Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Instant AP Sending either hostname OR username to ClearPass

  • 1.  Instant AP Sending either hostname OR username to ClearPass

    Posted Jan 20, 2015 05:21 PM

    Instant AP Cluster is sending either username or hostname for AAA on ClearPass.  Can we restrict the IAP cluster to only send the username, and CPPM to only accept the username authentication?



  • 2.  RE: Instant AP Sending either hostname OR username to ClearPass

    EMPLOYEE
    Posted Jan 20, 2015 05:35 PM
    What type of authentication are you using?


  • 3.  RE: Instant AP Sending either hostname OR username to ClearPass

    Posted Jan 20, 2015 05:37 PM

    OnBoard, so first EAP-PEAP, then EAP-TLS.  Sometimes a user authenticates with one (machine or user), then it will send the other, failing and starting the process again.

     



  • 4.  RE: Instant AP Sending either hostname OR username to ClearPass

    EMPLOYEE
    Posted Jan 20, 2015 05:39 PM
    The reflected username will be dependent on how the device is authenticating.

    If it machine authenticates, it will show the FQHN. If the user authenticates, it will show the username.

    If you want the device to only machine authenticate, you need to configure the clients manually, use group policy, or use something like quickconnect.



    Are you Onboarding personal or corporate devices?


  • 5.  RE: Instant AP Sending either hostname OR username to ClearPass

    Posted Jan 20, 2015 05:46 PM

    OnBoard with both corporate and personal devices.

    I have also enabled MAC Fail-through as a possibility as well, but not "Enforce MAC Auth".

     

     



  • 6.  RE: Instant AP Sending either hostname OR username to ClearPass
    Best Answer

    EMPLOYEE
    Posted Jan 20, 2015 05:55 PM
    The clients would need to be configured for user authentication or you would have to use dual-SSID onboard.