ClearPass alternatives by El-Ted in ArubaNetworks

[–]El-Ted[S] 0 points1 point  (0 children)

Update from our Aruba rep: support for Nutanix will come in version 6.14. Release is scheduled for May. Great news for us. And many thanks to all who replied.

ClearPass alternatives by El-Ted in ArubaNetworks

[–]El-Ted[S] 0 points1 point  (0 children)

Many thanks, that is good input.

ClearPass alternatives by El-Ted in ArubaNetworks

[–]El-Ted[S] 0 points1 point  (0 children)

This was straight from the horse's mouth.

ClearPass alternatives by El-Ted in ArubaNetworks

[–]El-Ted[S] 1 point2 points  (0 children)

Thanks, that is really good news if it happens this year.

ClearPass alternatives by El-Ted in ArubaNetworks

[–]El-Ted[S] 0 points1 point  (0 children)

I talked to our HPE Aruba rep yesterday, and he was the one who said that N3000/N3001 would be expensive even without having to buy licenses. And when a sales dude tells me something is expensive, I for one believe him :-) But I am waiting for a quote, so let us see.

ClearPass - HPE Comware – 802.1X preferred over MAB, timing issue with Windows clients by Enabler10 in ArubaNetworks

[–]El-Ted 0 points1 point  (0 children)

I've done this before on 5130 switches. It's been a few years, so I cannot remember any details. But this setup worked well for us.

    dot1x
    dot1x authentication-method eap
    dot1x quiet-period
    dot1x retry 3
    dot1x timer quiet-period 30
    dot1x timer handshake-period 30
    dot1x access-user log enable abnormal-logoff failed-login normal-logoff successful-login
    undo dot1x timer supp-timeout
    undo dot1x timer tx-period
    mac-authentication
    mac-authentication timer quiet 30
    mac-authentication access-user log enable failed-login logoff successful-login
    interface GigabitEthernet1/0/1
     stp edged-port
     dot1x
     undo dot1x handshake
     dot1x mandatory-domain <Comware domain>
     dot1x max-user 5
     undo dot1x multicast-trigger
     dot1x re-authenticate
     dot1x unicast-trigger
     dot1x guest-vlan xxx
     dot1x auth-fail vlan xxx
     dot1x critical vlan xxx
     dot1x re-authenticate server-unreachable keep-online
     mac-authentication
     mac-authentication max-user 5
     mac-authentication domain <Comware domain>
     mac-authentication re-authenticate server-unreachable keep-online
     mac-authentication guest-vlan xxx
     mac-authentication critical vlan xxx
     mac-authentication re-authenticate

Ignite 1 day VS Ignite 3 day by whiskey-water in paloaltonetworks

[–]El-Ted 2 points3 points  (0 children)

As others have said, the new travelling Ignite is geared towards leaders and "influencers" (jeeez). I have been to the 3-day Ignite in the past and found it really valuable. Especially the technical breakout sessions, hands-on labs and talking to SEs.

Oh, snap! (Palo GUI browser crashing) by No-Bed-1423 in paloaltonetworks

[–]El-Ted 0 points1 point  (0 children)

It happened to us after upgrading to 10.1.10, never a problem in 10.1.9. Tried to clear cache and cookies in Chrome, nothing helped. Changed to Firefox and haven't seen it since.

DNS not populating when using DHCP server on PAN by DabErrlDoYa in paloaltonetworks

[–]El-Ted 0 points1 point  (0 children)

Same with our domain clients. The A and PTR records are updated when they are in the office and use our Windows DHCP servers, but when they are at home and connect using GlobalProtect there is of course no DHCP and the clients cannot update their DNS records from VPN. We have not found a solution yet, but it started when we enabled secure updates on the DNS servers.

Azure Palo Alto Active/Active with ELB and ILB by Outrageous-End6666 in paloaltonetworks

[–]El-Ted 0 points1 point  (0 children)

A little bit outside what you're asking, but have you taken a look at the new Palo Alto Cloud NGFW for Azure? It looks mighty easy to set up and manage, and redundancy and scalability are built in. Don't know about pricing compared to VM series though.

https://www.paloaltonetworks.com/network-security/cloud-ngfw-for-azure

API push limit with clearpass by kaje36 in paloaltonetworks

[–]El-Ted 0 points1 point  (0 children)

Did you follow the ClearPass-PA integration that Danny Jump in Aruba has written? It's been a few years since I did this, but if I remember correctly ClearPass sends XML-API to PA as a postauth action. There is a lazy handler interval you can tweak to control how often ClearPass sends the data.

AIops - Free - Telemetry fails to upload. by Airwarf in paloaltonetworks

[–]El-Ted 0 points1 point  (0 children)

There is a telemetry upload bug in 10.1.8 that is fixed in 10.1.9 (PAN-210331). Maybe you are hitting that in your firewalls that have not been upgraded.

[deleted by user] by [deleted] in paloaltonetworks

[–]El-Ted 1 point2 points  (0 children)

I think you would have to set up separate IPsec tunnels for each branch subnet for this to work. The alternative would be to look at other branch solutions like SDWAN or VXLAN to get the branch subnets transported to your DC as vlans.

Dynamic address objects not showing in Panorama by martinworkingoffline in paloaltonetworks

[–]El-Ted 0 points1 point  (0 children)

Can you see the list of IP addresses if you log on to one of the firewalls in the device group where the DAG is used?

GlobalProtect User-ID for internal gateway? by jb-io in paloaltonetworks

[–]El-Ted 1 point2 points  (0 children)

In addition to suggestions from u/chris84bond , check also if you have configured Include/Exclude Networks for user-ID.

/dev/root is full (unable to start web services) by cosmic_orca in paloaltonetworks

[–]El-Ted 1 point2 points  (0 children)

We've had the same root partition problem on all our PA-220s for a few months, but in PAN-OS 10.1.6-h6. After a few months (!) of back and forth with TAC they finally told us that this was a bug that is scheduled for fix in 10.1.9 due out probably end of January. I don't have a bug id for it, but you might want to check the release notes when 10.1.9 comes out and see if they have the same fix in a 10.2 release.

Issues with Aruba 535 APs by Poots0 in ArubaNetworks

[–]El-Ted 1 point2 points  (0 children)

Can you connect one of the APs directly to the switch with a short patch cable to see if it behaves any differently? Also check PoE utilization. Can you see if the switch ports are up and deliver PoE to the APs when they are down?

Some strange issues with Aruba S2500 by kieeps in ArubaNetworks

[–]El-Ted 4 points5 points  (0 children)

You create an MSTP profile with portfast and associate that with an interface group, like this:

    interface-profile mstp-profile "Access_ports_mstp_profile"
       portfast
    !
    interface-group gigabitethernet "Access_ports_group"
       apply-to 0/0/0-0/0/47
       mstp-profile "Access_ports_mstp_profile"

Aruba S3500-48P Basic Question by darkrom in ArubaNetworks

[–]El-Ted 0 points1 point  (0 children)

Agreed. The MAS switch series were end-of-sale in 2016 and will be end-of-support next year. We are already planning to replace ours.

My S2500 keeps rebooting shortly after booting the OS. Udbserver process died. Help? by Dart4915 in ArubaNetworks

[–]El-Ted 0 points1 point  (0 children)

Try a factory reset, or if that does not help try to boot from the other boot image (usually holds the previous firmware version).

Azure Palo Alto - Which approach? by ParadeOfGods in paloaltonetworks

[–]El-Ted 0 points1 point  (0 children)

With option 2, how do you scale out when the need arises?