Contributor I
Posts: 35
Registered: ‎03-21-2011

Can Webauth use an external Radius to authenticate?

Hi,

 

Is there any way to add an external Radius Server as Authentication Source?

 

My customer wants to use the web page on CPPM, then the username/password will be authenticated by their existing external Radius Server.

 

Thanks in advance.

 

 

 

Regards,

Patrick

 

MVP
Posts: 561
Registered: ‎11-28-2011

Re: Can Webauth use an external Radius to authenticate?

You could probably achieve this by setting up a RADIUS proxy target and service.

 

Configuration>Network>Proxy Targets

Configuration>Services>Add Service (type RADIUS Proxy)

Kudos appreciated, but I'm not hunting! (ACMX 104)
Contributor I
Posts: 35
Registered: ‎03-21-2011

Re: Can Webauth use an external Radius to authenticate?

Thanks.

 

But in order for Radius Proxy to work, you have to receive a Radius request in the first place....

 

In my situation, the authentication request is from the ClearPass Web page (WebAuth). So this will never hit the Radius Proxy service. Any other idea?

 

Thank you very much.

 

Patrick

 

MVP
Posts: 561
Registered: ‎11-28-2011

Re: Can Webauth use an external Radius to authenticate?

I see. There might be options...

 

Can you expand more on what your customer is really trying to achieve?

 

I.e. so this user is looking at a webpage (username/password) on Clearpass. For what purpose? How did they get there? And then what happens if they enter valid details?

 

Kudos appreciated, but I'm not hunting! (ACMX 104)
Contributor I
Posts: 35
Registered: ‎03-21-2011

Re: Can Webauth use an external Radius to authenticate?

Thanks. The scenario is:

 

LanSwitch---------CPPM---------------3rd_Party_radius

 

 

The LanSwitch can redirect client to CPPM guest page for authentication, but customer doesn’t want to use CPPM as authentication source. They have centralized Radius.

 

So if CPPM can send the username/passwd to 3rd party radius for authentication, when succeeded, CPPM sends a COA to LanSwitch to change client role.

 

If you need more info please let me know.

 

I heard that we can make CPPM change Guest request from WebAuth to Radius_Auth. But I don't know how.

 

Regards,

Patrick

 

 

 

MVP
Posts: 561
Registered: ‎11-28-2011

Re: Can Webauth use an external Radius to authenticate?

[ Edited ]

Under a normal deployment type (for instance with an Aruba controller or IAP), it's the network device that converts the web login to a RADIUS which it then sends to Clearpass (which you could then proxy).

 

If a user is looking directly at a Clearpass page, the Clearpass would have to understand something about how the user got there and what to do next.

 

I.e. when a user types in details, think about how you expect the Clearpass to know how we got to this point and where the "LANSwitch" is with which we need to communicate. AND, when the details are entered (assuming Clearpass knows the switch involved), what should it send back to that switch to tell it the user is "ok" and can now be treated differently.

 

So, when you say "LANSwitch", what manufacturer and product model is the user connected to (you'd have to understand this to model it)? And how specifically does this device redirect the user in your scenario? Furthermore, if you're talking COA, this would assume the network device is involved in a RADIUS conversation with Clearpass in the first place. So how is it doing that (protocol, feature, maybe like Cisco WCCP)?

Kudos appreciated, but I'm not hunting! (ACMX 104)
Frequent Contributor I
Posts: 62
Registered: ‎05-06-2013

Re: Can Webauth use an external Radius to authenticate?

Was this ever solved? I'm trying to use RADIUS as authentication source from CPPM.

Contributor I
Posts: 35
Registered: ‎03-21-2011

Re: Can Webauth use an external Radius to authenticate?

Yes it had been solved.

 

However, maybe your requirement is different if you wanted to use CPPM as Radius Server.

 

MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: Can Webauth use an external Radius to authenticate?


pydiao wrote:

Yes it had been solved.

 


Can you explain how for the case of the third party radius server?
