Frequent Contributor I

Aruba VIA ClearPass integration EAP-TLS

Hello Everyone!

I am trying to make a full ClearPass, ArubaOS 8.4 and Aruba VIA integration. I have included a picture of the concept.

The main idea is to have an 802.1X Wi-Fi with EAP-TLS authentication. Users get their certificates by onboarding with ClearPass. They would also use these certificates for VPN through VIA.

We want to have location-aware VPN. So when we are in reach of corporate Wi-Fi, clients authenticate to Wi-Fi with EAP-TLS, and when they are in public, VIA connects with EAP-TLS. We also want to pass all authentication functions to ClearPass.

When I enable IKEv2 with EAP-TLS, I run into a problem: I can see the access tracker coming in to ClearPass with PAP for the connection profile download. Then VIA asks me which certificate I want to use. When I select it, it gives me an "authentication failed" error and I cannot see any access tracker on ClearPass.

Is there a VRD for this scenario? We want a full certificate-based Aruba configuration.

Thank you in advance!

Daniel

Guru Elite

Re: Aruba VIA ClearPass integration EAP-TLS

Please check out the post here: https://community.arubanetworks.com/t5/Aruba-Apps/EAP-TLS-for-VIA/td-p/64190 for some tips and for the URL of the original VIA VRD.

The "location aware" aspect is managed in the "via servers" portion of the VIA connection profile. The VIA client will see if it can connect to the internal_IP first and if it cannot, it will attempt to connect to the "addr" URL.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Frequent Contributor I

Re: Aruba VIA ClearPass integration EAP-TLS

Hello Cjoseph!

I have no problem with configuring location awareness.

I got the whole setup working like I wanted to, but with username/password authentication. But when I enable IKEv2 so that I could use certs, VIA asks me which certificate I want to use, then just goes around trying to authenticate, then gives me an error code of 8949. I can only see the user on the controller, but there is no access tracker on ClearPass.

I already tried enabling EAP-TLS passthrough in Services -> VPN -> IKEv2, but still cannot see the request going through to ClearPass, just when I try to download the profile. The moment I take out the tick from "Enable IKEv2" in the VIA Connection profile, I can see the access tracker accept for profile download, then after a few seconds, the access tracker accept for VPN establishment.

I have the user cert on the client with public and private key and I have the Trusted CA installed on the controller. But I believe I should still see the request going through to ClearPass regardless of certificates.

I checked the VRD, but didn't find anything that could help me. Correct me if I am wrong, but I should be seeing 2 access tracker messages in ClearPass: 1 for PAP to download the VIA profile, and 1 for EAP-TLS for VPN establishment.

Br.

Daniel
