Occasional Contributor I
Posts: 5
Registered: ‎08-22-2014

Does Clearpass support Radius Forwarding?

Simple question but have not found a solid answer anywhere?

Does Clearpass support Radius Forwarding with Instant Access Point?

ClearPass Policy Manager 6.4.0.66263 on CP-VA-5K platform.

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: Does Clearpass support Radius Forwarding?

Can you explain a bit more? What is radius forwarding?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Does Clearpass support Radius Forwarding?

If this is radius proxy then yes this is supported regardless of device type
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Occasional Contributor I
Posts: 5
Registered: ‎08-22-2014

Re: Does Clearpass support Radius Forwarding?

This function has been around since Windows Server 2003 NPS, however I'm struggling to find this in the Clearpass Policy Manager.

The Clearpass Policy Manager is the Radius server.

RADIUS Access-Request messages are processed or forwarded by NPS only if the settings of the incoming message match at least one of the connection request policies configured on the NPS server.

If the policy settings match and the policy requires that the NPS server process the message, NPS acts as a RADIUS server, authenticating and authorizing the connection request.

If the policy settings match and the policy requires that the NPS server forwards the message, NPS acts as a RADIUS proxy and forwards the connection request to a remote RADIUS server for processing.

- explanation taken from http://msdn.microsoft.com/en-us/library/cc753603.aspx

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: Does Clearpass support Radius Forwarding?

Yes you would just use the RADIUS proxy feature.

- Set up a proxy target:

   Configuration > Network > Proxy Target

[Screenshot: nps-proxy-1.JPG]

- Create a new RADIUS proxy service that matches the appropriate attributes or, if you just want things to fall through to this, set up the basic rules like NAS-Port-Type and Service-Type and then put the service at the bottom of your 1X services.

[Screenshot: radius-proxy-service.JPG]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 5
Registered: ‎08-22-2014

Re: Does Clearpass support Radius Forwarding?

This is what I initially presumed, however adding the Proxy Target, then adding a new RADIUS proxy service did not work.

If you don't mind, could you point out what we are missing?

I know the Proxy Target works correctly, as we have this option enabled using the Microsoft NPS previously.

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: Does Clearpass support Radius Forwarding?

Are you seeing anything hit the service in Access Tracker?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 5
Registered: ‎08-22-2014

Re: Does Clearpass support Radius Forwarding?

Just added a few service rules to match the Aruba-Essid-Name. I can see the following errors:

Error Code:    208
Error Category:    Authentication failure
Error Message:    No response from home server

Is the Radius Proxy service supposed to have the Authorization option enabled or disabled?

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: Does Clearpass support Radius Forwarding?

You only need it if you are making decisions in your enforcement policy with attributes from an authorization source. Since you have an allow all, you don't need it.

That error is saying that the NPS server did not respond. Can you check the NPS server event log for any errors?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 5
Registered: ‎08-22-2014

Re: Does Clearpass support Radius Forwarding?

Thanks for the fast replies so far.

I had the option to allow all for testing purposes, but have now tested this with one of our live policies without luck - same error.

On the other end, it is supposed to receive the accounting forwarded packets, but nothing is received.
