Sounds like a good addition to the series. Did not plan that, but let me see if I can include MM/AOS8.

​@@hermanrobers Great, that would be a real help for me and I'm sure for many others! In the Airheads community, I have often seen questions about CPPM and Mobility Master that refer to your videos, such as the wireless network, or wireless network with self-registration, but in which the answers are more related to IAP.

@@hermanrobers Yes it will be Great as the most of implementation now a days with MM and MC but in general I believe the concepts are same .

Configuration steps on Aruba Mobility controllers are similar, but screens look different. You could check the following series for more details on how to setup controllers, including the connection to ClearPass.

​@@hermanrobers can't find the video for the controllers? , is possible to configure one SSID for all employees in different departments and every employee connects to the Vlan to the employee's departments belong? thank you very much

@@mohammadalhaddad1472 Yes, you can do that (at least with Aruba Instant or Controllers). Just return in ClearPass a different role (and/or VLAN) based on role mapping with the OU or Department field or Group membership in AD. Which one is best depends on how your AD is setup and which is most reliable to determine the department of a user. And here is the video series for Aruba controllers: kzbin.info/www/bejne/el7ah2hrg52bncU

thank you for your reply, We try to use OU for a department name but can't make the filter work, in AD I can see the department name in OU. and I am still confused about how to step the Role :(. I will watch the video again and try to make work. Thank you very much

These steps are similar, it just looks different on an Aruba controller. You can check kzbin.info/www/bejne/sJq8nnp4qpaJja8 to see how the workflow is on a controller.

@@hermanrobers thank you, just one more question, is it mandatory to setup the AP in tunnel mode if we use controller as a radius client?

First make sure that you see the request matched to the right service. Then if you still see this message, it means that what you configured as Authentication Methods (like EAP-TLS) does not match what the client is capable to do. In the workshop, I use certificates issued by Active Directory. If the client does not have a client certificate that if could use for client authentication, it may reject the EAP-TLS method with this error as a result. Please check that you have a client certificate, and configured EAP-TLS on the client (where on Windows that is called Smartcard or other certificate).

You could preconfigure the client through Group Policies or other Device Management. Networks normally don't switch security types, and if they do it's recommended to use a different SSID name to avoid the issue that you see. You probably won't want that your clients connect to an open SSID with the same name as your WPA2-Enterprise SSID, so consider this more a security measure.

@@hermanrobers thank you for the reply, regarding the group policy on the AD I can specify such an option ? and regarding the SSID I think there is misunderstood. the users will connect with there laptops inside and outside the office, so when they want they connect externally the SSID will not be WPA-Enterprise

@@mohammedkeswani2494 not sure if I still understand... if you want your users to connect to your company SSID internally with WPA-Enterprise and on other locations with WPA-PSK (example), you should have different SSID names because the same SSID name cannot (should not) be used with different security mechanisms. If you want users inside your company connect to the corporate network with WPA-Enterprise, and at home or on the road to the home network or hotspots, there is no issue as those will be different SSID names.

@@hermanrobers thank you, that is what I wanted to know. as when I tested the SSID that I wanted to connect to it is testing fine, when I want to revert to the other SSID on the same office "that doesn't use WPA-Enterprise" I had to forget that network then join to it again.

Matthias, what is the username that you see? The User's or the Machine? With EAP-TLS there are two separate entries for just the user authentication (once the client is logged in) and one for the computer authentication (if the client is logged out, and most times when you first connect to a network). If you see the role Machine Authenticated for a user authentication, that means that ClearPass has seen a computer authentication as well. You can check the video on User+Computer authentication, and the one on TEAP that combines both User and Computer in the same authentication.

​@@hermanrobers Thx for your explanation.I see the User´s username. Makes sense...

For the Radsec Cert on the IAP, you will need to upload a client certificate (plus private key) for that IAP. That client certificate needs to be issued by a CA that is in ClearPass in the Trust List enabled for purpose RadSec. A p12 file will work best. The RadSec CA should be the root CA certificate that issued the RadSec certificate that is installed on your ClearPass server. For that cert, I prefer to use a .pem file.

@@hermanrobers for radsec cert you have mentioned client cert to be uploaded. Can we use same cert on a client devices (such as laptop) or do we need to generate a new cert just for iap's. Do we need chain it in the order server, inter, root, private key Or Just server and private key? Thanks

@@rajum3386 For the client certificate, the one on for your AP, you should 'chain' it to have client-cert and intermediates up-to the root (root CA should not be in the chain). While it technically would work to have the same certificate for laptops and IAPs, that is strongly deprecated. Certificates should be device or user unique, so in case you lose a certificate, you don't need to replace the certificates on all of your devices. As well with different certificates, you can use the attributes in the certificate in your access decision, or for RadSec to link a Network Device in ClearPass to a specific certificate.