MVP
Posts: 706
Registered: ‎12-01-2010

Double up RADIUS servers to ease a migration

We've been using Blackshield for 2-factor RADIUS and are now moving to SafeNet.

I can authenticate users to one or the other, so now I'm ready to migrate.

To test, I built a service and put Blackshield in as a source and got it working, then I put SafeNet in as a source and tested to make sure that worked too.

What I was hoping to do next is put them both in and have ClearPass try one and roll to the other if a user fails while we migrate users - the goal being to slip the change in without having to schedule a cut.

When I put both sources in the Authentication Sources box and click save, CPPM tells me that whichever one is first doesn't have an Authorization source set, so it must be listed last.

Both have Authorization sources, so I'm confused.

What am I missing?

[Attached screenshots: safenet-radius.png, blackshield-radius.png]

 

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Double up RADIUS servers to ease a migration

I am not sure on your specific problem but why not use two auth sources in the service and do it that way?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 706
Registered: ‎12-01-2010

Re: Double up RADIUS servers to ease a migration

I was clearly unclear ;)

That's what I'm trying to do. When I add either source alone, the service works; when I try to add another one, I can't save my changes as the first source doesn't meet CPPM's expectations.

--Matthew

MVP
Posts: 706
Registered: ‎12-01-2010

Re: Double up RADIUS servers to ease a migration

So far TAC agrees that it should work and are also puzzled.

They have been able to recreate the issue and so I'm sure a solution is forthcoming.

--Matthew

MVP
Posts: 1,407
Registered: ‎11-30-2011

Re: Double up RADIUS servers to ease a migration

just for future knowledge, did you / TAC solve this?

MVP
Posts: 706
Registered: ‎12-01-2010

Re: Double up RADIUS servers to ease a migration

Still have a TAC case open. I'm waiting on engineering to figure out why it isn't working as expected.

--Matthew

MVP
Posts: 706
Registered: ‎12-01-2010

Re: Double up RADIUS servers to ease a migration

TAC has reversed course. You can't get there from here.

Apparently the RADIUS-proxy process only fails to the next server if the first fails to respond, and you can't put two sources in the normal RADIUS configuration.

We're going to have to send all users the new tokens, and plan a cut date to drop the old and turn on the new rather than stand up two and let the users migrate. Ah well.

--Matthew

MVP
Posts: 706
Registered: ‎12-01-2010

Re: Double up RADIUS servers to ease a migration

Turns out I was able to solve this by another method - ClearPass saves the day!!

After pointing the VPN concentrator (Cisco ASA) at ClearPass and reading through the strings which the ASA sends to CPPM, I found that I could match the cryptotunnel name and username.

It's more work than I want, but it lets me match each user as they install the new token and send them to the new Authentication (2-factor) provider. Once all users from a particular group have converted, I can delete the individual services and replace them with a single service for the group. After all groups are done, I can delete all of the extra services and just point the catch-all VPN service at the end to the new provider.

As usual there is always one more way to skin the cat.

--Matthew

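The two behaviours this thread turns on, modelled as an added example (not ClearPass or Aruba code): a proxy chain that only moves on when a server does not answer, so an Access-Reject from the old provider is final, beside the attribute-based routing from the last post, where the tunnel-group name and username the ASA sends pick the backend. The backend names, token values, the `tunnel_group` attribute and the `MIGRATED` set are constructed assumptions.

```python
"""Model of the two migration strategies discussed in this thread.

Constructed sample data: two backends with per-user OTP values, and one
(tunnel-group, user) pair that has already enrolled on the new provider.
"""
from dataclasses import dataclass

ACCEPT, REJECT, TIMEOUT = "Access-Accept", "Access-Reject", "timeout"


@dataclass
class Backend:
    name: str
    tokens: dict        # user -> currently valid OTP (constructed sample data)
    up: bool = True     # False simulates a server that never answers

    def auth(self, user, otp):
        if not self.up:
            return TIMEOUT
        return ACCEPT if self.tokens.get(user) == otp else REJECT


def proxy_chain(backends, user, otp):
    """Behaviour TAC described: the proxy only tries the next server when the
    current one does not respond. A definitive Access-Reject ends the chain,
    so a user whose token is only valid on the second server is rejected."""
    for backend in backends:
        result = backend.auth(user, otp)
        if result != TIMEOUT:
            return backend.name, result
    return None, TIMEOUT


def route_by_attribute(request, migrated, old, new):
    """Workaround from the final post: pick the backend from attributes in the
    request (a constructed 'tunnel_group' stand-in for the ASA's tunnel name,
    plus User-Name). Enrolled users go to the new provider, the rest to the old."""
    key = (request["tunnel_group"], request["User-Name"])
    backend = new if key in migrated else old
    return backend.name, backend.auth(request["User-Name"], request["otp"])


# Constructed sample environment: alice has installed her new token, bob has not.
OLD = Backend("blackshield", {"alice": "111111", "bob": "222222"})
NEW = Backend("safenet", {"alice": "999999"})
MIGRATED = {("vpn-staff", "alice")}
```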