MVP
Posts: 1,110
Registered: ‎10-11-2011

Many authentication sources

I have several sites, each with their own CP server and AD server.  I've created a service for each site and added their local AD server as the first authentication source.  As a second authentication source for each site, I've selected our AD servers at our DR facility in case the local AD server fails.  I believe this will accomplish fail-through of authentication sources if the first authentication source (local AD servers) is unavailable.  However, I'm wondering what happens for authentications that fail on the first AD server, if someone uses incorrect credentials. Does the authentication fail through to the next authentication source?   If so, this may be undesirable since the AD servers all contain the same records, and I'd be querying the second authentication source for no reason.  I'd like to know in which cases secondary or tertiary authentication sources would be used.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite
Posts: 20,995
Registered: ‎03-29-2007

Re: Many authentication sources

Compnerd,

You need to add backup servers into the backup parameter for redundancy of each authentication source to accomplish that.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Many authentication sources

Here's what I did:

Authentication source 1: Primary Site AD Servers
  Primary: AD Server 1
  Backup: AD Server 2

Authentication source 2: DR AD servers
  Primary: AD Server 1
  Backup: AD Server 2

 

If the primary AD server in authentication source 1 goes down, we fail to the backup AD server at Site 1.  I added authentication source 2 in case both AD servers at site 1 are inaccessible.  Will authentication not fail through to authentication source 2 if authentication source 1 is inaccessible?

 

Since my understanding was incorrect, can you please explain in what use case multiple authentication sources would be set up?

 

Thanks.

Guru Elite
Posts: 20,995
Registered: ‎03-29-2007

Re: Many authentication sources

If you look at the context-specific help when you are editing the service, it will detail all of this.  I am going to copy and paste it below.  With multiple authentication sources, CPPM will look to see if the user exists in the authentication source.  If it does not exist, it will move on to the next one.  If the user exists and the password is rejected, a reject is sent back to the NAS device and everything stops there.  If you have the same database, you should use the backup tab in the authentication source to list servers that you want to be tried in case the first server is unresponsive:

 

Authentication and Authorization

As the first step in Service-based processing, Policy Manager uses an Authentication Method to authenticate the user or device against an Authentication Source. Once the user or device is authenticated, Policy Manager fetches attributes for role mapping policies from the Authorization Sources associated with this Authentication Source.

Architecture and Flow

Policy Manager divides the architecture of authentication and authorization into three components:

  Authentication Method. Policy Manager initiates the authentication handshake by sending available methods, in priority order, until the client accepts a method or until it NAKs the last method, with the following possible outcomes:
    Successful negotiation returns a method, for use in authenticating the client against the Authentication Source.
    Where no method is specified (for example, for unmanageable devices), Policy Manager passes the request to the next configured policy component for this Service.
    Policy Manager rejects the connection.

  An Authentication Method is only configurable for some service types (Refer to Policy Manager Service Types). All 802.1X services (wired and wireless) have an associated Authentication Method. An authentication method (of type MAC_AUTH) can be associated with the MAC authentication service type.

  Authentication Source. In Policy Manager, an authentication source is the identity store (Active Directory, LDAP directory, SQL DB, token server) against which users and devices are authenticated. Policy Manager first tests whether the connecting entity - device or user - is present in the ordered list of configured Authentication Sources. Policy Manager looks for the device or user by executing the first Filter associated with the authentication source. Once the device or user is found, Policy Manager then authenticates this entity against this authentication source. The flow is outlined below:
    On successful authentication, Policy Manager moves on to the next stage of policy evaluation, which is to collect role mapping attributes from the authorization sources.
    Where no authentication source is specified (for example, for unmanageable devices), Policy Manager passes the request to the next configured policy component for this Service.
    If Policy Manager does not find the connecting entity in any of the configured authentication sources, it rejects the request.

  Once Policy Manager successfully authenticates the user or device against an authentication source, it retrieves role mapping attributes from each of the authorization sources configured for that authentication source. It also, optionally, can retrieve attributes from authorization sources configured for the Service.


Colin Joseph
Aruba Customer Engineering

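As an added illustration (not from the thread, the help text or ClearPass itself), a small Python model of the ordered-source evaluation just described: a user absent from a source falls through to the next source, a wrong password is rejected by the source where the user is found and nothing further is consulted, and an unresponsive server is covered by the backup list inside the same source. All names, servers and credentials are constructed; how CPPM behaves when every server in a source is down is not stated in the thread, so that case is flagged as an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    users: dict                 # username -> password (constructed identity store)
    reachable: bool = True


@dataclass
class AuthSource:
    name: str
    primary: Server
    backups: list = field(default_factory=list)


def lookup(source, user):
    """Backup-tab semantics: ask the primary, then each backup, until one answers.
    Returns (server, status) with status in {'found', 'not_found', 'unreachable'}."""
    for srv in [source.primary, *source.backups]:
        if srv.reachable:
            return srv, ("found" if user in srv.users else "not_found")
    return None, "unreachable"


def authenticate(user, password, sources, trace):
    """Walk the ordered authentication sources the way the help text describes.
    `trace` collects (source, server, status) so you can see what was consulted."""
    for src in sources:
        srv, status = lookup(src, user)
        trace.append((src.name, srv.name if srv else None, status))
        if status == "unreachable":
            # Assumption: the thread does not say what CPPM does when every server in
            # a source is down, so this model stops with an explicit error rather than
            # silently falling through to the next source.
            return "ERROR_SOURCE_UNREACHABLE"
        if status == "not_found":
            continue                        # user absent here -> try the next source
        # user exists in this source: the password is checked here and only here
        return "ACCEPT" if srv.users[user] == password else "REJECT"
    return "REJECT"                         # user found in no configured source


def build_sources(site_dc1_up=True, site_dc2_up=True):
    """Constructed layout mirroring the thread: site AD (primary + backup), then DR AD."""
    site = {"alice": "s3cret"}
    return [
        AuthSource("Primary Site AD", Server("site1-dc1", site, site_dc1_up),
                   [Server("site1-dc2", site, site_dc2_up)]),
        AuthSource("DR AD", Server("dr-dc1", {**site, "contractor": "pw"})),
    ]
```

Run `authenticate("alice", "wrong", build_sources(), trace)` and inspect `trace`: only the first source appears, which is the answer to the original question about wasted queries to the DR servers.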

Guru Elite
Posts: 20,995
Registered: ‎03-29-2007

Re: Many authentication sources

To add to that, you don't even have to put a list of IP addresses for primary or backup servers in particular.  You can just put in the domain for the hostname and CPPM will enumerate AD and find an available AD server.  Those servers do NOT have to be set up as RADIUS devices or anything.  They just need to be a domain controller to service an authentication:

[Screenshot: servers.png]



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Many authentication sources

You're right.  I missed those tidbits of info in the help.  Scrolled right past them!  Thank you for pointing that information out.

 

Your second reply brings up something that I've been trying to find out, but keep getting different answers from Aruba employees.  I've been creating a separate service with authentication sources for each site so that we don't have authentications going across the WAN.  Based on what you're saying, it sounds like I don't need to set up site-specific services and authentication sources.  I need to test this!

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Many authentication sources

I was able to test AD authentication using the domain name rather than a server FQDN.  I set up a packet capture in CP and generated an authentication.  I can confirm that the CP servers are using their local AD server for authentication.  This is a great find since I understood this was not possible!

 

This leads me to my next question.  If I use the domain name as the primary server, should I set up a backup server with an actual AD FQDN?  I want to be sure that in case a failure of the primary AD server occurs, CP will use another server.  I can't properly test this in my environment since I can't take an AD server out of service.

Aruba Employee
Posts: 12
Registered: ‎10-24-2012

Re: Many authentication sources

I just want to make some clarification. The screenshot that is being shown is for LDAP lookups and attribute fetching, not for authentication.

 

Authentication is handled by samba/winbind and DNS.

So if you have AD sites and services configured, DNS will return the AD servers that are in charge of those subnets.
Otherwise we will send to any of the AD servers that DNS returns.

 

In 6.1.1 (which came out on Monday) we added a new CLI option to specify the 'password server', which is the server or list of servers that we will send the authentication request to.
This allows you to specify the FQDN or IP of the DCs local to that CPPM server. Or in your case, 1 or 2 local and 1 remote.

 

It is, however, a good idea to shorten the LDAP timeout if you are using the domain in the authentication profile. Otherwise there is the possibility that the RADIUS session will time out waiting for an LDAP response.

 

Hope this helps.

 

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Many authentication sources

Not sure I follow, Gary.

 

These are authentication sources that we're configuring, are they not?  My understanding is that authentication sources are used for authentication as well as authorization (attribute fetching).

 

We do have AD Sites and Services configured.  So I assumed that since I changed the primary server to the domain name in my authentication source, I'm now leveraging AD S&S to determine the local AD server for authentication and authorization.  A local AD server is returned as the result of resolving the primary server domain name in the authentication source; it should be used to authenticate the credentials (using samba/winbind) and then perform an LDAP lookup to retrieve attributes for those credentials, right?

Guru Elite
Posts: 20,995
Registered: ‎03-29-2007

Re: Many authentication sources

thecompnerd,

 

<From Gary>

 

That field is ONLY used for LDAP lookups and attribute fetching.  It is also used to look up a user to see if it exists, BEFORE AUTHENTICATION.  Authentication is sent through Winbind, and transmitted to an available Domain Controller... "Which DC is actually determined by AD Sites and Services, where the end user specifies what subnets go to what DCs."



Colin Joseph
Aruba Customer Engineering
