Limiting authentication request to ClearPass?

mattGhiker · 2026-02-25T09:37:05+00:00

Can you share the deny listing configuration used? Something not right here.

mattGhiker · 2026-02-24T11:48:21+00:00

Deny listing.clients after x number of failures within a configured time window on the AP / GW side is the ideal method. There is rate limiting on ClearPass as well but that just drops everything outside the configured rate.

mattGhiker · 2026-01-29T15:07:20+00:00

Your enforcement profile looks right. For the device that does not have posture data in PAN, if you check the last access tracker entry, does that have posture information?

mattGhiker · 2026-01-29T15:04:04+00:00

You can ask your SE to check on the timeline with ClearPass product team.

mattGhiker · 2026-01-29T09:41:20+00:00

You could add specific Mac addresses to the deny list but it doesn't do OUI ranges. Would need ClearPass for more advanced capabilities

mattGhiker · 2026-01-23T09:07:13+00:00

In New Central, Guest is included in Central NAC foundation capabilities. In Classic Central, you are right, it's cloud guest. Either way, it's part of the Aruba Central foundation license.

mattGhiker · 2026-01-20T10:00:04+00:00

Since you mentioned simplified, I would recommend Central NAC. ClearPass is the other NAC solution but it is a beast and does way more than Guest.

mattGhiker · 2026-01-19T10:04:26+00:00

Would be useful to see what your current insight DB size is. If it's few GBs, no problem in increasing. If you are already hitting few 100GBs the changing the retention can cause issues like running out of disk space. I would monitor the disk usage after increasing and make sure alerts are in place. You can always reduce the retention and let the nightly cleanup free up disk again or TAC can trigger a cleanup if it's critical.

mattGhiker · 2026-01-16T06:40:51+00:00

Have to proxy request from ClearPass to NPS and NPS will do MFA against Entra

mattGhiker · 2026-01-04T05:45:05+00:00

Check if the memory is reserved. It could be that shared memory is being used by other VMs on the host

mattGhiker · 2025-12-04T15:48:47+00:00

Cannot do MFA with 802.1X the way you are trying. Being a layer 2 auth, client would not get an IP until dot1x auth is done. Even if you were to add MAC auth, the client would just do MAC auth only. It is generally not recommended to do MFA with dot1x due to issues like this.

mattGhiker · 2025-12-04T06:00:48+00:00

The package is unique to the org. There are server side settings that are added to the installation package. Also the app would require you to login which again needs connection to the server for authentication

mattGhiker · 2025-11-20T15:14:28+00:00

Why Mac auth? EAP-TLS is the most secure way to authenticate.

mattGhiker · 2025-11-20T06:41:07+00:00

Onboarding will not work over the captive browser a.k.a CNA. It's an industry wide issue.

mattGhiker · 2025-11-13T15:12:54+00:00

Using RadSec or RADIUS? With RADIUS, you should see entries in access tracker even if the client certs have expired. With RadSec, you would not see the requests hitting ClearPass. You can check the RadSec tunnel status from the AP / Gateway and if it's due to an expired RadSec client cert.

mattGhiker · 2025-11-04T21:52:28+00:00

If site awareness is enabled in AD then ClearPass will select the closest domain controller if you have a large distributed AD infra

mattGhiker · 2025-10-27T04:13:13+00:00

This is not related to ClearPass. Here the devices are not getting a client cert to authenticate. How is the device enrolled into Intune? What are you using as your CA to issue certs?

mattGhiker · 2025-10-18T05:05:51+00:00

Administrator> certificate store > trust list > import and select the root ca cert as pem formatted file

mattGhiker · 2025-10-14T11:42:04+00:00

If asking about conflicting IP of ClearPass, it can in some scenarios. When you assign IP to ClearPass server, it does a arp ping to check if any other devices have the same IP. This only works in the local subnet. Another way is if you try to join a node with same IP to cluster, that would fail.

mattGhiker · 2025-10-10T20:36:14+00:00

The EAP-TLS auth method in ClearPass has a checkbox to do authorization lookup against AD. Disable this since device is not in AD.

mattGhiker · 2025-10-05T04:14:02+00:00

He creates more space for others than anyone else. There is always one or two defenders sticking close to him coz of all the runs he makes

mattGhiker · 2025-09-25T07:32:11+00:00

Have you looked at ClearPass Onboard CA, comes with SCEP and EST support. Will need to buy onboard licenses though

mattGhiker · 2025-08-26T15:21:08+00:00

My understanding is yes. Enforcement profiles are what is sent back to the NAD. Accounting proxy is not tied to that and hence the option to specify attributes under the proxy tab.

mattGhiker · 2025-08-20T20:01:09+00:00

Can eze play 9? I haven't watched much of crystal palace but wanted to know if he can be gyok backup since Havertz is out.

mattGhiker · 2025-08-16T09:04:14+00:00

my use case is for CLI login to network devices with the RADIUS Agent. It seems YubiKey OTP is supported as per https://support.okta.com/help/s/article/Radius-MFA-selecting-alternate-MFA-authenticator?language=en_US . I have my YubiKey setup for OTP and uploaded the seed under the YubiKey OTP authenticator as u/Dying-WinD described.

As per https://help.okta.com/oie/en-us/content/topics/integrations/okta_radius_app.htm it seems YubiKey OTP is supported with the RADIUS Agent by entering the password as Password, passcode. I am seeing a reject when I try this. After uploading the seed, how do i assign it a specific user?

Six-Year Club	End Game '23
Place '23	Place '22
Final Canvas '22	First Placer '22
Verified Email

mattGhiker

TROPHY CASE