The thing is that the EAP method is negotiated after the service is selected. So you can't select the service based on EAP-TLS for that reason. I never used a token server for 802.1X (also I missed that you configured that), also because it suggests a changing password, which is quite cumbersome in the end-user experience.
Best would be if you can filter based on the username, as that is available in the first RADIUS packet. If your PEAP uses the sAMAccountName (Windows username) and EAP-TLS uses the e-mail or UPN (user@domain.name), then you could use that to select the service. If you really can't filter on the username, it's hard to find something that works under all circumstances. It may help to arrange an interactive brainstorm while checking the logs for differences in the initial RADIUS request, to see if there is a possibility to separate the requests out to different services.
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
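As an added illustration that is not part of the thread: the code below constructs the first RADIUS Access-Request a NAS forwards (User-Name plus an EAP-Message carrying only EAP-Response/Identity), shows that no EAP method is visible in it yet, and categorizes on the User-Name format as suggested above. The identities, the service names and the Anonymous handling are constructed sample values, not ClearPass configuration.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 3579) and EAP constants (RFC 3748)
USER_NAME, EAP_MESSAGE = 1, 79
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

def build_first_access_request(identity: str) -> bytes:
    """Construct the first Access-Request a NAS sends: User-Name plus an
    EAP-Message carrying only EAP-Response/Identity (constructed sample)."""
    ident = identity.encode()
    # EAP header: Code, Identifier, Length, then Type and Type-Data
    eap = struct.pack("!BBH", EAP_RESPONSE, 1, 5 + len(ident))
    eap += bytes([EAP_TYPE_IDENTITY]) + ident
    attrs = bytes([USER_NAME, 2 + len(ident)]) + ident
    attrs += bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    # Code=1 (Access-Request), Identifier, Length, 16-byte Authenticator (zeros here)
    header = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + b"\x00" * 16
    return header + attrs

def parse_attributes(pkt: bytes) -> dict:
    """Walk the TLV attribute list that follows the 20-byte RADIUS header."""
    attrs, i = {}, 20
    while i < len(pkt):
        t, l = pkt[i], pkt[i + 1]
        attrs[t] = pkt[i + 2:i + l]
        i += l
    return attrs

def eap_type_in_first_packet(pkt: bytes):
    """Return the EAP Type byte of the EAP-Message, or None if absent.
    In the first packet this is Identity (1), never TLS (13): the method
    is negotiated later, after the service has already been selected."""
    eap = parse_attributes(pkt).get(EAP_MESSAGE)
    return eap[4] if eap and len(eap) > 4 else None

def select_service(pkt: bytes) -> str:
    """Categorize on IETF:User-Name alone: a UPN-style identity (user@domain)
    goes to the EAP-TLS service, a plain sAMAccountName to the PEAP/TTLS
    service. An 'anonymous' outer identity (e.g. newer Windows 11 clients)
    carries no usable information, so it cannot be categorized this way."""
    name = parse_attributes(pkt)[USER_NAME].decode()
    if name.lower().startswith("anonymous"):
        return "undecidable-from-outer-identity"
    return "EAP-TLS-service" if "@" in name else "PEAP-TTLS-service"
```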
Original Message:
Sent: Feb 16, 2024 12:08 PM
From: Antoine Pernon
Subject: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity
I did regroup services together, but it's impossible to do EAP-TLS + EAP-TTLS and still have a token server configured in authentication sources. Maybe I missed a point here?
ATM I still have one service for TLS and another for PEAP+TTLS. I tried to add a check on Authentication:Outer-Method EQUALS "EAP-TLS" but it didn't work. Logs only show "EAP" in Outer-Method.
Also, I did some testing and I always have the same value in Authentication:Username, Authentication:Full-Username and IETF:Username, even if I misconfigure my terminal to do EAP-PEAP MSCHAPv2 instead of GTC as intended. (I did that to be sure to have only the outer identity on the ClearPass side.)
PS: I will try to disable PEAP, but it's maybe too early for some devices.
------------------------------
Best Regards,
Antoine PERNON
----------------------------------------------
Aruba Certified Edge Professional
ACP - ACMP - ACCA
Original Message:
Sent: Feb 12, 2024 11:33 AM
From: Herman Robers
Subject: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity
I think you should test on IETF:User-Name, not on Authentication:Full-Username. During service categorization, Authentication:Full-Username is not available, as it is only available after authentication. Somewhere below there is a screenshot with IETF:User-Name in the service condition.
Hopefully you can test on the client-supplied identity for your service categorization. Another option, as you mention a combination of EAP-TLS, EAP-PEAP (deprecated!) and EAP-TTLS (also not always secure), is to put all three methods in the same service. Then do role mapping or enforcement based on the authentication method and/or authorization attributes.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Jan 30, 2024 09:44 AM
From: Antoine Pernon
Subject: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity
Hello,
Thank you for your response.
We are not trying to do role mapping rules but service categorization conditions. (Sorry if I made that unclear in the first post.)
We have 2 different services in ClearPass to address clients using EAP-TLS and clients using EAP-PEAP or EAP-TTLS on the same SSID. Maybe this is our problem and I need to regroup them.
But I am looking for a way to do something like this:
I do think it's the right way to do it, but with the lack of documentation around these attributes, I'm not 100% sure.
We already run in production a configuration that looks like the screenshot. I am investigating service categorization failures for requests from clients configured by a new MDM.
It's possible that we have an issue with the MDM: the string expected as inner identity is shown in the ClearPass Access logs in the Authentication:Full-Username, Authentication:Full-Username-Normalized and RADIUS:IETF:Username computed attributes, all with the same value. We never see in the ClearPass Access logs the string expected for the outer identity.
------------------------------
Best Regards,
Antoine PERNON
----------------------------------------------
Aruba Certified Edge Professional
ACP - ACMP - ACCA
Original Message:
Sent: Jan 30, 2024 04:51 AM
From: Jonas Hammarback
Subject: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity
Hi
I don't know if it's a good idea to utilize the outer identity, as this field has started to become mandatorily set to Anonymous on some client types, like newer versions of Windows 11. A better way to distinguish the clients is to look at the issuing CA. Something like this:

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jan 29, 2024 10:30 AM
From: Antoine Pernon
Subject: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity
Hello,
We want to use the outer identity (aka anonymous identity, in Android OS for example) in the ClearPass service conditions to address the RADIUS requests of Wi-Fi clients certified by our private PKI.
We use the same SSID for different types of mobile devices. Some of these use EAP-TLS to authenticate based on a private PKI. Other clients can access the same SSID using EAP/GTC or EAP/TTLS methods. All of these clients are profiled and get access to different VLANs.
We plan to deploy other private PKIs, so we can't just filter by checking if "Authentication:InnerMethod EQUALS EAP-TLS".
I have seen in another post that "Authentication:Full-Username" does the job, but without any details, so I'm not sure: Clearpass 802.1X outer identity | Security (arubanetworks.com)
I also looked at the Policy Manager User Guide (arubanetworks.com) but didn't find sufficient information there.
Is there documentation that describes in detail what these are:
- Authentication: Full-Username
- Authentication: Full-Username-Normalized
- Authentication: Username
or maybe it can be:
I'm planning to try it in the IQ environment, and I'm mostly looking for documentation that can help me better target the settings that I need.
PS: First post here. I will be glad to get any advice for future ones.
------------------------------
Antoine PERNON
------------------------------