02-25-2015 09:57 AM
After reading the "Authentication and Authorization Architecture and Flow" section in the documentation, I'm still unclear about how ClearPass handles multiple authentication sources. If a user is authenticated successfully against the first configured source, does it stop going down the list? I would assume yes.
But what if the enforcement policy for that service includes conditions that check multiple authorization sources, and the authentication and authorization are both the same source? For example, if I have authentication sources domain1.example.com, followed by domain2.example.com, and enforcement policies with these conditions: "Authorization:domain1.example.com:memberOf CONTAINS group1" and "Authorization:domain2.example.com:memberOf CONTAINS group2". If domain1 is not queried for authentication, the authorization attributes will not be gathered, and the enforcement conditions can't be checked. If the rule evaluation algorithm is set to check 'all applicable', does ClearPass go back and authenticate separately for domain2 so it can evaluate all of the rules?
02-25-2015 09:58 AM
02-25-2015 10:02 AM
Great, so once it moves on to authorization, it authenticates (gathering authorization attributes) against all applicable sources listed in the enforcement policy (assuming the all-applicable option is set), even if that source wasn't queried in the original authentication stage?
02-25-2015 10:05 AM
Remember, I'm interested in situations where the authentication server is also set to gather authorization attributes. They're not separate servers.
02-25-2015 10:18 AM
02-25-2015 10:23 AM
02-25-2015 10:30 AM
No, the user should only be in one authentication source. But ClearPass doesn't know that, so when it gets to the authorization stage, and there are enforcement policies referencing authorization sources from which the user was not authenticated, one might expect ClearPass to attempt authentication against those sources to gather authorization attributes.
07-27-2015 09:22 PM
For the authorization stage, authentication is not done, but it will check the listed authorization sources for additional attributes if the account exists in another datastore.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
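As an added illustration of the flow described in this thread (a simplified model written for this page, not ClearPass code or its actual implementation): authentication stops at the first source that accepts the credentials, the authorization stage then reads attributes from every listed source where the account exists without re-authenticating, and the enforcement rules are evaluated in either 'first applicable' or 'all applicable' mode. The source names, users, passwords and groups are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Source:
    """One directory; users maps name -> {'password': str, 'memberOf': [...]} (constructed)."""
    name: str
    users: dict

    def authenticate(self, user, pw):
        rec = self.users.get(user)
        return rec is not None and rec["password"] == pw

    def attributes(self, user):
        """Authorization lookup only: no credential check; None if the account is absent."""
        rec = self.users.get(user)
        return None if rec is None else {"memberOf": list(rec["memberOf"])}

def authenticate(user, pw, auth_sources):
    """Walk the ordered authentication list; stop at the first source that accepts the user."""
    for src in auth_sources:
        if src.authenticate(user, pw):
            return src.name
    return None

def gather_authorization(user, authz_sources):
    """Query every listed authorization source (no re-authentication); keep those with the account."""
    return {s.name: a for s in authz_sources if (a := s.attributes(user)) is not None}

def evaluate_policy(attrs, rules, mode="all-applicable"):
    """rules: ((source, attribute, value), profile) = 'Authorization:<source>:<attribute> CONTAINS <value>'."""
    matched = []
    for (source, attribute, value), profile in rules:
        # A source where the account does not exist contributes no attributes, so its rule cannot match.
        if value in attrs.get(source, {}).get(attribute, []):
            matched.append(profile)
            if mode == "first-applicable":
                break
    return matched

def run(user, pw, auth_sources, authz_sources, rules, mode="all-applicable"):
    """Full flow: authentication, then authorization gathering, then enforcement evaluation."""
    auth_src = authenticate(user, pw, auth_sources)
    if auth_src is None:
        return None, []
    return auth_src, evaluate_policy(gather_authorization(user, authz_sources), rules, mode)

# Constructed sample data mirroring the question: two domains, one rule per domain.
DOMAIN1 = Source("domain1.example.com", {"alice": {"password": "pw1", "memberOf": ["group1"]}})
DOMAIN2 = Source("domain2.example.com", {"alice": {"password": "other", "memberOf": ["group2"]},
                                          "bob": {"password": "pw2", "memberOf": ["group2"]}})
RULES = [(("domain1.example.com", "memberOf", "group1"), "Profile-Group1"),
         (("domain2.example.com", "memberOf", "group2"), "Profile-Group2")]
```

With alice present in both directories, she authenticates only against domain1, yet both rules match in all-applicable mode because domain2 is still consulted for attributes; bob, who exists only in domain2, matches only the domain2 rule.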