1. Reviewing the onboarding profile deployment
Which onboarding method is being used? Is it ClearPass Onboard? Check directly on the endpoint to see if EAP-TLS is actually configured as the authentication method in the Wi-Fi profile.
2. Confirming whether any Aruba policy or ClearPass configuration could force fallback to PEAP
ClearPass, like any other RADIUS server, cannot influence the authentication method used by the endpoint or force a fallback to a different authentication method. During authentication, ClearPass sequentially sends all authentication methods configured in the service to the NAD until the endpoint selects the method configured on it. If the endpoint does not support any of the methods configured in the service, authentication is aborted with a message stating that the endpoint does not support any of the methods used.
3. Identifying why endpoints continue advertising/attempting PEAP after successful EAP-TLS onboarding.
The endpoint uses the authentication method configured in its Wi-Fi profile. Check the endpoint configuration.
4. Providing guidance on how to force the endpoint to use EAP-TLS exclusively
In the service, you can only select [EAP TLS] as the authentication method. As a result, endpoints that use other authentication methods will not be able to authenticate.
Please post the Alarm Section for a Rejected Authentication. In the Summary Section, only the [Other] role is assigned. This happens when no condition matches in the role mapping; in that case, ClearPass uses the default role. This may be the cause of the rejections, rather than the use of EAP-PEAP.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: May 28, 2026 11:06 AM
From: Joel Jimenez
Subject: Login Status: REJECT
Subject: Authentication Issue After Successful Onboarding – Devices Still Attempting PEAP Instead of EAP-TLS
Issue Description
We are experiencing an authentication issue affecting multiple users after completing the Aruba onboarding process successfully.
The onboarding process finishes without errors, and certificates appear to be deployed correctly to the endpoints. However, after onboarding is completed, affected devices continue failing authentication attempts.
Our investigation indicates that although the expected authentication method should be EAP-TLS, the authentication logs and client behavior suggest that the devices are still attempting authentication using EAP-PEAP.
Observed Behavior
User successfully completes onboarding
Certificate installation appears successful
Device attempts to connect to the corporate SSID
Authentication fails
Authentication method appears as EAP-PEAP instead of EAP-TLS
Expected Behavior
After successful onboarding, the device should authenticate using EAP-TLS with the installed client certificate.
Troubleshooting Performed
Re-ran onboarding process multiple times
Reinstalled onboarding profile
Verified certificate presence on the endpoint
Confirmed SSID configuration is intended for EAP-TLS
Verified that monitor mode / 802.11 capability is available
Authentication issue persists consistently
Suspected Cause
It appears that the onboarding profile may not be fully replacing the previous wireless authentication configuration, or the endpoint is retaining an older PEAP-based profile/policy and continues attempting authentication with PEAP instead of switching to EAP-TLS.
Request for Support
Please assist with:
Reviewing the onboarding profile deployment
Confirming whether any Aruba policy or ClearPass configuration could force fallback to PEAP
Identifying why endpoints continue advertising/attempting PEAP after successful EAP-TLS onboarding
Providing guidance on how to force the endpoint to use EAP-TLS exclusively
This issue is affecting multiple users.
-------------------------------------------
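Added example, not part of either post above: one way to carry out the endpoint check suggested in the reply, assuming the affected endpoints run Windows and their Wi-Fi profiles have been exported as XML with `netsh wlan export profile`. The SSID names and the trimmed profile XML are constructed for illustration; the script reports every profile whose outer EAP method is not EAP-TLS (type 13).

```python
import xml.etree.ElementTree as ET

EAP_TYPES = {13: "EAP-TLS", 25: "EAP-PEAP"}  # IANA EAP method type numbers

def local(tag):
    """Drop the XML namespace so matching does not depend on schema URIs."""
    return tag.rsplit("}", 1)[-1]

def outer_eap_method(profile_xml):
    """Return (ssid, outer EAP type number or None) for one exported profile."""
    ssid, eap_type = None, None
    for el in ET.fromstring(profile_xml).iter():
        if local(el.tag) == "SSID" and ssid is None:
            ssid = next((c.text for c in el if local(c.tag) == "name"), None)
        elif local(el.tag) == "EapMethod" and eap_type is None:
            # First EapMethod in document order is the outer method; any
            # inner method (e.g. inside PEAP) sits deeper in the Config blob.
            t = next((c.text for c in el if local(c.tag) == "Type"), None)
            eap_type = int(t) if t else None
    return ssid, eap_type

def audit(profiles, required=13):
    """List (ssid, method) for every profile whose outer method is not `required`."""
    findings = []
    for xml_text in profiles:
        ssid, t = outer_eap_method(xml_text)
        if t != required:
            findings.append((ssid, EAP_TYPES.get(t, f"type {t}")))
    return findings

def sample(ssid, eap_type):
    """Constructed, heavily trimmed stand-in for an exported profile."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
    <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{eap_type}</Type></EapMethod>
    </EapHostConfig></EAPConfig>
  </OneX></security></MSM>
</WLANProfile>"""

# Constructed SSID names: a leftover PEAP profile beside the onboarded one
SAMPLES = [sample("CORP", 25), sample("CORP-Onboard", 13)]

if __name__ == "__main__":
    for ssid, method in audit(SAMPLES):
        print(f"{ssid}: outer method is {method}, not EAP-TLS")
```

A profile listed here is one the endpoint can still use to answer with PEAP, which matches the reply's point that the method is chosen by the endpoint's own Wi-Fi profile.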