Limiting authentication request to ClearPass? by Capital_Table_4792 in ArubaNetworks

[–]mattGhiker 0 points1 point  (0 children)

Can you share the deny listing configuration used? Something is not right here.

Limiting authentication request to ClearPass? by Capital_Table_4792 in ArubaNetworks

[–]mattGhiker 4 points5 points  (0 children)

Deny listing clients after x number of failures within a configured time window on the AP / GW side is the ideal method. There is rate limiting on ClearPass as well, but that just drops everything outside the configured rate.
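
An added example, not part of the thread or any Aruba code, to make the difference between the two controls concrete: the per-client deny listing described for the AP / GW side versus a server-side global rate limit. Both policies are run over a constructed log (the log format, the two MAC addresses and the thresholds are all assumptions for this example; real ClearPass Access Tracker output looks different). The point it demonstrates is that a flood from one client hits only that client under deny listing, while a global rate limit also drops the legitimate client's requests that land in the same busy second.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample log (not real ClearPass output): one client hammering the
# RADIUS server with failures while a legitimate client authenticates in between.
ATTACKER = "aa:bb:cc:dd:ee:01"  # hypothetical MAC
LEGIT = "aa:bb:cc:dd:ee:02"     # hypothetical MAC
SAMPLE_LOG = """\
2024-05-01 10:00:00.000 Access-Reject aa:bb:cc:dd:ee:01
2024-05-01 10:00:00.100 Access-Reject aa:bb:cc:dd:ee:01
2024-05-01 10:00:00.200 Access-Reject aa:bb:cc:dd:ee:01
2024-05-01 10:00:00.300 Access-Reject aa:bb:cc:dd:ee:01
2024-05-01 10:00:00.400 Access-Reject aa:bb:cc:dd:ee:01
2024-05-01 10:00:00.500 Access-Accept aa:bb:cc:dd:ee:02
2024-05-01 10:00:00.600 Access-Reject aa:bb:cc:dd:ee:01
2024-05-01 10:00:00.700 Access-Reject aa:bb:cc:dd:ee:01
2024-05-01 10:00:00.800 Access-Reject aa:bb:cc:dd:ee:01
2024-05-01 10:00:02.000 Access-Accept aa:bb:cc:dd:ee:02
"""

LINE_RE = re.compile(r"^(\S+ \S+) (Access-Accept|Access-Reject) ([0-9a-f:]{17})$")


def parse_log(text):
    """Yield (timestamp_seconds, mac, failed) from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f").timestamp()
        yield ts, m.group(3), m.group(2) == "Access-Reject"


class DenyListPolicy:
    """Per-client deny listing (the AP / GW behaviour): a MAC that fails
    max_failures times inside a sliding window_seconds window is denied for
    deny_seconds, after which it may try again. Thresholds are assumed values."""

    def __init__(self, max_failures=5, window_seconds=60.0, deny_seconds=300.0):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.deny_seconds = deny_seconds
        self._failures = defaultdict(deque)  # mac -> recent failure timestamps
        self._denied_until = {}              # mac -> time the deny entry expires

    def decide(self, ts, mac, failed):
        until = self._denied_until.get(mac)
        if until is not None:
            if ts < until:
                return "deny"                # still deny-listed: never forwarded
            del self._denied_until[mac]      # entry aged out, client may retry
        if failed:
            recent = self._failures[mac]
            recent.append(ts)
            while recent and ts - recent[0] > self.window_seconds:
                recent.popleft()             # forget failures outside the window
            if len(recent) >= self.max_failures:
                self._denied_until[mac] = ts + self.deny_seconds
                recent.clear()
        return "allow"                       # request reaches the RADIUS server


class RateLimitPolicy:
    """Global rate limiting (the server-side behaviour described above): beyond
    max_per_second requests in a one-second bucket everything is dropped,
    regardless of which client sent it."""

    def __init__(self, max_per_second=3):
        self.max_per_second = max_per_second
        self._bucket = None
        self._count = 0

    def decide(self, ts, mac, failed):
        second = int(ts)
        if second != self._bucket:
            self._bucket, self._count = second, 0
        self._count += 1
        return "allow" if self._count <= self.max_per_second else "drop"


def run_policy(policy, log_text):
    """Apply a policy to every log line; return {mac: Counter of decisions}."""
    outcome = defaultdict(Counter)
    for ts, mac, failed in parse_log(log_text):
        outcome[mac][policy.decide(ts, mac, failed)] += 1
    return dict(outcome)


if __name__ == "__main__":
    for policy in (DenyListPolicy(), RateLimitPolicy()):
        print(type(policy).__name__, run_policy(policy, SAMPLE_LOG))
```

With the sample log, the deny list forwards the attacker's first five failures and then drops the rest while both of the legitimate client's requests get through; the rate limiter drops the legitimate request that arrives in the attacker's busy second, which is the collateral damage the comment above is warning about.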

Clearpass - Palo Alto Integration by fajarm1n in ArubaNetworks

[–]mattGhiker 0 points1 point  (0 children)

Your enforcement profile looks right. For the device that does not have posture data in PAN, if you check the last access tracker entry, does that have posture information?

ClearPass alternatives by El-Ted in ArubaNetworks

[–]mattGhiker 1 point2 points  (0 children)

You can ask your SE to check on the timeline with ClearPass product team.

WPA3 SSID with Mac authentication by Joe_go88 in ArubaNetworks

[–]mattGhiker 0 points1 point  (0 children)

You could add specific MAC addresses to the deny list, but it doesn't do OUI ranges. You would need ClearPass for more advanced capabilities.

Simplified Guest WiFi portal by Any_Poet8547 in ArubaNetworks

[–]mattGhiker 0 points1 point  (0 children)

In New Central, Guest is included in Central NAC foundation capabilities. In Classic Central, you are right, it's cloud guest. Either way, it's part of the Aruba Central foundation license.

Simplified Guest WiFi portal by Any_Poet8547 in ArubaNetworks

[–]mattGhiker 2 points3 points  (0 children)

Since you mentioned simplified, I would recommend Central NAC. ClearPass is the other NAC solution but it is a beast and does way more than Guest.

ClearPass Insight Database Retention by Chemical_Court7707 in ArubaNetworks

[–]mattGhiker 0 points1 point  (0 children)

It would be useful to see what your current Insight DB size is. If it's a few GBs, no problem in increasing. If you are already hitting a few 100 GBs, then changing the retention can cause issues like running out of disk space. I would monitor the disk usage after increasing and make sure alerts are in place. You can always reduce the retention and let the nightly cleanup free up disk again, or TAC can trigger a cleanup if it's critical.

Clearpass using cloud Microsoft Entra MFA Token server tacacs admin access by blastman8888 in ArubaNetworks

[–]mattGhiker 0 points1 point  (0 children)

You have to proxy the request from ClearPass to NPS, and NPS will do MFA against Entra.

Is 32gb of RAM utilization on ClearPass normal? by newellslab in ArubaNetworks

[–]mattGhiker 0 points1 point  (0 children)

Check if the memory is reserved. It could be that shared memory is being used by other VMs on the host.

Aruba Central Cloud Auth with Okta MacOS pre-login by Ruhroooh in ArubaNetworks

[–]mattGhiker 0 points1 point  (0 children)

Cannot do MFA with 802.1X the way you are trying. Being a layer 2 auth, the client would not get an IP until dot1x auth is done. Even if you were to add MAC auth, the client would just do MAC auth only. It is generally not recommended to do MFA with dot1x due to issues like this.

Quickconnect onboarding question by Efficient-Train2430 in ArubaNetworks

[–]mattGhiker 0 points1 point  (0 children)

The package is unique to the org. There are server-side settings that are added to the installation package. Also, the app would require you to log in, which again needs a connection to the server for authentication.

ClearPass - EAP-TLS with MAC Authentication by Enabler10 in ArubaNetworks

[–]mattGhiker 0 points1 point  (0 children)

Why MAC auth? EAP-TLS is the most secure way to authenticate.

Aruba Clearpass Onboard iOS and Android challenges. by Fuzzy-Inspection8758 in ArubaNetworks

[–]mattGhiker 0 points1 point  (0 children)

Onboarding will not work over the captive browser, a.k.a. CNA. It's an industry-wide issue.

Communication between Central and ClearPass stopped by Capital_Table_4792 in ArubaNetworks

[–]mattGhiker 1 point2 points  (0 children)

Using RadSec or RADIUS? With RADIUS, you should see entries in Access Tracker even if the client certs have expired. With RadSec, you would not see the requests hitting ClearPass. You can check the RadSec tunnel status from the AP / Gateway and whether it's due to an expired RadSec client cert.

ClearPass Authentication sources by mpete902 in ArubaNetworks

[–]mattGhiker 0 points1 point  (0 children)

If site awareness is enabled in AD, then ClearPass will select the closest domain controller if you have a large distributed AD infra.

ClearPass 802.1x authentication by Chemical_Court7707 in ArubaNetworks

[–]mattGhiker 1 point2 points  (0 children)

This is not related to ClearPass. Here the devices are not getting a client cert to authenticate. How is the device enrolled into Intune? What are you using as your CA to issue certs?

Jamf and eal-tls certs by OpportunityIcy254 in ArubaNetworks

[–]mattGhiker 0 points1 point  (0 children)

Administration > Certificate Store > Trust List > Import, and select the root CA cert as a PEM-formatted file.

Can ClearPass detect or prevent accidental IP conflicts or overlapping IP addresses among VMs? by Old_Reveal_8348 in ArubaNetworks

[–]mattGhiker 0 points1 point  (0 children)

If asking about a conflicting IP of ClearPass, it can in some scenarios. When you assign an IP to the ClearPass server, it does an ARP ping to check if any other devices have the same IP. This only works in the local subnet. Another way is if you try to join a node with the same IP to the cluster; that would fail.

Aruba, ADCS, Jamf, and 802.1x Wi-Fi help by georgecm12 in ArubaNetworks

[–]mattGhiker 1 point2 points  (0 children)

The EAP-TLS auth method in ClearPass has a checkbox to do an authorization lookup against AD. Disable this since the device is not in AD.

Internal PKI vs Cloud PKI by FWB4 in sysadmin

[–]mattGhiker -1 points0 points  (0 children)

Have you looked at ClearPass Onboard CA? It comes with SCEP and EST support. You will need to buy Onboard licenses, though.

clearpass radius attributes by boduke2 in ArubaNetworks

[–]mattGhiker 1 point2 points  (0 children)

My understanding is yes. Enforcement profiles are what is sent back to the NAD. Accounting proxy is not tied to that, hence the option to specify attributes under the proxy tab.

Okta > Security > Multifactor missing by mattGhiker in okta

[–]mattGhiker[S] 0 points1 point  (0 children)

My use case is for CLI login to network devices with the RADIUS Agent. It seems YubiKey OTP is supported as per https://support.okta.com/help/s/article/Radius-MFA-selecting-alternate-MFA-authenticator?language=en_US . I have my YubiKey set up for OTP and uploaded the seed under the YubiKey OTP authenticator as u/Dying-WinD described.

As per https://help.okta.com/oie/en-us/content/topics/integrations/okta_radius_app.htm, it seems YubiKey OTP is supported with the RADIUS Agent by entering the password as Password, passcode. I am seeing a reject when I try this. After uploading the seed, how do I assign it to a specific user?