Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS - Reject

1. EAP-TLS - Reject

    Posted Feb 11, 2020 03:23 PM

    I am sure this has been asked before, I just cannot find it. I am fairly certain I know the answer...

    There is no way to adjust policy to issue enforcement for remediation if ClearPass issues a REJECT on the auth. Correct?

    Working through a remediation policy with a customer, and they would like to place a computer into a Quarantined VLAN with a restrictive ACL if it is rejected due to a bad password, certificate, etc. I am pretty sure this cannot be done dynamically with Policy.

2. RE: EAP-TLS - Reject

    EMPLOYEE
    Posted Feb 12, 2020 05:42 AM

    For Wireless: Only after a successful EAP-TLS authentication do the client and server negotiate the encryption keys for the session, and only with these keys negotiated does the 'link' come up. So, no. There is no way for a 'fallback', as there is no negotiated link.

    For wired, you can have a fallback scenario (most of the time combined with MAC Authentication) if the client and infrastructure are configured to do so. In the most secure situation, the client would not allow access if there was no successful authentication, but that also means there is no (wired) access when you take your laptop home or to a customer. That is also a security decision.
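The key dependency described in the reply above, modelled as an added example (not code from the poster or from ClearPass): on wireless the PMK for the 4-way handshake is taken from the MSK halves that only an Access-Accept carries, so an Access-Reject leaves nothing to attach a quarantine VLAN to, while a wired port can fall back to a second (MAC-auth) Access-Accept. The RADIUS responses are constructed sample dictionaries, not real captures.

```python
# Constructed RADIUS responses (sample values, not real captures). For EAP-TLS
# the server returns the MSK halves in MS-MPPE-Recv-Key / MS-MPPE-Send-Key on an
# Access-Accept; an Access-Reject carries no key material (RFC 2865 / RFC 3579).
ACCEPT_EAP_TLS = {
    "code": "Access-Accept",
    "MS-MPPE-Recv-Key": bytes(range(32)),       # constructed: first MSK half
    "MS-MPPE-Send-Key": bytes(range(32, 64)),   # constructed: second MSK half
    "Tunnel-Private-Group-ID": "100",           # production VLAN
}
REJECT_EAP_TLS = {"code": "Access-Reject"}
ACCEPT_MAC_AUTH_QUARANTINE = {
    "code": "Access-Accept",
    "Tunnel-Private-Group-ID": "999",           # quarantine VLAN via MAC auth
}


def pmk_from_response(resp):
    """Return the 802.11 PMK (first 256 bits of the MSK) or None.

    MSK = MS-MPPE-Recv-Key || MS-MPPE-Send-Key and PMK = L(MSK, 0, 256), so an
    Access-Reject, which carries neither attribute, yields no PMK and the
    4-way handshake (and thus the encrypted link) can never start."""
    if resp.get("code") != "Access-Accept":
        return None
    recv = resp.get("MS-MPPE-Recv-Key")
    send = resp.get("MS-MPPE-Send-Key")
    if not recv or not send:
        return None
    return (recv + send)[:32]


def wireless_outcome(resp):
    """What an AP/controller can do with the EAP-TLS result: no PMK, no link,
    and a VLAN attribute has no session to be applied to."""
    if pmk_from_response(resp) is None:
        return {"link": False, "vlan": None}
    return {"link": True, "vlan": resp.get("Tunnel-Private-Group-ID")}


def wired_outcome(dot1x_resp, mac_auth_resp=None):
    """A wired port has no key dependency, so after a dot1x reject the switch
    can (if configured) fall back to MAC authentication and apply its VLAN."""
    if dot1x_resp.get("code") == "Access-Accept":
        return {"link": True, "via": "dot1x",
                "vlan": dot1x_resp.get("Tunnel-Private-Group-ID")}
    if mac_auth_resp and mac_auth_resp.get("code") == "Access-Accept":
        return {"link": True, "via": "mac-auth",
                "vlan": mac_auth_resp.get("Tunnel-Private-Group-ID")}
    return {"link": False, "via": None, "vlan": None}
```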