Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Adding EAP-TLS support for a peap configured ssid

  • 1.  Adding EAP-TLS support for a peap configured ssid

    Posted Sep 22, 2015 07:14 AM

    Hi,

    I've got a simple clearpass service that allows a client to authenticate using eap-peap against our AD system. Simple thing and it just works. I now want to also allow eap-tls authentication on the same ssid.

     

    I can't just add the eap tls with ocsp authentication method to my working service so I need to create another service only for eap-tls.

     

    On my dev server I've set up the following service configured with only the eap-tls method. A clearpass generated client cert then allows an android device to connect to SSID alexs-test. Looking at the summary, it says authentication method EAP-TLS.

     

    alexs-tesst service.png

    Here is the successful auth.

     

    valid-tls-auth.png

    Given that the Authentication method says it's EAP-TLS, I then added an extra line to this service selection criteria to try and only select eap-tls authentications.


    tls service rule.png

     

    but the service doesn't get selected. How can I only select this service for eap-tls requests?

    Rgds

    A

     



  • 2.  RE: Adding EAP-TLS support for a peap configured ssid

    EMPLOYEE
    Posted Sep 22, 2015 07:20 AM

    You need to use the same service as EAP-PEAP and add EAP-TLS to the authentication tab and service it from there.  



  • 3.  RE: Adding EAP-TLS support for a peap configured ssid
    Best Answer

    Posted Sep 22, 2015 10:04 AM

    Tried that initially and it failed, hence the question about having a second service. However, fixed it as my local copy of the eap-tls method had authorization required enabled, which meant the clearpass was trying to query AD, which failed.

     

    Here's the authorization section of my service

    Authorization details.png

    And this is the Auth method that works

    UoY-Eap-tls.png

    So I've got 1 service which auth's peap and tls, which is what I wanted in the first place!

    Thanks

    A