Occasional Contributor II
Posts: 19
Registered: ‎09-19-2014

Does ClearPass authenticate against all authentication sources configured in a service?

After reading the "Authentication and Authorization Architecture and Flow" section in the documentation, I'm still unclear about how ClearPass handles multiple authentication sources. If a user is authenticated successfully against the first configured source, does it stop going down the list? I would assume yes.

 

But what if the enforcement policy for that service includes conditions that check multiple authorization sources, and the authentication and authorization are both the same source? For example, if I have authentication sources domain1.example.com, followed by domain2.example.com, and enforcement policies with these conditions: "Authorization:domain1.example.com:memberOf CONTAINS group1" and "Authorization:domain2.example.com:memberOf CONTAINS group2". If domain1 is not queried for authentication, the authorization attributes will not be gathered, and the enforcement conditions can't be checked. If the rule evaluation algorithm is set to check 'all applicable', does ClearPass go back and authenticate separately for domain2 so it can evaluate all of the rules?

Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

Re: Does Clearpass authenticate against all authentication sources configured in a service?

Yes, it stops going through the list once the user is found. It moves on to authorization based on the authorization list.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 19
Registered: ‎09-19-2014

Re: Does Clearpass authenticate against all authentication sources configured in a service?

Great, so once it moves on to authorization, it authenticates (gathering authorization attributes) against all applicable sources listed in the enforcement policy (assuming the all-applicable option is set), even if that source wasn't queried in the original authentication stage?

Occasional Contributor II
Posts: 19
Registered: ‎09-19-2014

Re: Does Clearpass authenticate against all authentication sources configured in a service?

Remember, I'm interested in situations where the authentication server is also set to gather authorization attributes.  They're not separate servers.

Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

Re: Does Clearpass authenticate against all authentication sources configured in a service?

It will always gather authorization information from the same authentication source.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 19
Registered: ‎09-19-2014

Re: Does Clearpass authenticate against all authentication sources configured in a service?

Even if that source wasn't queried for authentication during the authentication stage?

Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

Re: Does Clearpass authenticate against all authentication sources configured in a service?

Does the user exist in two authentication sources? I'm confused.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 19
Registered: ‎09-19-2014

Re: Does Clearpass authenticate against all authentication sources configured in a service?

No, the user should only be in one authentication source. But ClearPass doesn't know that, so when it gets to the authorization stage, and there are enforcement policies referencing authorization sources from which the user was not authenticated, one might expect ClearPass to attempt authentication against those sources to gather authorization attributes.

Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: Does Clearpass authenticate against all authentication sources configured in a service?

For the authorization stage, authentication is not done, but it will check the listed authorization sources for additional attributes if the account exists in another datastore.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
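
A small Python model of the flow described across this thread, added here as an illustration; it is not ClearPass code and was not posted by any participant. The directory contents, function names and profile names are constructed, and treating a rule whose source returned no attributes as a non-match is an assumption.

```python
# Model of the flow described in the thread; not ClearPass code.
# Directory contents, passwords and profile names are constructed samples.
D1, D2 = "domain1.example.com", "domain2.example.com"
DIRECTORIES = {
    D1: {"alice": {"password": "pw-a", "memberOf": ["group1"]},
         "carol": {"password": "pw-c1", "memberOf": ["group1"]}},
    D2: {"bob": {"password": "pw-b", "memberOf": ["group2"]},
         "carol": {"password": "pw-c2", "memberOf": ["group2"]}},
}
# (authorization source, group that memberOf must contain, enforcement profile)
RULES = [(D1, "group1", "profile1"), (D2, "group2", "profile2")]


def authenticate(user, password, auth_sources):
    """Return the source that authenticated the user, or None on reject."""
    for src in auth_sources:
        account = DIRECTORIES[src].get(user)
        if account is None:
            continue  # user not found here: try the next source
        # User found: the search stops here, whether or not the password matches.
        return src if account["password"] == password else None
    return None


def gather_attributes(user, auth_source, extra_authz_sources):
    """Look up memberOf in the auth source plus any extra authorization sources."""
    attrs = {}
    for src in [auth_source, *extra_authz_sources]:
        account = DIRECTORIES[src].get(user)  # lookup only, no password check
        if account is not None:
            attrs[src] = account["memberOf"]
    return attrs


def evaluate(attrs, all_applicable=True):
    """Assumption: a rule whose source returned no attributes does not match."""
    matched = [p for src, group, p in RULES if group in attrs.get(src, [])]
    return matched if all_applicable else matched[:1]


def login(user, password, auth_sources, extra_authz_sources=()):
    src = authenticate(user, password, auth_sources)
    if src is None:
        return None  # rejected
    return evaluate(gather_attributes(user, src, extra_authz_sources))
```

In this model a user who exists only in domain2 still reaches the domain2 rule, because the search falls through to the source that holds the account; the domain2 rule matches for a domain1-authenticated user only when domain2 is also listed as an authorization source and holds the same account.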
