Frequent Contributor I
Posts: 61
Registered: ‎01-18-2012

Clearpass - Using EAP-PEAP for selected AD users

Hello,

 

Our network uses mainly EAP-TLS for network auth and that is working fine. I'm trying to set up access for selected users via EAP-PEAP and I cannot seem to be able to have the request hit the right rule.

We use Clearpass and I have set up two 802.1x rules, one for users trying to authenticate with EAP-PEAP on top of the main one for EAP-TLS auth.

 

2015-11-11 08_36_23-ClearPass Policy Manager - Aruba Networks.png

 

My problem is, even with the Authentication OuterMethod set to EAP-PEAP, users never seem to hit that rule.

 

2015-11-11 08_47_10-Photos.png

 

This particular user should have hit the PEAP rule but did not.

 

Any ideas on how I could make sure that EAP-PEAP users will hit the first rule?

 

Thanks

Guru Elite
Posts: 20,348
Registered: ‎03-29-2007

Re: Clearpass - Using EAP-PEAP for selected AD users

Add mschap as an authentication method.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 61
Registered: ‎01-18-2012

Re: Clearpass - Using EAP-PEAP for selected AD users

Hi cjoseph,

 

I've tried MSCHAP and EAP-MSCHAPv2 as both inner and outer methods with no luck.

 

Thanks

Frequent Contributor I
Posts: 61
Registered: ‎01-18-2012

Re: Clearpass - Using EAP-PEAP for selected AD users

I should add that I did put MSCHAP as an Authentication method:

 

2015-11-11 10_03_29-Photos.png

 

Thanks

Frequent Contributor I
Posts: 61
Registered: ‎01-18-2012

Re: Clearpass - Using EAP-PEAP for selected AD users

Would it be possible to add a Service condition that checks whether a user matches an AD Group?

 

On a Microsoft NPS server this was possible, I'm trying to replicate this on Clearpass.

Guru Elite
Posts: 20,348
Registered: ‎03-29-2007

Re: Clearpass - Using EAP-PEAP for selected AD users

Don't know if you got it fixed, but this is how mine is working:

peap.png



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 61
Registered: ‎01-18-2012

Re: Clearpass - Using EAP-PEAP for selected AD users

No, I haven't got it working correctly, but I will try adding both MSCHAP and EAP MSCHAPv2 and report back.

 

Thanks

Frequent Contributor I
Posts: 61
Registered: ‎01-18-2012

Re: Clearpass - Using EAP-PEAP for selected AD users

It's not working for me. Can I ask what are your service conditions?

Guru Elite
Posts: 20,348
Registered: ‎03-29-2007

Re: Clearpass - Using EAP-PEAP for selected AD users

It is pretty bare (PAP only is needed for Captive Portal; you can ignore that).

8021x-service-bare.png



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 485
Registered: ‎05-11-2011

Re: Clearpass - Using EAP-PEAP for selected AD users

Seems to me that Colin is answering for a pure EAP-PEAP case, not the question Yann is trying to get answered.

 

Yann, seems you can't use Authentication type during service categorization. It's probably logical (too early in the process or whatever), but someone with more knowledge of the process will have to explain why ;)

 

One way you could solve it is to add EAP-PEAP to main .1x service. In the role mapping do a test for "Authentication OuterMethod equals EAP-PEAP" AND the AD group you mentioned and give it a custom role like "EAP-PEAP-USER". Now you're free to add a "Tips Role NOT EQUALS EAP-PEAP-USER" to the EAP-TLS tests and whatever needed in the enforcement policy to give the EAP-PEAP-USER access.

 


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
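The role-mapping approach from the last reply, modelled in Python as an added example; it is not part of the thread and is not ClearPass code or its export format. The `ad_groups` key, the group DN and the profile names are assumptions; the point it shows is that once EAP-PEAP is enabled on the main service, PEAP requests from users outside the selected group must fall through to a deny.

```python
# Added model of the thread's suggestion; not ClearPass code or export format.
# "Authentication:OuterMethod" and the role EAP-PEAP-USER come from the thread;
# the "ad_groups" key, group DN and profile names are assumptions for illustration.
PEAP_GROUP = "CN=PEAP-Users,OU=Groups,DC=example,DC=com"  # constructed AD group


def map_roles(request):
    """Role mapping: tag the session only if outer method AND AD group both match."""
    roles = []
    if (request["Authentication:OuterMethod"] == "EAP-PEAP"
            and PEAP_GROUP in request.get("ad_groups", [])):
        roles.append("EAP-PEAP-USER")
    return roles


def enforce(request):
    """Enforcement policy: first applicable rule wins, default is deny."""
    roles = map_roles(request)
    method = request["Authentication:OuterMethod"]
    rules = [
        # Selected PEAP users get their own (hypothetical) profile.
        (lambda: "EAP-PEAP-USER" in roles, "PEAP-ACCESS"),
        # EAP-TLS test with the extra "Tips Role NOT EQUALS EAP-PEAP-USER" guard.
        (lambda: method == "EAP-TLS" and "EAP-PEAP-USER" not in roles, "TLS-ACCESS"),
    ]
    for condition, profile in rules:
        if condition():
            return profile
    return "DENY"  # PEAP attempts from anyone outside the group end up here


# Constructed sample requests, one per case worth checking.
SAMPLES = {
    "tls_laptop": {"Authentication:OuterMethod": "EAP-TLS", "ad_groups": []},
    "peap_selected": {"Authentication:OuterMethod": "EAP-PEAP",
                      "ad_groups": [PEAP_GROUP]},
    "peap_other": {"Authentication:OuterMethod": "EAP-PEAP",
                   "ad_groups": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
}


def evaluate_samples():
    return {name: enforce(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, profile in evaluate_samples().items():
        print(f"{name:15} -> {profile}")
```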