Contributor I
Posts: 31
Registered: ‎02-18-2015

Need to setup an external RADIUS server as an Authentication source in CPPM

Does ClearPass support an external RADIUS server as an authentication source? I checked under authentication sources by adding a new authentication source. But I don't see an option under "Type" for "RADIUS Server". The only option that would possibly apply in my case seems to be the "Token Server".

The reason why I need this is that I have a use case where we may need to point to an external SteelBelt RADIUS. I will try to convince the client to just replace that system with ClearPass but in the meantime...

I wonder if anyone has tried to set up an external RADIUS server as an authentication source in CPPM? And is Token Server the right option?

Guru Elite
Posts: 8,191
Registered: ‎09-08-2010

Re: Need to setup an external RADIUS server as an Authentication source in CPPM

Are you on 6.5?


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor I
Posts: 31
Registered: ‎02-18-2015

Re: Need to setup an external RADIUS server as an Authentication source in CPPM

Nah running 6.4.4 right now.  But since I am in the eval stages of the product I am open to anything that works. 

Guru Elite
Posts: 8,191
Registered: ‎09-08-2010

Re: Need to setup an external RADIUS server as an Authentication source in CPPM

6.5 adds support for external RADIUS authentication.

Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor I
Posts: 31
Registered: ‎02-18-2015

Re: Need to setup an external RADIUS server as an Authentication source in CPPM

It looks like the "Token Server" template may work to set up an external RADIUS server. It looks like ClearPass acts as a RADIUS proxy in this case. I set it up and did some tests with a bogus account, and with ClearPass packet capture I see the RADIUS request go out with "AVP - proxy state" defined. I also see the external RADIUS server send "access-rejects" in response to the proxy requests. It's rejected because I used a bogus account.

But seems like this would work... It makes sense since AmigoPod claimed that it could talk to external RADIUS servers a while back. I guess it doesn't matter anymore since 6.5 has explicit support for external RADIUS. My guess is that it's a similar setup to the token server on 6.4.

Thanks for pointing out the 6.5 support bit. I'll play with that when I upgrade. 
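An added example, not part of the thread and not ClearPass code: a small RFC 2865 packet parser for checking a capture like the one described above, confirming that the proxied Access-Request carries a Proxy-State attribute (type 33) and that the external server's reply echoes it with the same identifier. The packets, user name and Proxy-State value are constructed samples, and the Response Authenticator is not verified because that needs the shared secret.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
PROXY_STATE = 33  # attribute type, RFC 2865 section 5.33


def parse_radius(pkt: bytes) -> dict:
    """Parse a RADIUS packet (RFC 2865 section 3) into code, id and attributes."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length field")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = pkt[off], pkt[off + 1]
        if a_len < 2 or off + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, pkt[off + 2:off + a_len]))
        off += a_len
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}


def proxy_states(parsed: dict) -> list:
    """Return every Proxy-State value, in packet order."""
    return [v for t, v in parsed["attrs"] if t == PROXY_STATE]


def reply_matches(request: bytes, reply: bytes) -> bool:
    """A reply belongs to a proxied request if the id and Proxy-State are echoed."""
    req, rep = parse_radius(request), parse_radius(reply)
    return req["id"] == rep["id"] and proxy_states(req) == proxy_states(rep)


def build(code: int, ident: int, attrs: list) -> bytes:
    """Build a sample packet with a zeroed authenticator (constructed data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples: proxied request for a bogus account, and two replies.
REQUEST = build(1, 42, [(1, b"bogus-user"), (PROXY_STATE, b"cppm-0001")])
REJECT = build(3, 42, [(PROXY_STATE, b"cppm-0001")])
REJECT_NO_STATE = build(3, 42, [])
```

An Access-Reject that comes back without the Proxy-State points at the external server or an intermediate hop rather than at the account being tested.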
