Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Configuration for 802.1x Uplink AP Authentication

  • 1.  ClearPass Configuration for 802.1x Uplink AP Authentication

    Posted Mar 22, 2017 04:30 PM

    Hello, 

    I'm beginning an 8.0.1 deployment and want to have our access points use 802.1x on their uplinks. I have a working 802.1x configuration for our access switches, but I'm having trouble finding guidance on configuring a ClearPass authentication service to do this. 

    Thanks in advance for your useful advice!



  • 2.  RE: ClearPass Configuration for 802.1x Uplink AP Authentication

    EMPLOYEE
    Posted Mar 22, 2017 05:33 PM
    Are you already doing 802.1X on your wired network?


  • 3.  RE: ClearPass Configuration for 802.1x Uplink AP Authentication

    Posted Mar 22, 2017 05:54 PM

    Hi Tim, Yes, we are doing dot1x for some wired ports, but the authentication is pointed at stand-alone RADIUS systems. We will eventually point these ports at ClearPass, but that is out-of-scope for now. At some point I was told that the APs should use a different service than any other dot1x auth because of the certs involved. Was I given correct information?

    Thanks,



  • 4.  RE: ClearPass Configuration for 802.1x Uplink AP Authentication

    EMPLOYEE
    Posted Mar 22, 2017 05:58 PM
    You can take different enforcement action on them, but it would be part of your existing wired 1X service. The only way I can think of that you can isolate the requests is to use a predictable username pattern and then key off that.


  • 5.  RE: ClearPass Configuration for 802.1x Uplink AP Authentication

    EMPLOYEE
    Posted Mar 22, 2017 06:32 PM

    I don't think you can use the AP cert for 802.1X, as I asked my instructor at a recent SWDI training at ATM17 and he said no, it's not possible. I guess it's because we cannot access or extract the root-ca used by the controller to generate the cert for the AP and import it into ClearPass. (I might be wrong here and missing some info about the process).

    The only possible way, I think, is using PEAP. You can set up a username/password (could be a local account in ClearPass) and have the local database in your service. When you provision your AP there is an option for 802.1X using PEAP. (I never tried it but I would be interested to try it once my home lab is set up). You will probably need a fallback VLAN with MAC auth or something like that for new APs that are not provisioned yet or that need to be reprovisioned with PEAP, where you can fingerprint that the device is an Aruba AP.



  • 6.  RE: ClearPass Configuration for 802.1x Uplink AP Authentication

    EMPLOYEE
    Posted Mar 22, 2017 06:35 PM

    Yes, you're correct. Sorry, read the original post too fast. The only option available today is to use PEAPv0/EAP-MSCHAPv2 with controller-based APs.



  • 7.  RE: ClearPass Configuration for 802.1x Uplink AP Authentication

    Posted Mar 23, 2017 12:59 PM

    If that's what we have to do, we will, but it would be ideal to have a cert in the AP that we could use for this purpose.

    Thank you for all of your responses!



  • 8.  RE: ClearPass Configuration for 802.1x Uplink AP Authentication

    EMPLOYEE
    Posted Mar 23, 2017 01:34 PM

    Aruba controller-based APs (CAPs) do not currently support EAP-TLS for uplink authentication to the upstream network.

     

    You can use PEAPv0/EAP-MSCHAPv2. Not a huge difference for this use case.



  • 9.  RE: ClearPass Configuration for 802.1x Uplink AP Authentication

    Posted Jun 04, 2018 06:28 PM

    Will this be changing now that there are the 300 series of AP out?  Or is there a timeline for true 802.1x on the Aruba Access points using EAP-TLS?



  • 10.  RE: ClearPass Configuration for 802.1x Uplink AP Authentication

    EMPLOYEE
    Posted Jun 04, 2018 06:31 PM
    EAP-TLS can be used in ArubaOS 8.2+