Occasional Contributor I
Posts: 5
Registered: ‎03-03-2014

Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

I am currently doing a POC for Clearpass and I'm trying to test some functionality by using Clearpass to help authenticate my Avaya/Nortel switch administration logins. I'm currently using the 5500 series switches. While setting the service in Clearpass to try to use AD, I can see the requests coming in but it can't seem to assign an Auth-Type to it. I then tried to use local authentication (local db) and I have that working and authenticating correctly in CP, but it doesn't seem to be sending back the right stuff to allow the login. Is there any documentation/white papers on this anywhere? I've been scouring Google for some pointers for quite some time and nothing concrete yet. Thanks for anything!

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

Did you look at any RADIUS guides for Avaya?  I know that Airwave for us requires a VSA called "Aruba-Admin-Role" to be passed back matching the roles defined in Airwave.  Something similar perhaps for Avaya switching?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

Have you tried the following:

For the Avaya 5500, you can set an Enforcement Profile that returns RADIUS IETF attribute Service-Type to either 6 or 7 for the following permissions. I am not sure anything more granular exists:

- 6 returns Administrative (read/write)
- 7 returns NAS Prompt (read only)

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
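
The Service-Type mapping from the reply above, as an added example that is not part of the original thread: a small RFC 2865 attribute parser that reports which login privilege an Access-Accept would grant, including the case where no Service-Type is returned at all. The function names and the sample packets are constructed for illustration.

```python
from __future__ import annotations
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
SERVICE_TYPE = 6    # IETF attribute type 6, value is a 32-bit integer
# Mapping as given in the reply above for the Avaya 5500.
PRIVILEGE = {6: "Administrative (read/write)", 7: "NAS Prompt (read only)"}


def parse_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Split the attribute area of a RADIUS packet into (type, value) pairs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # header: code, id, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def switch_privilege(packet: bytes) -> str:
    """Return the login privilege a reply grants under the 6/7 mapping."""
    if not packet or packet[0] != ACCESS_ACCEPT:
        return "no login (not an Access-Accept)"
    for a_type, value in parse_attributes(packet):
        if a_type == SERVICE_TYPE and len(value) == 4:
            st = struct.unpack("!I", value)[0]
            return PRIVILEGE.get(st, f"unmapped Service-Type {st}")
    return "no Service-Type returned"


def build_accept(service_type: int | None) -> bytes:
    """Constructed sample reply; the authenticator is zeroed, not a real one."""
    attrs = b""
    if service_type is not None:
        attrs = struct.pack("!BBI", SERVICE_TYPE, 6, service_type)
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(attrs), bytes(16))
    return header + attrs
```

Running `switch_privilege` over replies captured on the RADIUS server side is a quick way to confirm that read-only accounts really receive 7 and not 6.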

Occasional Contributor I
Posts: 5
Registered: ‎03-03-2014

Re: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

Thanks for the reply guys, I'll give that a shot.  

Occasional Contributor I
Posts: 5
Registered: ‎03-03-2014

Re: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

Clembo, that worked perfectly for passing the attribute back to the device! Now the other thing that I had listed in my first post is the other thing I'm trying to figure out. When trying to have this authenticate to AD instead of the local CP database, it doesn't seem to negotiate a correct Auth-Type on the CP side of things (I assume) but not sure. When using the local DB, it uses PAP with no issues. This isn't to say that there is something more I need to configure on the Avaya side, but I haven't found it yet if so. Any other ideas?

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

The service should work with either local db or AD.   What is the error on the Alerts tab in Access Tracker when you try to auth against AD?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 5
Registered: ‎03-03-2014

Re: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

This is what the alerts tab says on an unsuccessful AD attempt. Keep in mind a couple of things:

- I am using AD auth on other profiles so I know all those settings are correct
- I have tried adding in all of the authentication methods by themselves to try each

Error Code: 216
Error Category: Authentication failure
Error Message: User authentication failed

Alerts for this Request:
RADIUS: Cannot select appropriate authentication method

Guru Elite
Posts: 21,554
Registered: ‎03-29-2007

Re: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

In the service, what authentication methods do you already have configured?  Try adding PAP if it is not already in there.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 5
Registered: ‎03-03-2014

Re: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

cjoseph, currently in the profile using the local db auth, I noticed that it was using PAP on those successful auths so I thought this would also work when switching it to AD Auth, but it doesn't.  Like I had stated, I've tried all of the different auth types by themselves in the profile and then tested and none of them seemed to stick.

Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

BsFan14, try setting your AD auth source to "Allow bind using user password".

This is what works for me with auth method of PAP.

Regards,

Josh
___________
ACMP, ACCP