Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
EAP-TLS Service Rule

  • 1.  EAP-TLS Service Rule

    Posted Mar 21, 2017 02:23 PM

    I'm trying to create two service rules for the same SSID: one for EAP-TLS and one for EAP-PEAP (or anything other than EAP-TLS). I have for the service rule for the EAP-TLS service:

     

    Type: Authentication
    Name: OuterMethod
    Operator: EQUALS
    Value: EAP-TLS

     

    I cannot get clients to hit this service with this rule. Trying to find out if the type should be different or if I'm messing something up in my logic. I have the same service rule for EAP-PEAP, but with a "NOTEQUALS" for the operator. 

     

    Any ideas?



  • 2.  RE: EAP-TLS Service Rule
    Best Answer

    EMPLOYEE
    Posted Mar 21, 2017 02:30 PM
    EAP method is negotiated after service categorization and thus cannot be used to categorize a service.


  • 3.  RE: EAP-TLS Service Rule

    Posted Mar 21, 2017 02:32 PM

    Ah man! That stinks... but good to know. I guess I have to come up with better logic to get EAP-TLS and EAP-PEAP on one SSID.


    Thanks Tim! That helps me save time trying to figure this out.



  • 4.  RE: EAP-TLS Service Rule

    EMPLOYEE
    Posted Mar 21, 2017 02:38 PM
    You can use OuterMethod in your enforcement policy. This is a pretty standard practice.


  • 5.  RE: EAP-TLS Service Rule

    Posted Mar 21, 2017 05:03 PM

    Thanks Tim,

     

    To make sure I understand, instead of splitting the Services up, keep one service but split the roles based on the enforcement policy?



  • 6.  RE: EAP-TLS Service Rule

    Posted Mar 21, 2017 05:18 PM

    Think I got this down...thanks to you Tim.


    * Created one service
    * Used all types of authentications I will use on this SSID
    * Split the different roles/traffic via the enforcement policies, which are based on the OuterMethod

     

    You rock man! Thanks again!



  • 7.  RE: EAP-TLS Service Rule

    EMPLOYEE
    Posted Mar 21, 2017 05:21 PM
    Awesome, glad you got it working!
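
A simplified model of the ordering described in replies 2 and 4, added here as an illustration; it is not ClearPass code and not from any poster in the thread. It assumes the first request of an 802.1X session carries an EAP-Response/Identity; the service names, role names, SSID and packets are constructed.

```python
import struct

# EAP type numbers from the IANA EAP registry (RFC 3748, RFC 5216).
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "EAP-PEAP"}
METHODS = {"EAP-TLS", "EAP-TTLS", "EAP-PEAP"}

def eap_response(ident: int, eap_type: int, data: bytes) -> bytes:
    """Build an EAP-Response (code 2) as carried in a RADIUS EAP-Message."""
    return struct.pack("!BBHB", 2, ident, 5 + len(data), eap_type) + data

def eap_type_name(packet: bytes) -> str:
    """Parse the EAP header and return the type name of a Request/Response."""
    if len(packet) < 5:
        raise ValueError("too short to carry an EAP type")
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code not in (1, 2) or length != len(packet):
        raise ValueError("not a well-formed EAP Request/Response")
    return EAP_TYPES.get(eap_type, f"type-{eap_type}")

def outer_method(packet: bytes):
    """Outer method visible in this packet, or None before negotiation."""
    name = eap_type_name(packet)
    return name if name in METHODS else None

def pick_service(first_packet: bytes, ssid: str):
    """Service selection sees only the first request of the session."""
    attrs = {"ssid": ssid, "OuterMethod": outer_method(first_packet)}
    if attrs["OuterMethod"] == "EAP-TLS":      # the rule from post 1
        return "tls-only-service"              # hypothetical name
    if attrs["ssid"] == "corp":                # rule on data known up front
        return "corp-dot1x-service"            # hypothetical name
    return None

def enforce(negotiated_packet: bytes) -> str:
    """Enforcement runs after authentication, so the method is known."""
    roles = {"EAP-TLS": "cert-role", "EAP-PEAP": "password-role"}  # hypothetical
    return roles.get(outer_method(negotiated_packet), "deny")

# Constructed session: identity response first, method packets later.
FIRST = eap_response(1, 1, b"alice")
TLS_PKT = eap_response(2, 13, b"\x00")   # flags byte only
PEAP_PKT = eap_response(2, 25, b"\x00")
```

The `tls-only-service` branch can never be reached from `FIRST`, which is the behaviour reported in post 1; the split by method only works in `enforce`.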