08-22-2014 04:32 AM
Simple question but have not found a solid answer anywhere?
Does Clearpass support Radius Forwarding with Instant Access Point?
ClearPass Policy Manager 188.8.131.52263 on CP-VA-5K platform.
08-22-2014 05:54 AM
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos
08-22-2014 05:57 AM - edited 08-22-2014 05:58 AM
This function been around since Window Server 2003 NPS, however I'm struggling to find this in the Clearpass Policy Manager.
The Clearpass Policy Manager is the Radius server.
RADIUS Access-Request messages are processed or forwarded by NPS only if the settings of the incoming message match at least one of the connection request policies configured on the NPS server.
If the policy settings match and the policy requires that the NPS server process the message, NPS acts as a RADIUS server, authenticating and authorizing the connection request.
If the policy settings match and the policy requires that the NPS server forwards the message, NPS acts as a RADIUS proxy and forwards the connection request to a remote RADIUS server for processing.
- explanation taken from http://msdn.microsoft.com/en-us/library/cc753603.a
08-22-2014 05:59 AM - edited 08-22-2014 06:02 AM
Yes you would just use the RADIUS proxy feature.
- Setup a proxy target:
Configuration > Network > Proxy Target
- Create a new RADIUS proxy service that matches the appropriate attributes or if you just want things to fall through to this, setup the basic rules like NAS-Port-Type and Service-Type and then put the service at the bottom of your 1X services.
08-22-2014 06:07 AM
This is what i initially presumed, however adding the Proxy Target, then adding a new RADIUS proxy service did not work.
If you don't mind, could you point out what we are missing?
I know the Proxy Target works correctly, as we have this option enabled using the Microsoft NPS previously.
08-22-2014 06:17 AM
Just added a few service rules to match the Aruba-Essid-Name. I can see the following errors:
Error Code: 208
Error Category: Authentication failure
Error Message: No response from home server
Is the Radius Proxy service suppose to have the Authorization option enabled or disabled?
08-22-2014 06:18 AM
You only need it if you are making decision in your enforcement policy with attributes from an authorization source. Since you have an allow all, you don't need it.
That error is saying that the NPS server did not respond. Can you check the NPS server event log for any errors?
08-22-2014 06:22 AM
Thanks for the fast replies so far.
I had the option to allow all for testing purposes, but have now tested this with one of our live policies without luck - same error.
The other end, it is suppose to be recieve the accounting forwarded packets but nothing recieved.