Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Eduroam with Clearpass

  • 1.  Eduroam with Clearpass

    Posted May 09, 2024 05:40 AM

    Hello Everyone, 

    I just want to ask if any of you have already set up eduroam with ClearPass? It seems that there is no valid documentation for ClearPass integration. I just read the documentation from GÉANT https://archive.geant.org/projects/gn3/geant/services/cbp/Documents/cbp-79_guide_to_configuring_eduroam_using_the_aruba_wireless_controller_and_clearpass.pdf but it seems not to be updated. If anyone has already implemented it and has a step-by-step guide, may I ask for your guidance? As of now I'm having trouble communicating with the FLR server. I'm still figuring out why it isn't able to reach the FLR (Federal Level Radius server) server, and it gives me a RADIUS authentication failed error.



  • 2.  RE: Eduroam with Clearpass

    MVP
    Posted May 10, 2024 11:44 AM

    Where are you located? We are in the US. Last July, we moved our users from a PEAP-MSCHAPv2 SSID to eduroam & TLS. We use ClearPass & AOS 8 wireless, but we use a third-party cloud provider for personal device onboarding & EAP-TLS certificate PKI.

    We started with CPPM 6.9.x and are moving to 6.12.x. We currently use AD for authorization but will be moving to Entra ID. Have you joined the Eduroam Admins mailing list?

    If you send me a PM we can exchange email addresses & we can likely help you through the details as best we know.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 3.  RE: Eduroam with Clearpass

    Posted 20 days ago

    Here are my concerns also:

    1. Is the ClearPass local database supported by eduroam as an identity store, or do I need a Microsoft AD, LDAP server, etc.?
    2. Do I need to have ClearPass on both ends from the school FLR so the server will communicate properly?



  • 4.  RE: Eduroam with Clearpass

    EMPLOYEE
    Posted 18 days ago

    Response here.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Eduroam with Clearpass

    EMPLOYEE
    Posted 29 days ago

    I know there are many customers using ClearPass for eduroam (or govroam, or publicroam which are similar mechanisms). For RADIUS proxy, I would not rely too much on policy simulation. Do you see in Access Tracker the correct service matched? Do you see the same with an actual request through a wireless SSID eduroam?

    Did you register/authorize your ClearPass with the public IP (or NAT) with your federation partner/national eduroam? If the source IP or shared secret doesn't match, the FLR may just drop your incoming requests.

    Access Tracker may provide more information (Alert tab, show logs). Also, you could run a packet capture on ClearPass (via Server Manager, Collect Logs) or an upstream device to see if there is a RADIUS packet going out (and maybe coming back).

    Your authentication seems to show that the RADIUS service does not respond, which may be due to service classification, RADIUS shared secrets, firewall, routing, etc.

    Working with your Aruba partner or Aruba TAC may be useful as well, to step by step find where in the process the issue may be and from there troubleshoot more specifically. Eduroam proxy is quite common and should just work if you 'follow the rules' (in ClearPass, routing, firewalls, with your national provider).



    ------------------------------
    Herman Robers
    ------------------------------
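An added example (not from any poster in this thread) of the capture check described in the reply above: given RADIUS payloads extracted from a packet capture, it verifies that each outgoing Access-Request's Message-Authenticator was computed with the secret agreed with the federation operator, and flags requests that never got a reply. The secret, user name and packets are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def find_message_authenticator(packet):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20  # attributes start after the 20-byte RADIUS header
    while pos + 2 <= length and packet[pos + 1] >= 2:  # stop on malformed length
        if packet[pos] == MSG_AUTH and packet[pos + 1] == 18:
            return pos + 2
        pos += packet[pos + 1]
    return None

def request_signed_with(packet, secret):
    """True if the Access-Request's Message-Authenticator verifies under secret."""
    off = find_message_authenticator(packet)
    if off is None:
        return False
    # HMAC-MD5 over the whole packet with the attribute value zeroed out
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])

def classify(requests, responses, agreed_secret):
    """Map each request identifier to a likely diagnosis."""
    answered = {resp[1] for resp in responses}
    out = {}
    for req in requests:
        if not request_signed_with(req, agreed_secret):
            out[req[1]] = "secret-mismatch"  # local secret differs from agreed one
        else:
            out[req[1]] = "answered" if req[1] in answered else "no-reply"
    return out

def make_request(ident, secret):
    """Build a constructed Access-Request with User-Name and Message-Authenticator."""
    user = b"user@example.edu"
    attrs = bytes([1, 2 + len(user)]) + user + bytes([MSG_AUTH, 18]) + b"\x00" * 16
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + bytes(range(16)) + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

# Constructed capture: id 1 answered, id 2 unanswered, id 3 sent with a stale secret.
AGREED = b"secret-from-federation"
REQUESTS = [make_request(1, AGREED), make_request(2, AGREED), make_request(3, b"old-secret")]
RESPONSES = [struct.pack("!BBH", 11, 1, 20) + b"\x00" * 16]  # Access-Challenge for id 1
```

A "no-reply" result on a correctly signed request points away from the shared secret and toward source IP registration, firewall or routing.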



  • 6.  RE: Eduroam with Clearpass

    Posted 29 days ago
    I would add to contact the eduroam admins list for help at eduroam-admins@internet2.edu or eduroam's support at eduroam-support@internet2.edu

    And note that there've been some issues with the TLRs a week ago so not sure if this is related.






  • 7.  RE: Eduroam with Clearpass

    MVP
    Posted 18 days ago

    They reached out to that US list but are based in the Philippines.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    ------------------------------



  • 8.  RE: Eduroam with Clearpass

    MVP EXPERT
    Posted 29 days ago

    Eduroam or Govroam works the same and you can easily use the eduroam service template to deploy in both cases.

    Note: Eduroam and Govroam work the same and are based on a RADIUS server like ClearPass, with a RADIUS proxy to the eduroam/govroam cloud.

    Publicroam works differently and doesn't need a privately owned RADIUS server or RADIUS proxy. You just enter the public RADIUS server and key of publicroam in your WPA2-Enterprise settings.



    ------------------------------
    Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 9.  RE: Eduroam with Clearpass

    Posted 17 days ago

    I'm confused how a non-corporate owned device would get the EAP-TLS certificate.  Would the user have to do something manually to load it or can this be an automated process?  We're a university so we have a combination of corporate and non-corporate devices connecting to our Eduroam network.




  • 10.  RE: Eduroam with Clearpass

    MVP
    Posted 16 days ago

    Aruba's solution is to use ClearPass Onboard. We use a different web based cloud provider for onboarding and TLS certificate PKI.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    ------------------------------



  • 11.  RE: Eduroam with Clearpass

    EMPLOYEE
    Posted 12 days ago

    For eduroam, you may have a look at 'geteduroam', which is used in parts of Europe, but may be open to other parts of the world as well. It has facilities for onboarding end-user devices with EAP-TLS and issuing client certificates as part of that process. It's similar to ClearPass Onboard, or the tool Bruce is referring to, but specific for (and by) eduroam/higher education.



    ------------------------------
    Herman Robers
    ------------------------------



  • 12.  RE: Eduroam with Clearpass

    MVP
    Posted 11 days ago

    I believe some organizations use eduroam CAT https://cat.eduroam.org/



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    ------------------------------