New Contributor

Clearpass EAP-PEAP after EAP-TLS

Hi All,

 

We have Aruba Instant and Clearpass. I would like to know if the following scenario is possible:

 

1. User is authenticated via EAP-TLS

2. On a successful authentication, users are redirected to a captive portal.

3. Users enter the AD credential to complete the authentication process.

 

Any response will be appreciated.

 

Thanks

Nathan

Guru Elite

Re: Clearpass EAP-PEAP after EAP-TLS

Yes. The default 802.1x role on the controller would have to be some sort of logon role so that successful 802.1x authentication leads to a captive portal when the user opens a browser. It can be clumsy from a user experience perspective, but it can be done.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
New Contributor

Re: Clearpass EAP-PEAP after EAP-TLS

Hi Joseph,

 

Thanks for that.  Actually this is for particular users, normal users would use TLS.

 

Do I need to create another service within Clearpass for captive portal authentication? And it should be above the TLS service?

Guru Elite

Re: Clearpass EAP-PEAP after EAP-TLS

The EAP method is configured on the device. It’s not determined by who a user is.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Guru Elite

Re: Clearpass EAP-PEAP after EAP-TLS

I think he wants to do Captive Portal (PAP - not EAP-PEAP), after EAP-TLS.

 

Again, the scenario of Captive Portal after EAP-TLS is possible, but presents a bad user experience. To authenticate captive portal, you would need a separate service that only authenticates via PAP.


New Contributor

Re: Clearpass EAP-PEAP after EAP-TLS

Thanks. One more question, how can I set the service rule to match the captive portal authentication? Based on Application name?

 

Guru Elite

Re: Clearpass EAP-PEAP after EAP-TLS

Typically you would filter by ESSID, but in this case the SSID is the same, so you cannot. You would have to combine it all into one service by adding PAP as an authentication method. Once again, I do not advise layering Captive Portal on top of encryption, because it is clumsy and becomes more difficult to troubleshoot in the end.


New Contributor

Re: Clearpass EAP-PEAP after EAP-TLS

Thanks for the advice. I will try that.

 

This is a special need from the customer: the SSID is for non-employees, however they need access to the internal network.
