EAP-TLS - Reject
I am sure this has been asked before; I just cannot find it. I am fairly certain I know the answer...
There is no way to adjust policy to issue enforcement for remediation if ClearPass issues REJECT on the auth. Correct?
Working through a remediation policy with a customer and they would like to place a computer into Quarantined VLAN with restrictive ACL if they are rejected due to bad password, certificate, etc. I am pretty sure this cannot be done dynamically with Policy.
Aruba Partner Ambassador
Re: EAP-TLS - Reject
For wireless: Only after a successful EAP-TLS authentication do the client and server negotiate the encryption keys for the session. And only with these keys negotiated will the 'link' come up. So, no. There is no way for a 'fallback', as there is no negotiated link.
For wired, you can have a fallback scenario (most times combined with MAC Authentication) if client and infrastructure are configured to do so. In the most secure situation, the client would not allow access if there was no successful authentication, but that also means there is no (wired) access when you take your laptop home or to a customer. That also is a security decision.