New Contributor

ClearPass and non domain joined macbooks.

Hi All


We are bringing macbooks onto our corporate network so they need to conform to 802.1x. We have certificate trust in place now with device profiles and the cert is based on computer DN. Currently we have a windows setup with ios devices (these use user dn certs with airwatch).

Next step is reviewing the Clearpass services and wondering how to achieve this using EAP-TLS. This is work on wired/wireless networks.

The macbooks wont be domain joined to AD so cant use that as an authentication source.

Can i not use an authentication source and just have it validate the certificate? Other thought was using a SHL with regex mac expression for apple macbooks.


Anyone built this before?

MVP Guru

Re: ClearPass and non domain joined macbooks.

Where will you get your client certificates for EAP-TLS from for the Macbooks? In many cases these are pulled from Active Directory Certificate services and linked to a user account (either the actual user of the device or a manually created 'computer account', so you can do the validation to an account. Nice 'side effect' of that is that you can revoke access by removing or disabling the corresponding account.


Alternative is to uncheck the Authorization checkbox in the Authentication Method uses. That will, for authentication, allow any valid trusted client certificate and during role-mapping or enforcement you can (should) do additional checks if that certificate (DN, issuer, account valid for certificates that have a valid account etc.) is actually authorized.

If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Search Airheads
Showing results for 
Search instead for 
Did you mean: