Great videos! Which video do you show the creation of the profiles ?

That message means that your client does not trust the ClearPass RADIUS/EAP certificate. I think this is covered in the video's for wireless, and the same applies for wired 802.1X: Client must have the root CA that issued your ClearPass server certificate (RADIUS/EAP) installed and trusted.

@@hermanrobers the root CA that issued in ClearPass server certificate (RADIUS/EAP) installed and trusted in pc

David, the Arubalab-workshop-CA is the root CA that issued the radius.arubalab.loc EAP server certificate. In general, you just want to check against the root, otherwise you can't replace expiring or revoked certificates. So the client checks that the radius.arubalab.loc certificate presented by ClearPass is issued by the Arubalab-workshop-CA. In this case the certificate is issued directly by the root, if there were an intermediate CA, then still you would verify against the root in which case the client checks the chain from server to intermediate to root.

That is a pretty accurate description. OnConnect should only (in my opinion) be used where you can't use MACAuth/802.1X, which is close to never with these day's switches. 802.1X/MACAuth is pro-active: Access after authentication, where SNMP enforcement is reactive (change access after it has been given). Feature is there just for flexibility, but I have personally not ran into situations where it works better than MAC Auth.

BTW, if you want to deploy OnConnect, it is described in the ClearPass Wired Policy Enforcement Guide, available on www.arubanetworks.com/clearpassdocs

I don't have such switch, however ClearPass works great with this equipment when I worked with customers running that. If you need some guidance, the ClearPass Solution Guide for Wired Policy Enforcement covers this in detail: community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161. As the VLAN enforcement in this video is IEEE standard, if you change the Network Access Device configuration from HPE to Cisco, I think you can get this up and running pretty quick. For more technical questions, you can use the Airheads Community site (community.arubanetworks.com) to find answers and ask your questions.

Sure, you can configure per port if it is controlled by ClearPass. If you want a static VLAN on the port without any authentication, then you can just do it like you always did before ClearPass. A benefit of doing port authentication is that you don't need to configure your port static, and if you move clients around the port automatically adapts to what you connect (colorless port concept). You can mix&match colorless ports and static configured ports without any issue.

Very likely, if you can configure your switch for RADIUS 802.1X authentication to ClearPass and follow the steps in the workshop where you replace everything Aruba switch with the Alcatel OLT, you should be able to get quite a bit. Alcatel should have ClearPass experience and integration notes, as they resell ClearPass with their products. Probably it is best, if you can't do it yourself, to involve an Aruba partner that knows ClearPass already. If you have most steps done, and authentications getting in, and still get stuck, you can use the Airheads forum (community.arubanetworks.com) to post your questions. Or contact the Aruba TAC (support.arubanetworks.com) to get you helped out. In my experience they are very willing to help you out, even with equipment that they don't know or tested.

In the example, it's an allow-all. But you should put in ACLs that block traffic that admins should not use, or allow what they should do and block everything else. There is no generic content for the role, it's dependent on your environment.