Occasional Contributor II

Failthrough using RADIUS and Clearpass

I am attempting ot set up a wireless SSID that 2 groups of users can connect to, 1 set of users uses clearpass which is connected to a company AD server. The other group of users has a RADIUS connection on the controller to another DC under another company IT department. I have it set up so that when a user authenticates successfully using the RADIUS connection with the external company they are shuttled into a particular VLAN. The other gets the default VLAN for the VAP.


The problem is that in order to allow these two to coexist I need users of the external company to be able to get rejected auth against the clearpass server (I'm not worried about the load for rejections as they are a small subset of users). I set it up so it has fail through, which means since it's 802.1x i need to terminate at the controller, which i've done. The problem is that once it terminates the EAP-PEAP EAP-MSCHAP at the controller, if it attempts to fail from authenticating to the external radius first and then moves on to clearpass, clearpass spits out a message in access tracker saying "Cannot select appropriate authentication method".


Is there a situation I can get this to work other than setting up the Clearpass server to also be a radius client for the other company's DC, and spitting that user back to the controller in a different role that then maps the alternate VLAN?


Am I missing something?

Guru Elite

Re: Failthrough using RADIUS and Clearpass

You can use the RADIUS proxy feature to send requests for those users to another RADIUS server.

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
Guru Elite

Re: Failthrough using RADIUS and Clearpass

You need to look at the attributes of the incoming radius request that is not classified and see why it is not being classified by clearpass.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Occasional Contributor II

Re: Failthrough using RADIUS and Clearpass

Thanks for the tips! Turns out I had added the MSCHAPv2 but not the basic MSCHAP authentication source to Clearpass, so it didn't know what to do with the inner auth.


Search Airheads
Showing results for 
Search instead for 
Did you mean: