Security

  • 1.  AP TPM ap1x authentication for EAP-TLS against Clearpass

    Posted Nov 20, 2025 11:52 AM

    Hi,

    When setting AP1X to do TPM EAP-TLS authentication, what are the service requirements?

    1) Is the method supposed to be EAP-TLS with No Authorization, No OCSP check?

    2) Does just the Aruba Root CA need to be enabled or do all certs in the chain from the issuer need to be enabled?

    3) Do they just need usage EAP or are there others?

    I had it working with a 303H, and after a day of doing other things and manipulating things, I am just timing out. My Cisco phone is failing too (I manipulated the trust list but didn't keep track enough). So I just want to make sure I understand the requirements for EAP-TLS on the wire in terms of the trust list.

    Even doing a port mirror, I'm not seeing the cert from the client. I'm seeing the hello with a big list of things I had in my trust list. I'm suspecting perhaps a fragmentation issue. This is on SD-Branch, and RADIUS is coming from a 2930M switch managed by Central. So I haven't tried RadSec either.

    Any help would be appreciated.



    -------------------------------------------


  • 2.  RE: AP TPM ap1x authentication for EAP-TLS against Clearpass
    Best Answer

    Posted Nov 20, 2025 06:33 PM

    I used the auth method of EAP-TLS with no OCSP. Also, in my enforcement policy I used Authentication:OuterMethod EQUALS EAP-TLS AND Certificate:Issuer-CN CONTAINS Aruba Networks.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: AP TPM ap1x authentication for EAP-TLS against Clearpass

    Posted Nov 21, 2025 09:19 AM

    Thanks. That's what I'm doing. I moved everything back over to my test cluster and both are working, so it has something to do with my trust list. Strangely, for Cisco phones, I needed to have the Manufacturing SHA2 CA as well as the M2 root, but for Aruba gear, even though the Trusted Computing Issuing CA issues the cert, it seems okay with just the root being trusted.

    I suspect again that EAP-TLS fragmentation is causing an issue with my production setup. RadSec seems like what I eventually need, but I'm hoping to not need it for now.

    -------------------------------------------
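The trust-list difference the post above describes (root only is enough for the Aruba AP, but the Cisco phone also needs its issuing CA) is what you see when one supplicant sends its intermediate CA in the TLS Certificate message and the other sends only the leaf. That explanation is my assumption, not something the thread states. The following is an added example, not code from the thread or from ClearPass: a name-based certificate path builder that walks from the presented leaf up to an entry in a trust list, honouring a per-entry usage flag the way the ClearPass trust list does. Signature verification, validity periods and revocation are deliberately omitted; the certificate names are constructed and only modelled on those mentioned in the thread.

```python
"""Name-based path building from a presented EAP-TLS client chain to a trust list.

Constructed example: certificates are plain dicts, no signatures are checked.
The point is path *discovery*: a supplicant that omits its intermediate can
only be validated if that intermediate is in the server's trust list.
"""


def build_path(presented, trust_list, usage="EAP"):
    """Return the list of subjects from the leaf to the trust anchor, or None.

    presented:  list of cert dicts, leaf first, as sent in the TLS Certificate message.
    trust_list: list of (cert dict, set of usages); only entries whose usages
                include `usage` may act as anchors or intermediates (mirrors the
                ClearPass trust-list "Usage" column, which the thread says must be EAP).
    """
    if not presented:
        return None
    usable = {c["subject"]: c for c, usages in trust_list if usage in usages}
    by_subject = {c["subject"]: c for c in presented}

    path = [presented[0]["subject"]]
    seen = {presented[0]["subject"]}
    cur = presented[0]
    while True:
        issuer = cur["issuer"]
        if issuer in usable:                 # reached a trusted CA: path complete
            path.append(issuer)
            return path
        nxt = by_subject.get(issuer)         # otherwise the supplicant must have sent it
        if nxt is None or nxt["subject"] in seen:
            return None                      # missing intermediate, or a self-signed loop
        seen.add(nxt["subject"])
        path.append(nxt["subject"])
        cur = nxt


# Constructed certificates (names are assumptions, modelled on the thread).
ARUBA_ROOT = {"subject": "Aruba Networks Trusted Computing Root CA",
              "issuer": "Aruba Networks Trusted Computing Root CA"}
ARUBA_ISSUING = {"subject": "Aruba Networks Trusted Computing Issuing CA",
                 "issuer": ARUBA_ROOT["subject"]}
ARUBA_AP = {"subject": "AP-303H-serial", "issuer": ARUBA_ISSUING["subject"]}

CISCO_ROOT = {"subject": "Cisco Root CA M2", "issuer": "Cisco Root CA M2"}
CISCO_MFG = {"subject": "Cisco Manufacturing CA SHA2", "issuer": CISCO_ROOT["subject"]}
CISCO_PHONE = {"subject": "CP-phone-serial", "issuer": CISCO_MFG["subject"]}


def scenarios():
    """Four trust-list configurations; returns subject paths (or None) for each."""
    root_only = [(ARUBA_ROOT, {"EAP"}), (CISCO_ROOT, {"EAP"})]
    with_cisco_issuing = root_only + [(CISCO_MFG, {"EAP"})]
    wrong_usage = [(ARUBA_ROOT, {"Others"})]
    return {
        # AP sends leaf + issuing CA, so the root alone is enough
        "aruba_root_only": build_path([ARUBA_AP, ARUBA_ISSUING], root_only),
        # phone sends only its leaf, so the issuing CA must be trusted explicitly
        "cisco_root_only": build_path([CISCO_PHONE], root_only),
        "cisco_root_and_issuing": build_path([CISCO_PHONE], with_cisco_issuing),
        # a trusted root whose usage does not include EAP is ignored for EAP-TLS
        "aruba_wrong_usage": build_path([ARUBA_AP, ARUBA_ISSUING], wrong_usage),
    }


if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name}: {'OK ' + ' -> '.join(path) if path else 'NO PATH'}")
```

If a device fails even though its root is trusted, capture the TLS Certificate message and count the certificates in it; a single certificate means the issuing CA has to go into the trust list with EAP usage.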



  • 4.  RE: AP TPM ap1x authentication for EAP-TLS against Clearpass

    Posted Nov 21, 2025 12:43 PM

    Turns out I was dumb again. The static route that ensures all RADIUS traffic goes through one firewall instead of the active/active pair was missing for my new nodes, and thus IP reassembly failed. It's a Palo Alto-specific thing where reassembly cannot occur between two active/active nodes even though session state is shared. Once I fixed that, everything flowed normally. And for whoever cares, Aruba will work if you just trust the root, but Cisco requires both the issuing and the root.


    Usage is EAP. No other usage is needed.

    -------------------------------------------
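The root cause in the post above is IP-layer fragmentation of RADIUS/UDP: an Access-Challenge carrying a large EAP-TLS fragment can exceed the path MTU, and if the resulting IP fragments reach different firewall nodes that do not share reassembly state, the datagram never completes and the client cert never appears in a capture. The block below is an added example, not code from the thread or any vendor: it sizes the RADIUS packet for a given EAP-TLS fragment length (EAP-Message attributes carry at most 253 bytes each, plus State and Message-Authenticator attributes, whose lengths are assumed here), splits the datagram into IPv4 fragments for a 1500-byte MTU, and runs a minimal reassembler that flags datagrams missing fragments. The fragment sizes (1024 and 2048) are constructed values chosen to sit on either side of the MTU, not ClearPass defaults.

```python
"""Why a big EAP-TLS fragment inside RADIUS/UDP fragments at the IP layer,
and a minimal IPv4 reassembler that reports datagrams that never complete.

Constructed example; lengths of State/Message-Authenticator are assumptions.
"""
import socket
import struct
from collections import defaultdict

IPV4_HDR = 20
UDP_HDR = 8
RADIUS_HDR = 20            # code, id, length, authenticator
EAP_MESSAGE_MAX = 253      # max value bytes per EAP-Message attribute (RFC 3579)
STATE_ATTR = 2 + 16        # assumed 16-byte State value
MSG_AUTH_ATTR = 2 + 16     # Message-Authenticator is always 16 bytes
IP_MF = 0x2000             # "more fragments" flag
IPV4_FMT = "!BBHHHBBH4s4s"


def radius_len(eap_fragment_len):
    """UDP payload length of an Access-Challenge carrying one EAP-TLS fragment."""
    n_attrs = -(-eap_fragment_len // EAP_MESSAGE_MAX)       # ceil division
    return RADIUS_HDR + eap_fragment_len + 2 * n_attrs + STATE_ATTR + MSG_AUTH_ATTR


def ip_fragments(udp_len, mtu=1500, ident=0x1234, src="10.0.0.1", dst="10.0.0.2"):
    """Split one UDP datagram into raw IPv4 fragments (header + zeroed payload)."""
    total = UDP_HDR + udp_len
    max_payload = (mtu - IPV4_HDR) // 8 * 8                   # offsets are in 8-byte units
    frags, offset = [], 0
    while offset < total:
        plen = min(max_payload, total - offset)
        flags = IP_MF if offset + plen < total else 0
        hdr = struct.pack(IPV4_FMT, 0x45, 0, IPV4_HDR + plen, ident,
                          flags | (offset // 8), 64, 17, 0,
                          socket.inet_aton(src), socket.inet_aton(dst))
        frags.append(hdr + bytes(plen))
        offset += plen
    return frags


def reassemble(packets):
    """Group raw IPv4 packets by (src, dst, id, proto) and check each datagram.

    Returns {key: {"fragments": n, "bytes": contiguous bytes, "complete": bool}}.
    A datagram is complete only if fragments are contiguous from offset 0 and the
    last one (MF clear) was seen; a fragment that went to the other A/A node shows
    up here as an incomplete group.
    """
    groups = defaultdict(list)
    for pkt in packets:
        ver_ihl, _, tot_len, ident, ff, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:IPV4_HDR])
        ihl = (ver_ihl & 0x0F) * 4
        groups[(src, dst, ident, proto)].append(((ff & 0x1FFF) * 8, tot_len - ihl, bool(ff & IP_MF)))
    result = {}
    for key, frags in groups.items():
        frags.sort()
        expected, contiguous, last_seen = 0, True, False
        for offset, length, mf in frags:
            if offset != expected:
                contiguous = False
                break
            expected = offset + length
            last_seen = not mf
        result[key] = {"fragments": len(frags), "bytes": expected,
                       "complete": contiguous and last_seen}
    return result


def demo(eap_fragment_len, keep=None, mtu=1500):
    """Fragment a challenge for the given EAP-TLS fragment size and reassemble.

    keep: optional list of fragment indexes that "arrived" (others lost to the
    other firewall node). Returns (udp_len, n_fragments, complete).
    """
    udp_len = radius_len(eap_fragment_len)
    frags = ip_fragments(udp_len, mtu=mtu)
    seen = frags if keep is None else [f for i, f in enumerate(frags) if i in keep]
    status = next(iter(reassemble(seen).values()), {"complete": False})
    return udp_len, len(frags), status["complete"]


if __name__ == "__main__":
    print("1024-byte EAP fragment:", demo(1024))            # fits: 1 IP packet
    print("2048-byte EAP fragment:", demo(2048))            # 2 IP fragments, both seen
    print("2048, 2nd fragment lost:", demo(2048, keep=[0]))  # never reassembles
```

In a capture on the RADIUS server side, an Access-Challenge that is always the first fragment of a pair with the second never arriving is the signature of this failure; lowering the EAP-TLS fragment size so the whole RADIUS packet fits the MTU, pinning the path through one firewall node as the poster did, or moving to RadSec over TCP all avoid it.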