Regular Contributor II

EAP-TLS - Reject

I am sure this has been asked before, I just cannot find it. I am fairly certain I know the answer...


There is no way to adjust policy to issue enforcement for remediation if ClearPass issues a REJECT on the auth. Correct?


Working through a remediation policy with a customer, and they would like to place a computer into a Quarantined VLAN with a restrictive ACL if they are rejected due to a bad password, certificate, etc. I am pretty sure this cannot be done dynamically with Policy.

Aruba Partner Ambassador
MVP Guru

Re: EAP-TLS - Reject

For wireless: Only after a successful EAP-TLS authentication do the client and server negotiate the encryption keys for the session. And only with these keys negotiated will the 'link' come up. So, no. There is no way for 'fallback' as there is no negotiated link.


For wired, you can have a fallback scenario (most times combined with MAC Authentication) if client and infrastructure are configured to do so. In the most secure situation, the client would not allow access if there was no successful authentication, but that also means there is no (wired) access when you take your laptop home or to a customer. That also is a security decision.

If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).