New Contributor

Clearpass as RADIUS Client

For 802.1X-based authentication, WLC acts as an authenticator and in turn communicates with external RADIUS servers. But NAS (Network Access Server) may be separate from WLC, e.g. Clearpass can be NAS.

So in the following network architecture, where Clearpass is acting as a NAS (and doing access control based on the RADIUS response from AAA), what shall be the communication mechanism between WLC and NAS (Note: it's 802.1x authentication)?

 

UE <--(EAPOL)--> WLC <--(??)--> NAS <---(RADIUS)----> AAA Server

 

Guru Elite

Re: Clearpass as RADIUS Client

RADIUS or RadSec is used between the NAS and the RADIUS server.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

New Contributor

Re: Clearpass as RADIUS Client

That is correct but my question was what protocol is used between WLC and NAS for 802.1x? If authenticator runs on WLC then how does NAS sniff RADIUS replies from RADIUS Server for user access control?

Guru Elite

Re: Clearpass as RADIUS Client

The WLC is the NAS. Not sure I understand your question. NAS to AAA server uses the RADIUS or RadSec protocols.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

New Contributor

Re: Clearpass as RADIUS Client

Let me ask it this way.

1) Can we have a NAS which is separate from WLC for 802.1x auth?

In the following way:
UE <—> WLC <—> NAS <—> RADIUS-Server

2) Clearpass itself can act as NAS for 802.1x? Right?

Guru Elite

Re: Clearpass as RADIUS Client

The NAS is always the WLC.

What are you actually trying to do/accomplish? Take out the terminology for a second.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

New Contributor

Re: Clearpass as RADIUS Client

Okay. Our AAA server is external and WLC is configured for 802.1x (EAP-TTLS). We are using Palo Alto as Firewall along with access control.

Once the AAA server has authenticated the user, it categorizes the users in certain access categories (in Access-Accept). But these categories have to be applied to Palo Alto which is being controlled by an entity (say X, which is kind of access controller).

Now because Access-Accept reaches WLC and not X, how to configure the firewall from X based on RADIUS server response?


[e.g. imagine X is Clearpass].