Occasional Contributor I

ClearPass Management User RADIUS

I have only spent a day going through, but I can't seem to find a way to use an external RADIUS server (MS NPS) to authenticate ClearPass Administrators to use the software.

I went through and found the local TACACS [Policy Manager Admin Network Login Service], and noticed that I could not change it or use it with another RADIUS or RADIUS Proxy server with the [Admin Network Login Policy] Enforcement Policy.

My question to the masses: is it possible to point ClearPass Administrators to authenticate with an external/third-party RADIUS client (i.e. MS NPS) instead of using the local TACACS and user DB?

Any insight would be greatly appreciated.

Re: ClearPass Management User RADIUS

I am not aware of any way to do this. However, it is easy enough to set up your own CPPM login service and authenticate against AD if that's essentially what you were going for.

 

Here's what I did:

  1. Copied default CPPM login service.
  2. Placed the new login service above the default.
  3. Set my AD servers as the authentication source.
  4. Created a role mapping that mapped AD groups to predefined TACACS roles.
  5. And I left the Enforcement policy and profiles as they were.

 

 

MVP

Re: ClearPass Management User RADIUS

Ouch.. It seems external RADIUS authentication didn't make it to the 6.0.x release of CP. It's definitely there in cpguest 3.9.x..

Both RADIUS as external authentication server for guests and for operators seem to be gone.

I'm hoping this will come back in the next big release 6.1 due for March I think..

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
Occasional Contributor I

Re: ClearPass Management User RADIUS

John,

 

I believe for guest/mobility-users to authenticate to the WLAN(s) you can still use external RADIUS by setting up a proxy RADIUS server in CP 6.0.2.46902.

 

Unfortunately what I would like (required) to do is use an external RADIUS server to authenticate the CP Administrators using a third-party 2FA solution. These requirements also restrict me from using AD because the CP software does not recognize hard certs (Common Access Card) to log into the CP web interface.

 

Thank you both for your posts, hopefully in later patches/code upgrades this matter can be added to the already great features of CP.

 

 

Frequent Contributor I

Re: ClearPass Management User RADIUS

Hi, I've been searching for the same solution: having CP administrators and provisioners authenticated by Microsoft NPS.

When a CP administrator or provisioner accesses CP, it needs to authenticate using its domain credentials. Once the client starts, the authentication request hits CP, which should forward the request to NPS, which then does the authentication in Active Directory and assigns back the proper privilege level to the client.

I'm aware of the LDAP option in CP which can directly authenticate in AD, but I need to have NPS do the LDAP query, so basically I need CP just to do a passthrough.

Currently I'm using CP 6.5.5 but I don't see the external authentication server option available.

As this thread was created in 2013, I can imagine the option might be available by now.

Guru Elite

Re: ClearPass Management User RADIUS

Management authentication for ClearPass uses TACACS+, not RADIUS.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: ClearPass Management User RADIUS

So with TACACS, besides doing direct LDAP queries to Active Directory, can I forward the authentication requests to NPS as well? If so, do you have a link to the documentation on how to configure this?

If it is not possible, which I assume after reading the documentation, will Aruba build in support to pass through authentication requests to NPS in the near future?

Guru Elite

Re: ClearPass Management User RADIUS

NPS is a RADIUS server, not a TACACS server.

May I ask what the use case is here? ClearPass is designed to replace NPS. 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: ClearPass Management User RADIUS

Hi, sorry for my late reply.

The customer does not want to have NPS replaced by ClearPass due to company policy. Therefore I've been looking to forward requests from CP to NPS, which does the LDAP query in AD.

Currently I'm trying to see if it is OK to have CP do the LDAP directly in AD and bypass NPS, although it does not conform to company policy.

New Contributor

Re: ClearPass Management User RADIUS

I'm having the same issue. What we want is for the Administrators of the CPPM box to be authenticated against our external RADIUS, which has 2FA.

 

Is it possible for Network Administrator Login authentication to use external RADIUS, or are we just stuck with TACACS+ for admin login?

 

In my case, all privileged user (admin) accounts are stored on this RADIUS server, separate from the normal user databases.

 

So the question is, can ClearPass support this functionality/use case? We are using HW-CP5K running on 6.5.3.75367.