Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

  • 1.  What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

    Posted Apr 18, 2016 02:59 PM

    We use Microsoft MFA for two-factor authentication (2FA). MFA can be used as a RADIUS server so I created a Service in my CPPM to use MFA as the authentication source. When I attempt to authenticate to a device now, I get the expected phone call from MFA and I enter my PIN as required for that system. MFA logs indicate I passed authentication but CPPM is showing a failed auth message. What am I missing? Are there specific vendor-specific attributes (VSAs) I need to configure for MFA to send back to CPPM?



  • 2.  RE: What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

    Posted Apr 19, 2016 10:28 AM

    Any takers?



  • 3.  RE: What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

    Posted Apr 19, 2016 10:53 AM

    You didn't say why the RADIUS auth was failing. Is it timing out waiting for the MFA to complete? The default timeout is only 10 seconds.



  • 4.  RE: What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

    Posted Apr 19, 2016 11:07 AM

    Error Code: 206
    Error Category: Authentication failure
    Error Message: Access denied by policy
    Alerts for this Request: RADIUS Applied 'Reject' profile



  • 5.  RE: What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

    Posted Apr 19, 2016 11:11 AM

    I also have increased the timeout on the CPPM service as well as the ASA aaa config to 40 seconds.



  • 6.  RE: What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

    Posted Apr 19, 2016 11:26 AM

    Also, I've verified with a packet capture on the MFA server that a RADIUS Access-Accept(2) message is being returned to CPPM.



  • 7.  RE: What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

    Posted Apr 20, 2016 04:07 PM

    bump



  • 8.  RE: What are best practices or tips to use a RADIUS server as authentication source for ClearPass?
    Best Answer

    Posted Apr 26, 2016 09:30 AM

    It turns out that I needed to use a separate Authorization source. Before this requirement I had never written a ClearPass RADIUS service that used separate Authentication and Authorization sources. In this case, Authentication points to MFA as a RADIUS service and Authorization points to Active Directory. Thanks to TAC for helping me with this one.
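
Added example, not part of any post in this thread: a decoder for a captured RADIUS reply such as the Access-Accept checked in post 6. It verifies the RFC 2865 Response Authenticator against the shared secret and lists the attributes the reply carries, which is what the VSA question in post 1 comes down to. The shared secret, request authenticator and sample packet are constructed values.

```python
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# Attribute types that commonly carry authorization data (RFC 2865):
# Filter-Id (11), Class (25), Vendor-Specific (26).
AUTHZ_TYPES = {11, 25, 26}

def build_reply(code, ident, request_auth, attrs, secret):
    """Build a reply packet; used here only to construct sample input."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + auth + body

def inspect_reply(packet, request_auth, secret):
    """Decode a RADIUS reply and verify its Response Authenticator."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured bytes")
    body = packet[20:length]  # bytes past the declared length are padding
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return {
        "code": CODES.get(code, "code %d" % code),
        "id": ident,
        "authenticator_ok": hmac.compare_digest(expected, packet[4:20]),
        "attributes": attrs,
        "authz_types": sorted({t for t, _ in attrs} & AUTHZ_TYPES),
    }

# Constructed sample values, not taken from the thread.
REQ_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"
SAMPLE = build_reply(2, 7, REQ_AUTH, [(18, b"ok")], SECRET)  # 18 = Reply-Message

if __name__ == "__main__":
    print(inspect_reply(SAMPLE, REQ_AUTH, SECRET))
```

A reply that decodes as Access-Accept with a valid authenticator but an empty `authz_types` list has authenticated the user without returning any of those authorization attributes.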