AAA, NAC, Guest Access & BYOD


Setup/ staging Vlan via 802.1x

  • 1.  Setup/ staging Vlan via 802.1x

    Posted Aug 18, 2022 10:17 AM


    We use ClearPass Service 802.1X with EAP-TLS. Clients get authenticated with a certificate from our PKI.
    So if we install a new client over PXE boot we need a static port to install the client.

    Is it possible to do this also over an 802.1X port?

    Tbh I'm not sure if this makes any sense, but my goal is to have as many NAC ports as possible.

    Some information about the environment:

    Aruba Switch 2930F with tunneled-node-server.
    Aruba Mobility Controller 7205
    Aruba ClearPass V 6.9.10 - authentication by client certificate and Active Directory department.
    In the future we will use MS Intune to deploy new clients.
    A setup VLAN should be used for this, where only restricted access is available.

    Thanks for your Help!

  • 2.  RE: Setup/ staging Vlan via 802.1x

    Posted Aug 18, 2022 11:50 AM
    What I see in practice for this case is both 802.1X and MAC authentication enabled on the switch port. The MAC authentication allows you to provide access to devices that don't do 802.1X, and also allows you to send clients in a staging VLAN/staging Role.

    Some choose to offer PXE to all unknown clients, others register/mark the MAC addresses before in the Endpoint database (or Guest Device database to use the ClearPass Guest UI to allow specific user groups to add/register the client MAC). It would be the same service that you could use to profile IP Phones, printers etc. You can also set the initial role to that restricted access VLAN and configure L2 Authentication Failthrough on your controller (for the tunneled-node clients).

    I don't think many PXE clients support 802.1X.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
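    As an added illustration of the dual-method port the reply describes (not configuration from the thread or from Aruba), the following ArubaOS-Switch fragment enables 802.1X and MAC authentication concurrently on a port range, with 802.1X tried first. It assumes 16.x firmware syntax for the auth-order/auth-priority lines, a placeholder RADIUS server address and shared secret, and that the ClearPass service returns the staging VLAN or role for MAC-authenticated endpoints (with tunneled-node clients the role would come from the controller instead).

```text
! Placeholder ClearPass address and shared secret (constructed values)
radius-server host 192.0.2.10 key "ExampleSharedSecret"

! Use RADIUS for both EAP (802.1X) and MAC authentication
aaa authentication port-access eap-radius
aaa authentication mac-based chap-radius

! Enable both methods on the access ports; allow more than one client
! so a PXE session that starts on MAC auth is not displaced later
aaa port-access authenticator 1/1-1/24
aaa port-access authenticator 1/1-1/24 client-limit 2
aaa port-access mac-based 1/1-1/24
aaa port-access mac-based 1/1-1/24 addr-limit 2

! Try 802.1X first; clients without a supplicant (PXE firmware) fall
! back to MAC auth and receive the staging VLAN/role from ClearPass
aaa port-access 1/1-1/24 auth-order authenticator mac-based
aaa port-access 1/1-1/24 auth-priority authenticator mac-based

! Activate 802.1X globally
aaa port-access authenticator active
```

On the ClearPass side the MAC-auth service needs an enforcement profile that returns the restricted VLAN only for endpoints you have registered or chosen to treat as staging, as the reply outlines.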