What I see in practice for this case is both 802.1X and MAC authentication enabled on the switch port. The MAC authentication allows you to provide access to devices that don't do 802.1X, and also allows you to send clients in a staging VLAN/staging Role.
Some choose to offer PXE to all unknown clients, others register/mark the MAC addresses beforehand in the Endpoint database (or Guest Device database to use the ClearPass Guest UI to allow specific user groups to add/register the client MAC). It would be the same service that you could use to profile IP Phones, printers etc. You can also set the initial role to that restricted access VLAN and configure L2 Authentication Failthrough on your controller (for the tunneled-node clients).
I don't think many PXE clients support 802.1X.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
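As an added illustration of the two-tier policy described in this reply (not code from the reply, from ClearPass, or from Aruba), the following Python models the enforcement decision: EAP-TLS with a valid certificate and an AD department gets the production VLAN, MAC-authenticated devices registered in the Endpoint database get the restricted staging VLAN, and an optional switch reflects the "offer PXE to all unknown clients" variant. The VLAN numbers, MAC addresses and the in-memory endpoint table are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed placeholders; real deployments set these in the ClearPass enforcement profile.
STAGING_VLAN = 999   # restricted setup/PXE VLAN
PROD_VLAN = 100      # production VLAN for certificate-authenticated clients

# Constructed stand-in for the ClearPass Endpoint database (MAC -> attributes).
ENDPOINT_DB = {"aa:bb:cc:00:00:01": {"registered": True}}


@dataclass
class AuthRequest:
    mac: str
    method: str                     # "EAP-TLS" or "MAC-AUTH"
    cert_valid: bool = False        # result of EAP-TLS certificate validation
    ad_department: Optional[str] = None


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so lookups do not depend on the NAS format."""
    hexdigits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def enforce(req: AuthRequest, endpoint_db=ENDPOINT_DB,
            allow_unknown_pxe: bool = False) -> Tuple[str, Optional[int]]:
    """Return (role, vlan) for one authentication request.

    MAC authentication only proves knowledge of a MAC address, so anything it
    admits is confined to the staging role; full access requires EAP-TLS.
    """
    if req.method == "EAP-TLS":
        if req.cert_valid and req.ad_department:
            return ("employee", PROD_VLAN)
        return ("reject", None)          # bad/absent cert or no AD match
    if req.method == "MAC-AUTH":
        entry = endpoint_db.get(normalize_mac(req.mac))
        if entry and entry.get("registered"):
            return ("staging", STAGING_VLAN)
        if allow_unknown_pxe:            # "offer PXE to all unknown clients" option
            return ("staging", STAGING_VLAN)
        return ("reject", None)
    return ("reject", None)              # unknown method, fail closed


if __name__ == "__main__":
    print(enforce(AuthRequest("AA-BB-CC-00-00-01", "MAC-AUTH")))
    print(enforce(AuthRequest("aa:bb:cc:00:00:02", "EAP-TLS", True, "IT")))
```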
Original Message:
Sent: Aug 18, 2022 10:16 AM
From: guido schmid
Subject: Setup/ staging Vlan via 802.1x
Hello
We use Clearpass Service 802.1X with EAP-TLS. Clients get authenticated with a certificate from our PKI.
So if we install a new client over PXE boot, we need a static port to install the client.
Is it possible to do this also over an 802.1X port?
Tbh I'm not sure if this makes any sense, but my goal is to have as many NAC ports as possible.
Some information about the Environment:
Aruba Switch 2930F with tunneled-node server.
Aruba Mobility Controller 7205
Aruba Clearpass V 6.9.10 - Authentication by client certificate and Active Directory department.
In the future we will use MS Intune to deploy new clients.
A setup VLAN should be used for this, where only restricted access is available.
Thanks for your Help!