02-06-2013 09:45 AM
I have only spent a day going through, but I can't seem to find a way to use an external RADIUS server (MS NPS) to authenticate ClearPass Administrators to use the software.
I went through and found the local TACACS [Policy Manager Admin Network Login Service], and noticed that I could not change it or use another RADIUS or RADIUS Proxy server with the [Admin Network Login Policy] Enforcement Policy.
My question to the masses: is it possible to point ClearPass Administrators to authenticate with an external/third-party RADIUS client (i.e. MS NPS) instead of using the local TACACS and user DB?
Any insight would be greatly appreciated.
02-06-2013 03:54 PM
I am not aware of any way to do this. However, it is easy enough to set up your own CPPM login service and authenticate against AD if that's essentially what you were going for.
Here's what I did:
- Copied default CPPM login service.
- Placed the new login service above the default.
- Set my AD servers as the authentication source.
- Created role mappings that mapped AD groups to predefined TACACS roles.
- And I left the Enforcement policy and profiles as they were.
02-11-2013 03:12 PM
RADIUS as an external authentication server, both for guests and for operators, seems to be gone.
I'm hoping this will come back in the next big release, 6.1, due for March I think.
-ACMX #316 :: ACCP-
Intelecom - Norway
02-12-2013 04:37 AM
I believe for guest/mobility-users to authenticate to the WLAN(s) you can still use external RADIUS by setting up a proxy RADIUS server in CP 184.108.40.206902.
Unfortunately what I would like (am required) to do is use an external RADIUS server to authenticate the CP Administrators using a third-party 2FA solution. These requirements also restrict me from using AD because the CP software does not recognize hard certs (Common Access Card) to log into the CP web interface.
Thank you both for your posts, hopefully in later patches/code upgrades this matter can be added to the already great features of CP.
02-08-2016 12:59 PM
Hi, I've been searching for the same solution: having CP administrators and provisioners authenticated by Microsoft NPS.
When a CP administrator or provisioner accesses CP, it needs to authenticate using its domain credentials. Once the client starts, the authentication request hits CP, which should forward the request to NPS, which then does the authentication in Active Directory and assigns back the proper privilege level to the client.
I'm aware of the LDAP option in CP which can directly authenticate in AD, but I need to have NPS do the LDAP query, so basically I need CP just to do a passthrough.
Currently I'm using CP 6.5.5 but I don't see the external authentication server option available.
As this thread was created in 2013, I can imagine the option might be available by now.
02-09-2016 04:42 AM - edited 02-09-2016 04:43 AM
So with TACACS, besides doing direct LDAP queries to Active Directory, can I forward the authentication requests to NPS as well? If so, do you have a link to the documentation on how to configure this?
If it is not possible, which I assume after reading the documentation, will Aruba build in support to passthrough authentication requests to NPS in the near future?
02-09-2016 05:04 AM
04-05-2016 01:03 AM
Hi, sorry for my late reply.
The customer does not want to have NPS replaced by ClearPass due to company policy. Therefore I've been looking to forward requests from CP to NPS, which does the LDAP query in AD.
Currently I'm trying to see if it is ok to have CP do the LDAP directly in AD and bypass NPS, although it does not conform to company policy.
04-14-2016 04:57 PM
I'm having the same issue. What we want is the Administrators of the CPPM box to be authenticated against our external RADIUS which has 2FA.
Is it possible for Network Administrator Login authentication to use external RADIUS, or are we just stuck with TACACS+ for admin login?
In my case, all privileged user (admin) accounts are stored on this RADIUS server, separate from the normal user databases.
So the question is, can ClearPass support this functionality/use case? We are using HW-CP5K running on 220.127.116.11367