
Aruba clearpass servers load balancing with F5 Big IP

  • 1.  Aruba clearpass servers load balancing with F5 Big IP

    Posted Aug 19, 2013 11:45 AM

    Hey Guys,

    We've 3 clearpass servers in our network. We would like to load balance the RADIUS requests among these 3 clearpass servers using F5 load balancers.

    Already added F5 LB as Network Access Device in clearpass with SHARED secret and configured F5 with clearpass for authentication, authorisation & accounting with shared secret.

    But F5 needs a clearpass user account with password to be entered when configuring AAA in it. How can this be accomplished? Need to create local user or use an existing AD domain user in clearpass?

    Could you please help?



  • 2.  RE: Aruba clearpass servers load balancing with F5 Big IP

    EMPLOYEE
    Posted Aug 19, 2013 08:44 PM

    Why would F5 need an account? In my experience, load balancers will accept a RADIUS reject as an indication the server is healthy for load balancing. If an account is needed, I would recommend a local user account and a separate service just for this. That way it can be tracked in its own service and if you need to take a node out for maintenance, etc., just disable the service and the server will be marked down or unhealthy and taken out of the load balancing scheme.

    You may also use iRules or a website HTTP check as well to use as a measurement for health as ClearPass is also a web server. Lastly, you can add health checks against SQL too.

    If you do a boolean check as mentioned above, it may prove more robust than just AAA as a failure of one service (like SQL) could affect ClearPass even though the RADIUS service still checks out ok.

    Hope this all makes sense.



  • 3.  RE: Aruba clearpass servers load balancing with F5 Big IP

    Posted Aug 19, 2013 09:27 PM
    Hey great! Thanks for your reply. That sounds good.

    Could you please guide on the steps to create a service for this local user authentication?

    If I'm creating a local user in clearpass with username and password and going to give these credentials in F5 (when adding health monitors), what kind of service needs to be created on the clearpass side? 802.1X wired or MAC auth bypass or any other? Because we've configured wired service with authentication source as local user repository. But getting error in clearpass as 'service classification failed, failed to classify the service'

    Please help! Thanks in advance.


  • 4.  RE: Aruba clearpass servers load balancing with F5 Big IP

    EMPLOYEE
    Posted Aug 19, 2013 10:05 PM
    Can you post the access tracker details for this failure?


  • 5.  RE: Aruba clearpass servers load balancing with F5 Big IP

    Posted Aug 19, 2013 11:09 PM

    Hi,

    Please see the attached doc for the access tracker error found on clearpass during the F5 integration. Would this help?

    Attachment: RADIUS_Error_With_F5.docx (68 KB)


  • 6.  RE: Aruba clearpass servers load balancing with F5 Big IP

    EMPLOYEE
    Posted Aug 19, 2013 11:13 PM
    Try a generic RADIUS service and add a service categorization of NAD-IP-Address EQUALS 10.197.128.11

    That should work but remember the service ordering is important as well.

    Let us know if you need some help here.


  • 7.  RE: Aruba clearpass servers load balancing with F5 Big IP

    Posted Aug 19, 2013 11:40 PM

    Bro,

    I think this is gonna work! Now, this RADIUS generic service is triggered. But rather getting "RADIUS Cannot select appropriate authentication method" error now. What auth method and sources need to be selected in this service? Can you help?



  • 8.  RE: Aruba clearpass servers load balancing with F5 Big IP
    Best Answer

    EMPLOYEE
    Posted Aug 20, 2013 05:53 AM

    Try adding in all of the authentication methods to the service, test with an access request, then look at the entry in access tracker on the input tab and it will tell you the method it used.



  • 9.  RE: Aruba clearpass servers load balancing with F5 Big IP
    Best Answer

    EMPLOYEE
    Posted Aug 20, 2013 06:33 AM
    This should also be configurable on F5. My guess is PAP or MSCHAP


  • 10.  RE: Aruba clearpass servers load balancing with F5 Big IP

    Posted Aug 20, 2013 09:22 AM

    Hi,

    Yes.. You're perfect.. The authentication method used is PAP. Now clearpass can authenticate F5 successfully. I can see it in access tracker of clearpass.

    I've configured F5 like this: Created a virtual server IP, added all 3 clearpass servers to it, mentioned the ports (1812 & 1813) to be load balanced.

    I've configured a switch with RADIUS details by giving F5 load balancer virtual server IP so that it'll contact clearpass for RADIUS authentication through F5. But unfortunately, the RADIUS requests are not getting load balanced successfully.

    I'm getting 'radius server dead, can't able to reach radius server' in switch when it tries to get authenticated via F5.

    Is there anything we're missing here? Any good F5 integration with clearpass server document available?



  • 11.  RE: Aruba clearpass servers load balancing with F5 Big IP

    Posted Aug 24, 2013 12:27 AM

    Hey.. Thank you guys for the answers. Corrected the issue with F5, it was having some SHARED-KEY password issue with the switch.

    Now it is working fine. Switch can authenticate through F5 to clearpass.

    Thanks, Bharani
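
An added example, not code from any poster in this thread: a Python sketch of the PAP Access-Request a RADIUS health probe sends (RFC 2865 User-Password hiding) and of the Response Authenticator check a RADIUS client applies to each reply. A client silently discards a reply whose authenticator was computed with a different shared secret, so a secret mismatch looks the same as an unreachable server. The username, password and secrets are constructed; only the NAS IP 10.197.128.11 comes from the thread.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding for PAP (RFC 2865 section 5.2)."""
    size = max(16, -(-len(password) // 16) * 16)      # pad to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value

def build_probe(ident, user, password, secret, nas_ip, req_auth=None):
    """Access-Request with User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(1, user) + attr(2, pap_hide(password, secret, req_auth))
             + attr(4, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, ident, req_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(header + ReqAuth + attrs + secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def classify_reply(reply: bytes, req_auth: bytes, client_secret: bytes) -> str:
    """Client side: a reply that fails the authenticator check is discarded."""
    if len(reply) < 20:
        return "discarded"
    want = hashlib.md5(reply[:4] + req_auth + reply[20:] + client_secret).digest()
    if not hmac.compare_digest(want, reply[4:20]):
        return "discarded"          # the client only ever sees a timeout
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")

# Constructed sample values; only the NAS IP appears in the thread.
REQ_AUTH = bytes(range(16))
PROBE = build_probe(7, b"f5-monitor", b"example-pass", b"secret-A",
                    "10.197.128.11", REQ_AUTH)
REPLY = build_reply(ACCESS_REJECT, 7, REQ_AUTH, b"secret-A")

if __name__ == "__main__":
    print(classify_reply(REPLY, REQ_AUTH, b"secret-A"))   # secrets match
    print(classify_reply(REPLY, REQ_AUTH, b"secret-B"))   # secrets differ
```

A validated Access-Reject still shows that the RADIUS service answered, which is the health signal reply 2 describes.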