AAA, NAC, Guest Access & BYOD


Create unique 802.1X service in multiple authentication source environment 

Nov 10, 2014 08:10 AM

Introduction:

This article describes how to create a unique service for 802.1X authentication in an environment with multiple authentication sources.

 

Feature Notes:

This applies to all versions of CPPM.

 

Environment:

Let's consider that we have 25 authentication sources, each a single child domain (Active Directory). We have multiple campuses, and users belonging to all of the domains roam across the different campuses.

 

Configuration Steps:

We will create a basic 802.1X service for authentication and add all 25 AD servers as authentication sources. This should work, but the maximum number of authentication sources that can be associated with a service is 24, and this limit is not enforced by the UI.

25 authentication sources in one service is too many. It will increase the RADIUS authentication processing time, especially when the user is present in an authentication source far down the list.

We would see the errors below in the RADIUS logs on CPPM. The RADIUS service will be down and authentication will fail.

 

YYYY-MM-DD 11:56:16,009 [main] ERROR RadiusServer.Radius - Errors reading radiusd.conf
YYYY-MM-DD 13:35:47,760 [main] INFO RadiusServer.Radius - radiusd: Initializing SSL library
YYYY-MM-DD 13:35:47,764 [main] INFO RadiusServer.Radius - NID of OnboardDeviceType is 923
YYYY-MM-DD 13:35:47,764 [main] INFO RadiusServer.Radius - NID of OnboardDeviceUDID is 924
YYYY-MM-DD 13:35:47,764 [main] INFO RadiusServer.Radius - NID of OnboardDeviceIMEI is 925
YYYY-MM-DD 13:35:47,764 [main] INFO RadiusServer.Radius - NID of OnboardDeviceICCID is 926
YYYY-MM-DD 13:35:47,764 [main] INFO RadiusServer.Radius - NID of OnboardMACAddress is 927
YYYY-MM-DD 13:35:47,764 [main] INFO RadiusServer.Radius - NID of OnboardProductName is 928
YYYY-MM-DD 13:35:47,764 [main] INFO RadiusServer.Radius - NID of OnboardProductVersion is 929
YYYY-MM-DD 13:35:47,764 [main] INFO RadiusServer.Radius - NID of OnboardUserName is 930
YYYY-MM-DD 13:35:47,764 [main] INFO RadiusServer.Radius - NID of OnboardDeviceSerial is 931
YYYY-MM-DD 13:35:47,764 [main] INFO RadiusServer.Radius - NID of OnboardCustomField is 932
YYYY-MM-DD 13:35:47,764 [main] INFO RadiusServer.Radius - NID of OnboardEmailAddress is 933
YYYY-MM-DD 13:35:47,764 [main] INFO RadiusServer.Radius - Starting - reading configuration files ...
YYYY-MM-DD 13:35:47,765 [main] ERROR RadiusServer.Radius - /usr/local/avenda/tips/var/radconfig/services.conf17: Unexpected end of file
YYYY-MM-DD 13:35:47,765 [main] ERROR RadiusServer.Radius - Errors reading radiusd.conf
YYYY-MM-DD 13:37:31,264 [main] INFO RadiusServer.Radius - radiusd: Initializing SSL library
YYYY-MM-DD 13:37:31,267 [main] INFO RadiusServer.Radius - NID of OnboardDeviceType is 923
YYYY-MM-DD 13:37:31,267 [main] INFO RadiusServer.Radius - NID of OnboardDeviceUDID is 924
YYYY-MM-DD 13:37:31,267 [main] INFO RadiusServer.Radius - NID of OnboardDeviceIMEI is 925
YYYY-MM-DD 13:37:31,267 [main] INFO RadiusServer.Radius - NID of OnboardDeviceICCID is 926
YYYY-MM-DD 13:37:31,267 [main] INFO RadiusServer.Radius - NID of OnboardMACAddress is 927
YYYY-MM-DD 13:37:31,267 [main] INFO RadiusServer.Radius - NID of OnboardProductName is 928
YYYY-MM-DD 13:37:31,267 [main] INFO RadiusServer.Radius - NID of OnboardProductVersion is 929
YYYY-MM-DD 13:37:31,267 [main] INFO RadiusServer.Radius - NID of OnboardUserName is 930
YYYY-MM-DD 13:37:31,267 [main] INFO RadiusServer.Radius - NID of OnboardDeviceSerial is 931
YYYY-MM-DD 13:37:31,267 [main] INFO RadiusServer.Radius - NID of OnboardCustomField is 932
YYYY-MM-DD 13:37:31,267 [main] INFO RadiusServer.Radius - NID of OnboardEmailAddress is 933
YYYY-MM-DD 13:37:31,267 [main] INFO RadiusServer.Radius - Starting - reading configuration files ...
YYYY-MM-DD 13:37:31,268 [main] ERROR RadiusServer.Radius - /usr/local/avenda/tips/var/radconfig/services.conf17: Unexpected end of file
YYYY-MM-DD 13:37:31,268 [main] ERROR RadiusServer.Radius - Errors reading radiusd.conf
YYYY-MM-DD 13:45:12,985 [main] INFO RadiusServer.Radius - radiusd: Initializing SSL library
YYYY-MM-DD 13:45:12,989 [main] INFO RadiusServer.Radius - NID of OnboardDeviceType is 923
YYYY-MM-DD 13:45:12,989 [main] INFO RadiusServer.Radius - NID of OnboardDeviceUDID is 924
YYYY-MM-DD 13:45:12,989 [main] INFO RadiusServer.Radius - NID of OnboardDeviceIMEI is 925
YYYY-MM-DD 13:45:12,989 [main] INFO RadiusServer.Radius - NID of OnboardDeviceICCID is 926
YYYY-MM-DD 13:45:12,989 [main] INFO RadiusServer.Radius - NID of OnboardMACAddress is 927
YYYY-MM-DD 13:45:12,989 [main] INFO RadiusServer.Radius - NID of OnboardProductName is 928
YYYY-MM-DD 13:45:12,989 [main] INFO RadiusServer.Radius - NID of OnboardProductVersion is 929
YYYY-MM-DD 13:45:12,989 [main] INFO RadiusServer.Radius - NID of OnboardUserName is 930
YYYY-MM-DD 13:45:12,989 [main] INFO RadiusServer.Radius - NID of OnboardDeviceSerial is 931
YYYY-MM-DD 13:45:12,989 [main] INFO RadiusServer.Radius - NID of OnboardCustomField is 932
YYYY-MM-DD 13:45:12,989 [main] INFO RadiusServer.Radius - NID of OnboardEmailAddress is 933
YYYY-MM-DD 13:45:12,989 [main] INFO RadiusServer.Radius - Starting - reading configuration files ...
YYYY-MM-DD 13:45:12,989 [main] ERROR RadiusServer.Radius - /usr/local/avenda/tips/var/radconfig/services.conf17: Unexpected end of file
YYYY-MM-DD 13:45:12,989 [main] ERROR RadiusServer.Radius - Errors reading radiusd.conf

To avoid this we definitely need a better design. We can add all the child domains to a Global Catalogue and add the Global Catalogue as the authentication source.
However, if we cannot make any changes to AD, we can use the solution below.

 

 

Answer:

So how do we create a unique service?

As we are in a multiple child-domain environment, one user may be part of multiple domains.

So users are recommended to log in using the complete domain name (user@aruba.com or aruba/user).

Configuration:

1: Create a basic 802.1X service using the template.
2: Make multiple copies of the same service (one for each authentication source).
3: Add one AND condition in each service as shown below.

"Authentication:Full-Username = <Value>"

The generic service will look like the screenshot below.

[Screenshot: generic 802.1X service]



We will add one more condition under Service Rule as shown below.

[Screenshot: service rule with the added Authentication:Full-Username condition]

Make sure that the AD server referenced in the new rule is added as the authentication source of that service.


We will have to create multiple services, one per authentication source, so that each service handles the authentication requests for its own domain.
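As an added illustration (not ClearPass code, and not part of the original article), the following constructed model shows what the per-service rule achieves: the full username is parsed for its realm (user@domain or DOMAIN\user), and only the one service whose Authentication:Full-Username condition matches is selected, with its single AD source. The domain names, service names and NetBIOS mapping are assumptions for the example; a bare username without a realm matches no service, which is why the article recommends that users log in with the complete domain name.

```python
"""Model of per-domain 802.1X service selection, as described in the article.
Constructed example, not ClearPass code: each 'service' carries one rule on
Authentication:Full-Username and exactly one AD authentication source."""
import re
from typing import Optional, Tuple

# Constructed table: one service per child domain (assumed names).
# realm -> (service name, authentication source)
SERVICES = {
    "emea.example.com": ("802.1X-EMEA", "AD-EMEA"),
    "apac.example.com": ("802.1X-APAC", "AD-APAC"),
    "corp.example.com": ("802.1X-CORP", "AD-CORP"),
}
# NetBIOS short names users may type as DOMAIN\user (assumed mapping).
NETBIOS = {"EMEA": "emea.example.com", "APAC": "apac.example.com",
           "CORP": "corp.example.com"}


def realm_of(full_username: str) -> Optional[str]:
    """Extract the DNS realm from user@realm or DOMAIN\\user (or DOMAIN/user).
    Returns None for a bare username, which cannot be routed to one source."""
    name = full_username.strip()
    if "@" in name:
        user, _, realm = name.rpartition("@")
        return realm.lower() if user and realm else None
    m = re.match(r"^([^\\/]+)[\\/]([^\\/]+)$", name)
    if m:
        return NETBIOS.get(m.group(1).upper())
    return None


def select_service(full_username: str) -> Optional[Tuple[str, str]]:
    """Evaluate the per-service rule "Authentication:Full-Username matches
    the service's realm" and return (service, auth source). None means no
    service matched: the request is not tried against every source in turn."""
    realm = realm_of(full_username)
    if realm is None:
        return None
    return SERVICES.get(realm)


if __name__ == "__main__":
    for u in ["alice@emea.example.com", "CORP\\bob", "apac/carol", "dave"]:
        print(u, "->", select_service(u))
```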

 

Verification:

Test with multiple clients and verify that the correct service is hit for each domain.
