Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Failthrough using RADIUS and Clearpass

  • 1.  Failthrough using RADIUS and Clearpass

    Posted Dec 01, 2014 05:09 PM

    I am attempting to set up a wireless SSID that 2 groups of users can connect to. 1 set of users uses ClearPass, which is connected to a company AD server. The other group of users has a RADIUS connection on the controller to another DC under another company IT department. I have it set up so that when a user authenticates successfully using the RADIUS connection with the external company they are shuttled into a particular VLAN. The other gets the default VLAN for the VAP.

    The problem is that in order to allow these two to coexist I need users of the external company to be able to get rejected auth against the ClearPass server (I'm not worried about the load for rejections as they are a small subset of users). I set it up so it has fail through, which means since it's 802.1x I need to terminate at the controller, which I've done. The problem is that once it terminates the EAP-PEAP EAP-MSCHAP at the controller, if it attempts to fail from authenticating to the external RADIUS first and then moves on to ClearPass, ClearPass spits out a message in Access Tracker saying "Cannot select appropriate authentication method".

    Is there a situation I can get this to work other than setting up the ClearPass server to also be a RADIUS client for the other company's DC, and spitting that user back to the controller in a different role that then maps the alternate VLAN?

    Am I missing something?



  • 2.  RE: Failthrough using RADIUS and Clearpass

    EMPLOYEE
    Posted Dec 01, 2014 05:10 PM

    You can use the RADIUS proxy feature to send requests for those users to another RADIUS server.



  • 3.  RE: Failthrough using RADIUS and Clearpass
    Best Answer

    EMPLOYEE
    Posted Dec 01, 2014 05:11 PM

    You need to look at the attributes of the incoming RADIUS request that is not classified and see why it is not being classified by ClearPass.



  • 4.  RE: Failthrough using RADIUS and Clearpass

    Posted Dec 01, 2014 05:45 PM

    Thanks for the tips! Turns out I had added the MSCHAPv2 but not the basic MSCHAP authentication source to Clearpass, so it didn't know what to do with the inner auth.
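
Added example (not from the thread and not Aruba or ClearPass code): one way to follow the advice in reply 3 is to decode a captured Access-Request and see which authentication attributes it actually carries, since MS-CHAP and MS-CHAPv2 arrive as different Microsoft vendor-specific attributes (RFC 2548). The function names and the sample packets are constructed for illustration; attribute numbers are from RFC 2865, RFC 3579 and RFC 2548.

```python
import struct

VENDOR_MICROSOFT = 311                          # RFC 2548 vendor id
MS_METHODS = {1: "MSCHAP", 25: "MSCHAPv2"}      # MS-CHAP-Response, MS-CHAP2-Response
STD_METHODS = {79: "EAP", 3: "CHAP", 2: "PAP"}  # EAP-Message, CHAP-Password, User-Password

def tlvs(buf, what):
    """Yield (type, value) from a run of type/length/value fields."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError(f"malformed {what} at offset {pos}")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def classify_auth_method(packet):
    """Return the authentication method(s) an Access-Request carries."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    found = set()
    for atype, value in tlvs(packet[20:length], "attribute"):
        if atype == 26 and len(value) >= 4:     # Vendor-Specific
            if struct.unpack("!I", value[:4])[0] == VENDOR_MICROSOFT:
                for vtype, _ in tlvs(value[4:], "sub-attribute"):
                    if vtype in MS_METHODS:
                        found.add(MS_METHODS[vtype])
        elif atype in STD_METHODS:
            found.add(STD_METHODS[atype])
    return sorted(found) or ["unknown"]

def build_request(attrs):
    """Constructed sample: Access-Request with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

def ms_vsa(vendor_type, data):
    """Wrap data as a Microsoft vendor-specific attribute."""
    return 26, struct.pack("!I", VENDOR_MICROSOFT) + bytes([vendor_type, len(data) + 2]) + data

# Constructed samples (placeholder bytes, not captured traffic)
USER = (1, b"user@example.test")
EAP_REQ = build_request([USER, (79, b"\x02\x01\x00\x05\x01")])
MSCHAP_REQ = build_request([USER, ms_vsa(11, bytes(8)), ms_vsa(1, bytes(50))])
MSCHAPV2_REQ = build_request([USER, ms_vsa(11, bytes(16)), ms_vsa(25, bytes(50))])

if __name__ == "__main__":
    for name, pkt in [("eap", EAP_REQ), ("mschap", MSCHAP_REQ), ("mschapv2", MSCHAPV2_REQ)]:
        print(name, classify_auth_method(pkt))
```

Comparing the reported method with the authentication methods enabled on the service that should handle the request shows whether the request can match.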