Frequent Contributor I

PSK and ClearPass



A customer need a SSID to have WPA2-PSK as authentication method to be able to connect devices that do not support 802.1x och Captive Portal.

But they would like to be able to grand only specific devices access to this SSID by letting ClearPass verify if the device is approved or not.


Is it possible to combine WPA2-PSK authentication with an additional check sent to ClearPass? Maybe a auhtorization request?


Best Regards

Jonas Erlund Hammarbäck



Guru Elite

Re: PSK and ClearPass

You would need to find the AAA profile for the WPA2-PSK WLAN and add a mac authentication profile to it.


You would then setup mac-based authentication in ClearPass (I don't have a web link for that, but it should be in the help).

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Frequent Contributor I

Re: PSK and ClearPass

Thank you!

We will test this approach.




Re: PSK and ClearPass

Keep in mind as well that Clearpass offers a unique authentication source called "Allow All MACAUTH"  WIth this, we can leverage other context outside of maintaining a MAC address database for these users.


Essentially, Clearpass will allow any MAC address as valid for mac auth purposes.  Then, with policy, you can assign roles or deny access based on other variables such as:


MAC OUI (Connection:Client-MAC-Address BEGINS WITH <value>)

MAC Vendor (Connection:Client-MAC-Vendor CONTAINS <value>)

Profile Info (Authorization:[Endpoints Repository]:Category OR OS Family CONTAINS <value>)

Hostname (Authorization:[Endpoints Repository]:Hostname CONTAINS <value>)


Or even a Custom Attribute YOU add to the Endpoint DB record for the device


All in all, you can write a very secure/granular policy without having to maintain specific MAC addresses

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos
Frequent Contributor I

Re: PSK and ClearPass

The method  "Allow All MACAUTH" combined with custom attributes in the Endpoints Repository will be the best solution for our porposes as I can see now.


Thanks for the tip!


Jonas Erlund Hammarbäck


Re: PSK and ClearPass

I love when a "Search Airheads" hit gives me exactly what I need to solve today's (current) problem!

Thanks everyone!


if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Search Airheads
Showing results for 
Search instead for 
Did you mean: