New Contributor

EAP-TLS client certificate checking with cppm

We are rolling out a new SSID that uses EAP-TLS for authentication. We have our own MPKI and have rolled out user certs and installed the needed certs on our ClearPass servers. We also have an SSID that uses PEAP for authentication. Everything was working fine in our test group until the auto-renewal failed on our MPKI solution (Symantec) and user certificates started expiring. Now users attempt to join the EAP-TLS SSID and fail to authenticate because of the expired cert. While we are working with Symantec on the cert auto-renewal issue, as a fallback plan, we would like to configure ClearPass so that users who fail to authenticate to the EAP-TLS SSID because their cert is expired then automatically roll over to the PEAP SSID and join it instead. Is there a way to do this?

Guru Elite

Re: EAP-TLS client certificate checking with cppm

There's nothing that can be done from the ClearPass perspective. SSID association is a client decision.

Tim Cappalli | Aruba Security | @timcappalli

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.