Higher Education

Frequent Contributor I

Clearpass Integration



Currently at the university where I work, they are using MAC auth for wireless users. We are moving to EAP using ClearPass. Any suggestions on how to roll this out properly?


1. Did you create a secondary SSID with a different name and ask the staff, students, etc. to start using that one for a period of time, and then remove the one with MAC auth?

2. Did you run into any unexpected issues in the dot1x deployment?

3. Did you have to keep the MAC auth SSID for devices that don't support dot1x in the dorm area? If not, did you create a MAC auth service before the dot1x one in ClearPass, so the wireless users hit that service first?

4. Did you roll out one building at a time, per controller, or globally at once?


Thank you



Guru Elite

Re: Clearpass Integration

1) You will have to, because it will be a different authentication method. If you use the same SSID, users that have it saved in their device will have issues.


2) If you're using PEAP with username/password and not doing any type of Onboarding, just be prepared that users who don't read will click terminate or cancel when they get the prompt asking them if they trust the RADIUS server.


3) The new idea is one 802.1X network and one open network with MAC auth that can service both "dumb" devices and guest users. There are different attributes you key off of for the open service, so ordering doesn't matter.


4) Since it will have to be a new SSID, you can roll it out globally so you don't have roaming issues.




| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor I

Re: Clearpass Integration



Do you control how many devices the students or staff can MAC register? Do you allow staff members that should be doing dot1x to connect to the MAC open SSID?


Yes, I will be using PEAP with AD user/pwd.

Guru Elite

Re: Clearpass Integration

In the deployments I've done for universities, most just limit the type of device (media player, printer, game console), not counts.


You can limit access to internal resources when users connect their regular devices to the open network or you can completely block them (see here: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Guide-Using-ClearPass-to-steer-users-to-secure-networks-mhc/m-p/144823 )

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
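The two answers above make one combined point: an 802.1X service and an open MAC-auth service match on different RADIUS attributes (so their order in the service list does not matter), and the MAC-auth service can then hand out a restricted role to a laptop or phone that should really be on the secure SSID. The following is an added, constructed Python model of that logic; it is not ClearPass code or Aruba's, and the endpoint repository, the AD group table, the role names and the sample requests are all assumptions made up for the example. The attribute conventions it relies on (an EAP-Message attribute present only for 802.1X, Service-Type Call-Check and User-Name equal to the MAC for MAC auth) are standard RADIUS behaviour.

```python
import re

# Constructed endpoint repository: normalized MAC -> (registered_by, device_type).
# In a real deployment this is the ClearPass Endpoints database filled by
# self-registration; the entries here are made up for the example.
ENDPOINTS = {
    "aabbccddeeff": ("jdoe", "game console"),
    "001122334455": ("it-ops", "thermostat"),
    "0a0b0c0d0e0f": ("asmith", "laptop"),
}

# Constructed stand-in for an AD authorization lookup (user -> group memberships).
AD_USERS = {
    "jdoe": ["Students"],
    "asmith": ["Staff"],
}

# Device classes the open SSID exists for; anything else registered there
# is a "regular" device that belongs on 802.1X and gets steered.
DUMB_DEVICE_TYPES = {"media player", "printer", "game console", "tv", "thermostat"}


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and
    return 12 lowercase hex digits; NAS vendors format Calling-Station-Id differently."""
    mac = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(mac) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def is_dot1x(attrs):
    # The NAS relays the supplicant's EAP payload, so an EAP-Message is present.
    return "EAP-Message" in attrs


def is_mac_auth(attrs):
    # No EAP at all; the NAS sends Service-Type Call-Check and User-Name == MAC.
    return "EAP-Message" not in attrs and attrs.get("Service-Type") == "Call-Check"


# Service list. The two match conditions are mutually exclusive, which is why
# the order of this list does not change the outcome (see select_service).
SERVICES = [
    ("Campus 802.1X", is_dot1x),
    ("Campus Open MAC-Auth", is_mac_auth),
]


def select_service(attrs, services=SERVICES):
    """Return the first service whose match condition holds, or None (reject)."""
    for name, match in services:
        if match(attrs):
            return name
    return None


def enforce(attrs, service):
    """Return (accept, role) for a request already mapped to a service."""
    if service == "Campus 802.1X":
        groups = set(AD_USERS.get(attrs.get("User-Name", ""), []))
        if "Staff" in groups:
            return True, "staff"
        if "Students" in groups:
            return True, "student"
        return False, None  # authenticated identity with no authorized group
    if service == "Campus Open MAC-Auth":
        mac = normalize_mac(attrs["Calling-Station-Id"])
        entry = ENDPOINTS.get(mac)
        if entry is None:
            return True, "guest-registration"  # unknown MAC: captive portal only
        _owner, device_type = entry
        if device_type in DUMB_DEVICE_TYPES:
            return True, "registered-device"
        # A laptop/phone on the open SSID: internet only, no internal resources,
        # so the owner has a reason to move it to the 802.1X network.
        return True, "steer-to-secure"
    return False, None


def handle_request(attrs):
    service = select_service(attrs)
    if service is None:
        return False, None
    return enforce(attrs, service)


# Constructed sample Access-Requests (attribute values are made up).
DOT1X_REQ = {"User-Name": "jdoe", "Service-Type": "Framed-User",
             "EAP-Message": b"\x02\x01\x00\x09\x01jdoe",
             "Calling-Station-Id": "0A-0B-0C-0D-0E-0F"}
MACAUTH_CONSOLE = {"User-Name": "aabbccddeeff", "Service-Type": "Call-Check",
                   "Calling-Station-Id": "aa:bb:cc:dd:ee:ff"}
MACAUTH_LAPTOP = {"User-Name": "0a0b0c0d0e0f", "Service-Type": "Call-Check",
                  "Calling-Station-Id": "0a0b.0c0d.0e0f"}
MACAUTH_UNKNOWN = {"User-Name": "112233445566", "Service-Type": "Call-Check",
                   "Calling-Station-Id": "11-22-33-44-55-66"}

if __name__ == "__main__":
    for req in (DOT1X_REQ, MACAUTH_CONSOLE, MACAUTH_LAPTOP, MACAUTH_UNKNOWN):
        print(req["Calling-Station-Id"], select_service(req), handle_request(req))
```

The point to take from the model is the last branch of the MAC-auth service: rather than rejecting a registered laptop, it accepts it with a role that has no access to internal resources, which is the steering approach the linked guide describes, and the reversed service order yields exactly the same decisions.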
Frequent Contributor I

Re: Clearpass Integration

Thank you Tim for sharing! 

Contributor II

Re: Clearpass Integration

FWIW, we deployed three SSIDs: 1. a dot1x one, 2. an open one with MAC registration, and 3. a guest one with web registration. All faculty/staff/students use the dot1x one unless they have gear that does not support it; then they can register their MAC and use #2. We in IT manage and register some gear, such as TVs, thermostats, etc., that does not support dot1x, and put it on #2. Guest registrations on #3 require certain IDs, have limited internal access, and are cached for a period of time.


We rolled out all of these simultaneously across our campus as we replaced an existing, open SSID / web registration wireless system.  For a short period of time, both systems were live while we transitioned.  We did some good work up front to communicate the changes to the campus community, and we provided some online help instructions to help them get connected.  For faculty/staff computers that are university owned, we pushed a domain policy to them in order to automatically create the wifi connection for the dot1x network.


We had a number of issues with dot1x, mostly with older hardware or older drivers that did not play nicely. Windows 7 / 8 in particular is problematic for students, because there are a number of hoops they have to jump through to set up the connection properly. We do not allow students to join their personal equipment to our domain, so we cannot easily push a policy to them. And while we can provide them a batch file to automatically set the connection up, explaining how to run it is not always easy. Aruba does of course have a solution for this (Quick Connect), but we do not have that.


Conversely, OSX machines simply prompt for credentials and move on.  However, we had a number of connectivity issues with OSX as a result of some (now well known) software updates that caused wifi connectivity issues.





Re: Clearpass Integration

We do something similar. We have a secure SSID and a Guest SSID.

We have an open SSID that serves 2 purposes

1. People can onboard personal machines to the secure network

2. Registered non-802.1X devices can use this network. The internal website & Blackboard are blocked. Machines needing this access should be using the secure network.

Users register their own devices for the open network, and they are associated with their username.

We track Internet bandwidth by username.

Bruce Osborne - Wireless Engineer

All opinions written here are my own and do not necessarily reflect the views and opinions of my employer or Aruba Networks
