aug 28, 2018 09:11 PM

    Hi All,

     

    We have Aruba Instant and Clearpass. I would like to know if the following scenario is possible:

     

    1. User is authenticated via EAP-TLS

    2. On a successful authentication, users are redirected to a captive portal.

    3. Users enter the AD credential to complete the authentication process.

     

    Any response will be appreciated.

     

    Thanks

    Nathan



  • 2.  RE: Clearpass EAP-PEAP after EAP-TLS

    Posted Aug 28, 2018 09:29 PM

    Yes.  The defaut 802.1x role on the controller would have to be some sort of logon role so that successful 802,1x authentication leads to a captive portal when the user opens a browser.  It can be clumsy from a user experience perspective, but it can be done.



  • 3.  RE: Clearpass EAP-PEAP after EAP-TLS

    Posted Aug 28, 2018 09:38 PM

    Hi Joseph,

     

    Thanks for that.  Actually this is for particular users, normal users would use TLS.

     

    Do I need to create another service within Clearpass for captive portal authentication? And it should be above the TLS service?



  • 4.  RE: Clearpass EAP-PEAP after EAP-TLS

    Posted Aug 28, 2018 10:01 PM
    The EAP method is configured on the device. It’s not determined by who a user is.


  • 5.  RE: Clearpass EAP-PEAP after EAP-TLS

    Posted Aug 28, 2018 10:07 PM

    I think he wants to do Captive Portal (PAP - not EAP-PEAP), after EAP-TLS.

     

    Again, the scenario of Captive Portal after EAP-TLS  is possible, but presents a bad user experience.  To authenticate captive portal, you would need a separate service that only authenticates via PAP.



  • 6.  RE: Clearpass EAP-PEAP after EAP-TLS

    Posted Aug 28, 2018 10:41 PM
      |   view attached

    Thanks. One more question, how can I set the service rule to match the captive portal authentication? Based on Application name?

     



  • 7.  RE: Clearpass EAP-PEAP after EAP-TLS
    Best Answer

    Posted Aug 29, 2018 05:38 AM

    Typically you would filter by ESSID, but in this case the SSID is the same, so you cannot.  You would have to combine it all into one sevice by adding PAP as an authentication method. Once again, I do not advise layering Captive Portal on top of encryption, because it is clumsy and becomes more difficult to troubleshoot in the end.



  • 8.  RE: Clearpass EAP-PEAP after EAP-TLS

    Posted Aug 29, 2018 07:24 PM

    Thanks for the advise. I will try that.

     

    This is a special need from the customer, the SSID is for non-employee however needs access to the internal network.