First, let me answer your question. Do you have an on-premise AD? Then you can use the AD as authorization source and run (S)LDAP queries against your AD; you can then use AD attributes like "group membership" in your ClearPass enforcement policy to create a differentiator. You can also create a differentiator on the inner EAP method, where you differentiate between TLS and PEAP.
Edit: Lord's recommendation below can also be a good option.
But dig a little deeper into this topic. The issue with EAP-PEAP MSCHAPv2 is that it's very easy to configure, is widely supported on any type of device, and the end user has a great experience because they can easily use their AD credentials to log in. The drawback is that MSCHAPv2 has been vulnerable to easily leaking passwords for many years, and EAP-PEAP (for good reasons) is not supported when using a cloud service like Azure AD.
See also Herman's video with a great explanation here: https://www.youtube.com/watch?v=50fO3j4NgyQ
The next thing is that unmanaged devices like a GUEST or BYOD device "always" have insecure authentication to the network, because it's an unmanaged device: you can't manage the endpoint settings. Unless you use an MDM solution like Microsoft Intune or ClearPass Onboard for BYOD provisioning. A different MDM solution is fine as long as you can deploy certificates and configure EAP-TLS with it.
A side note is that EAP-PEAP can be secure when correctly configured on the endpoint. In the 802.1X settings on the endpoint you can set the configuration so that a user can't accept a different RADIUS server certificate. The drawback here is that you don't know if the client is a managed device or another device that is not configured by you and is missing this setting on the client side.
Another thing that is important is to decide what network rights you have with the endpoint after successful authentication. A corporate device could have access to corporate resources in the network, whereas a guest or BYOD device normally only has a dedicated network with internet access only.
When you still want to use EAP-PEAP for unmanaged (BYOD) devices, don't use AD credentials but create dedicated accounts in the local user repository of ClearPass, for example. But it all depends on the size of your organization.
Aruba ClearPass Onboard's purpose is to self-provision and onboard BYOD devices when you don't have another MDM solution for your BYOD devices.
Another thing is to think about the network access the endpoint needs.
When your BYOD devices only need internet access and security rules are tightly set, you can go for WPA3-Personal, for example.
When your BYOD devices need access to internal resources, I would recommend always going for WPA2-Enterprise EAP-TLS.
------------------------------
Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
------------------------------
Original Message:
Sent: Mar 11, 2023 08:50 PM
From: Halfeez92
Subject: ClearPass Machine Authentication without TLS/Certificate
I wanted to differentiate between the AD-joined machine and the BYOD machine. The only thing that I can think of to separate them is by using machine authentication. If a BYOD machine can connect to the SSID using username/password authentication, what is the difference with the AD-joined machine? They can also use the username/password to connect to the SSID.
Are there any other parameters that I can use to differentiate between those two machines?
Original Message:
Sent: Mar 11, 2023 06:01 PM
From: mkk
Subject: ClearPass Machine Authentication without TLS/Certificate
Note that EAP-PEAP isn't really a secure auth method nowadays; it can easily leak your AD passwords to the public. Therefore EAP-TLS is the holy grail for network authentication. Good moment to install an AD CS in your environment; it's not that hard!
A good point for starting with ADCS can be found here: https://blog.naglis.no/?p=3121
Bonus: Also note that EAP-PEAP will only work with on-premise AD as authorization source in ClearPass. When moving to Azure AD you can only use EAP-TLS (which is a good thing) when you want Azure AD as authorization source in ClearPass.
------------------------------
Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
Original Message:
Sent: Mar 11, 2023 05:03 AM
From: lord
Subject: ClearPass Machine Authentication without TLS/Certificate
As everyone has already written, Computer Account Authentication works really well; you can also query AD group membership. You just need to configure Windows PCs correctly and join ClearPass to the domain. But note that the Windows 11 update (22H2) will enable the "Credential Guard" feature. This will disable MSCHAPv2, and as a consequence PEAP will be disabled. Check beforehand if Credential Guard is already enabled or if it is planned to enable it.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
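An added endpoint audit script (my own, not code from any poster in this thread) for the two client-side checks raised above: Waldemar's advice to check beforehand whether Credential Guard is enabled (it disables MSCHAPv2 and therefore PEAP-MSCHAPv2), and Marcel's point that PEAP is only acceptable when the supplicant is locked to the expected RADIUS server certificate. It assumes an elevated PowerShell session on a Windows 10/11 client; the XML element names are taken from the standard `netsh wlan export profile` output format, and the Win32_DeviceGuard / LsaCfgFlags values are the documented Credential Guard indicators.

```powershell
# Added audit script, not from the thread. Run in an elevated PowerShell on the Windows client.
# 1) Credential Guard state: while it runs, MSCHAPv2 (and so PEAP-MSCHAPv2) no longer works.
# 2) For every saved Wi-Fi profile: is the RADIUS server certificate pinned in the supplicant
#    (no user prompt, expected server name, trusted root CA)? Element names follow the
#    'netsh wlan export profile' XML; EAP type 13 = EAP-TLS, 25 = EAP-PEAP.

function Get-CredentialGuardState {
    # Win32_DeviceGuard lists security services; value 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled, 0 or absent = disabled
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Running     = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
        Configured  = [bool]($dg -and ($dg.SecurityServicesConfigured -contains 1))
        LsaCfgFlags = if ($lsa) { $lsa.LsaCfgFlags } else { 0 }
    }
}

function Test-WlanProfileServerValidation {
    $dir = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    netsh wlan export profile "folder=`"$dir`"" | Out-Null   # exports every saved profile as XML
    foreach ($file in Get-ChildItem -Path $dir -Filter '*.xml') {
        [xml]$p = Get-Content -Path $file.FullName -Raw
        $sec = $p.WLANProfile.MSM.security
        $row = [ordered]@{
            Profile  = $p.WLANProfile.name
            Auth     = $sec.authEncryption.authentication   # WPA2 = Enterprise; WPA2PSK / WPA3SAE = Personal
            AuthMode = $sec.OneX.authMode                    # machine, user or machineOrUser (null without 802.1X)
            Eap      = 'none'
            Verdict  = 'n/a (no 802.1X)'
        }
        if ($sec.OneX) {
            $ehc = $sec.OneX.EAPConfig.EapHostConfig
            $row.Eap = switch ($ehc.Config.Eap.Type) { 13 { 'EAP-TLS' } 25 { 'EAP-PEAP' } default { "EAP-$_" } }
            $sv = $ehc.Config.Eap.EapType.ServerValidation   # present for both TLS and PEAP profiles
            $noPrompt = $sv.DisableUserPromptForServerValidation -eq 'true'
            $hasName  = -not [string]::IsNullOrWhiteSpace($sv.ServerNames)
            $hasCA    = -not [string]::IsNullOrWhiteSpace(($sv.TrustedRootCA -join ''))
            $row.Verdict = if ($noPrompt -and $hasName -and $hasCA) { 'server cert pinned' }
                           else { 'WEAK: user could accept an unexpected RADIUS certificate' }
        }
        [pscustomobject]$row
    }
    Remove-Item -Path $dir -Recurse -Force
}

Get-CredentialGuardState
Test-WlanProfileServerValidation | Format-Table -AutoSize
```

A profile that reports `Running = True` for Credential Guard together with `EAP-PEAP` is the combination Waldemar warns about; a `WEAK` verdict on a PEAP profile is the missing supplicant setting Marcel describes.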
Original Message:
Sent: Mar 10, 2023 01:27 AM
From: Halfeez92
Subject: ClearPass Machine Authentication without TLS/Certificate
Hi,
Is it possible to do machine authentication without any certificate? Currently our AD environment does not use the AD CS feature. I already watched Herman's videos on YouTube, but all of the videos show machine authentication using a TLS certificate.
Thank you.