04-15-2014 12:49 AM
Is there any way to add an external Radius Server as Authentication Source?
My customer wants to use the web page on CPPM, then the username/password will be authenticated by their existing external Radius Server.
Thanks in advance.
04-15-2014 02:40 AM
You could probably achieve this by setting up a RADIUS proxy target and service.
Configuration>Services>Add Service (type RADIUS Proxy)
04-15-2014 02:43 AM
But in order for Radius Proxy to work, you have to receive a Radius request in the first place....
In my situation, the authentication request is from the ClearPass Web page (WebAuth). So this will never hit the Radius Proxy service. Any other idea?
Thank you very much.
04-16-2014 11:18 AM
I see. There might be options...
Can you expand more on what your customer is really trying to achieve?
I.e. so this user is looking at a webpage (username/password) on Clearpass. For what purpose? How did they get there? And then what happens if they enter valid details?
04-16-2014 07:33 PM
Thanks. The scenario is:
The LanSwitch can redirect the client to the CPPM guest page for authentication, but the customer doesn't want to use CPPM as the authentication source. They have centralized Radius.
So if CPPM can send the username/passwd to 3rd party radius for authentication, when succeeded, CPPM sends a COA to LanSwitch to change client role.
If you need more info please let me know.
I heard that we can make CPPM change the Guest request from WebAuth to Radius_Auth. But I don't know how.
04-17-2014 12:11 AM - edited 04-17-2014 12:12 AM
Under a normal deployment type (for instance with an Aruba controller or IAP), it's the network device that converts the web login to a RADIUS which it then sends to Clearpass (which you could then proxy).
If a user is looking directly at a Clearpass page, the Clearpass would have to understand something about how the user got there and what to do next.
I.e. when a user types in details, think about how you expect the Clearpass to know how we got to this point and where the "LANSwitch" is with which we need to communicate. AND, when the details are entered (assuming Clearpass knows the switch involved), what should it send back to that switch to tell it the user is "ok" and can now be treated differently.
So, when you say "LANSwitch", what manufacturer and product model is the user connected to (you'd have to understand this to model it)? And how specifically does this device redirect the user in your scenario? Furthermore, if you're talking COA, this would assume the network device is involved in a RADIUS conversation with Clearpass in the first place. So how is it doing that (protocol, feature, maybe like Cisco WCCP)?