Wired Intelligent Edge


ArubaOS Switch profile manager

  • 1.  ArubaOS Switch profile manager

    Posted Nov 01, 2018 10:11 AM

    Hi airheads,

    I'm trying to use device profiling for APs so that I don't have to authenticate them using ClearPass. I have the following in my config on a 2930F.

    device-profile name "cowaruba-ap"
       untagged-vlan 236
       poe-priority high
       exit
    device-profile type "aruba-ap"
       associate "cowaruba-ap"
       enable
       exit

    I'm also using MAC auth and 802.1x on edge ports for auth. The problem is that when I plug in an AP, with debugging on I see the following:

    W 11/01/18 09:36:20 05142 profile-manager: ST1-CMDR: Profile manager application failed on port 1/6 as it conflicts with RADIUS configuration.

    Can I really not use both 802.1x and profile-manager together?



  • 2.  RE: ArubaOS Switch profile manager

    EMPLOYEE
    Posted Nov 01, 2018 10:13 AM
    You really should be using EAP-TLS with your Aruba APs to ClearPass.

    Using device profiles opens a potential security hole and you have conflicting authoritative access control at the edge of the network.


  • 3.  RE: ArubaOS Switch profile manager

    Posted Nov 01, 2018 10:15 AM

    I've never thought of using EAP-TLS for AP auth. Is there a technote or write-up on that?



  • 4.  RE: ArubaOS Switch profile manager

    EMPLOYEE
    Posted Nov 01, 2018 10:23 AM
    Are you running ArubaOS 8.2 or higher?


  • 5.  RE: ArubaOS Switch profile manager

    Posted Nov 01, 2018 10:25 AM

    AOS 8.2.1



  • 6.  RE: ArubaOS Switch profile manager

    EMPLOYEE
    Posted Nov 01, 2018 10:27 AM

    Since you haven't yet deployed this, I would recommend waiting until 8.4 is released to make these changes if at all possible.



  • 7.  RE: ArubaOS Switch profile manager

    Posted Nov 01, 2018 10:37 AM

    In the meantime, how should I auth my APs at the switch? I would rather not import all 1500 MAC addresses into ClearPass.



  • 8.  RE: ArubaOS Switch profile manager
    Best Answer

    EMPLOYEE
    Posted Nov 01, 2018 10:41 AM
    You can just write rules based on the profile data. Combination of profile + MAC vendor and assign an “ap” role that only lets them talk to controllers.


  • 9.  RE: ArubaOS Switch profile manager

    Posted Nov 01, 2018 10:44 AM

    Understood. When 8.4 is released, will there be (or is there now) documentation for the TLS auth?