  • 1.  NAC on access points

    Posted Aug 03, 2023 09:55 AM

    We are planning to switch to full NAC, meaning the corporate laptops, printers, IoT devices etc. should all do some kind of (wired) authentication. 802.1X is preferred with MAC fallback. We also want to enable NAC on the switchports that connect to the Aruba APs (AP305, AP505, AP515). Today the switch has a static config specifically for connecting an AP.
    Is it possible to enable 802.1X authentication on the wired / uplink interface of an AP? What about certificate management?

    This has nothing to do with the authentication methods used on wireless; this is about NAC where the AP itself is the client/supplicant.



    ------------------------------
    Danny Bosman
    KBC Group - Belgium
    ------------------------------


  • 2.  RE: NAC on access points

    Posted Aug 03, 2023 10:25 AM

    Hi Danny

    Yes, the access points can act as 802.1X supplicants and support 802.1X with both EAP-TLS and EAP-PEAP. EAP-TLS is the preferred method, as EAP-PEAP is deprecated and will also introduce overhead in the management of the credentials. There are several options on how to solve this. Are you using ClearPass as your RADIUS server?

    The access points do have a factory certificate; if you accept this certificate and trust the Aruba CA you can utilize it as the certificate for authentication. Otherwise, access points support certificate distribution with EST. ClearPass can act as a CA and has EST support. EST support on other CA servers may differ, but Microsoft CA does not support EST.

    To be able to enroll certificates with EST you also need a MAC auth option where the AP can get access to request the certificate, or utilize the factory certificate in this phase.

    What architecture and AOS version do you have? Depending on your environment, whether it's AOS 10, AOS 8 with managed controllers, or IAP, the settings are different. But it should be supported in all the different versions.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
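The answer above describes a two-phase onboarding for the AP port: first a restricted MAC-auth (or factory-certificate) admission that only lets the AP reach the EST/RADIUS server, then a second authentication with EAP-TLS using the enrolled certificate that grants the full AP role. The following is an added example, not code from the thread, from Aruba or from ClearPass: it models the RADIUS-side decision logic for that flow in plain Python so the trust boundaries are explicit. All issuer names, MAC addresses, role names and ACL destinations are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed trust anchors: issuer DNs the policy server accepts for EAP-TLS.
# Placeholder names, not the real Aruba factory CA or a ClearPass CA name.
TRUSTED_ISSUERS = {"CN=Example-ClearPass-CA", "CN=Example-AP-Factory-CA"}

# Constructed MAC allow-list used only for the bootstrap (enrollment) phase.
KNOWN_AP_MACS = {"00:11:22:33:44:55"}

# Role -> destinations an endpoint in that role may reach (constructed).
# The enrollment role deliberately reaches nothing but EST and RADIUS.
ROLE_ACLS: Dict[str, List[str]] = {
    "ap-enrollment": ["clearpass-est:443", "clearpass-radius:1812"],
    "ap-full": ["any"],
    "denied": [],
}


@dataclass
class Cert:
    subject: str
    issuer: str
    not_after: datetime
    device_mac: str           # identity bound into the cert at enrollment


@dataclass
class AuthRequest:
    method: str               # "eap-tls" or "mac-auth"
    mac: str
    cert: Optional[Cert] = None


@dataclass
class Decision:
    accept: bool
    role: str
    reason: str


def check_cert(cert: Cert, port_mac: str, now: datetime) -> Optional[str]:
    """Return None when the certificate is acceptable, else the rejection reason."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return "issuer not trusted"
    if now >= cert.not_after:
        return "certificate expired"
    # Binding the cert identity to the port MAC stops a valid cert from being
    # replayed from a different device on another port.
    if cert.device_mac.lower() != port_mac.lower():
        return "certificate identity does not match port MAC"
    return None


def authorize(req: AuthRequest, now: Optional[datetime] = None) -> Decision:
    """Decide the role for one authentication attempt; 802.1X outranks MAC auth."""
    now = now or datetime.now(timezone.utc)
    if req.method == "eap-tls":
        if req.cert is None:
            return Decision(False, "denied", "EAP-TLS without client certificate")
        problem = check_cert(req.cert, req.mac, now)
        if problem:
            return Decision(False, "denied", problem)
        return Decision(True, "ap-full", "EAP-TLS with trusted certificate")
    if req.method == "mac-auth":
        if req.mac.lower() in KNOWN_AP_MACS:
            return Decision(True, "ap-enrollment", "MAC auth fallback: enrollment only")
        return Decision(False, "denied", "unknown MAC")
    return Decision(False, "denied", "unsupported method %s" % req.method)


def onboard_ap(mac: str, now: datetime) -> List[Decision]:
    """Simulate both phases: MAC auth -> EST enrollment -> EAP-TLS re-authentication."""
    phase1 = authorize(AuthRequest("mac-auth", mac), now)
    if not phase1.accept or "clearpass-est:443" not in ROLE_ACLS[phase1.role]:
        return [phase1]                      # AP never gets to talk to the EST server
    # Constructed stand-in for the certificate ClearPass would issue over EST.
    enrolled = Cert("CN=ap-" + mac, "CN=Example-ClearPass-CA",
                    now + timedelta(days=365), mac)
    phase2 = authorize(AuthRequest("eap-tls", mac, enrolled), now)
    return [phase1, phase2]


if __name__ == "__main__":
    for d in onboard_ap("00:11:22:33:44:55", datetime.now(timezone.utc)):
        print(d)
```

The point of the model is that the MAC-auth fallback never yields more than the enrollment role, so a spoofed AP MAC on a patch panel port only reaches the certificate and RADIUS servers; full access requires a certificate chaining to a trusted issuer, unexpired, and bound to the MAC seen on the port.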