1. Reviewing the onboarding profile deployment
Which onboarding method is being used? Is it ClearPass Onboard? Check directly on the endpoint to see if EAP-TLS is actually configured as the authentication method in the Wi-Fi profile.
2. Confirming whether any Aruba policy or ClearPass configuration could force fallback to PEAP
ClearPass, like any other RADIUS server, cannot influence the authentication method used by the endpoint or force a fallback to a different authentication method. During authentication, ClearPass sequentially sends all authentication methods configured in the service to the NAD until the endpoint selects the method configured on it. If the endpoint does not support any of the methods configured in the service, authentication is aborted-with a message stating that the endpoint does not support any of the methods used.
3. Identifying why endpoints continue advertising/attempting PEAP after successful EAP-TLS onboarding.
The endpoint uses the authentication method configured in its Wi-Fi profile. Check the endpoint configuration.
4. Providing guidance on how to force the endpoint to use EAP-TLS exclusively
In the service, you can only select [EAP TLS] as the authentication method. As a result, endpoints that use other authentication methods will not be able to authenticate.
Please post the Alarm Section for a Rejected Authentication. In the Summary Section, only the [Other] role is assigned. This happens when no condition matches in the role mapping; in that case, ClearPass uses the default role. This may be the cause of the rejections, rather than the use of EAP-PEAP.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------