Frequent Contributor I
Posts: 69
Registered: ‎05-06-2013

What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

We use Microsoft MFA for two-factor authentication (2FA). MFA can be used as a RADIUS server so I created a Service in my CPPM to use MFA as the authentication source. When I attempt to authenticate to a device now, I get the expected phone call from MFA and I enter my PIN as required for that system. MFA logs indicate I passed authentication but CPPM is showing a failed auth message. What am I missing? Are there specific vendor-specific attributes (VSAs) I need to configure for MFA to send back to CPPM?

Frequent Contributor I
Posts: 69
Registered: ‎05-06-2013

Re: What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

Any takers?

Community Administrator
Posts: 33
Registered: ‎11-01-2012

Re: What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

You didn't say why the RADIUS auth was failing. Is it timing out waiting for the MFA to complete? The default timeout is only 10 seconds.

Frequent Contributor I
Posts: 69
Registered: ‎05-06-2013

Re: What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

Error Code: 206
Error Category: Authentication failure
Error Message: Access denied by policy
Alerts for this Request: RADIUS Applied 'Reject' profile

Frequent Contributor I
Posts: 69
Registered: ‎05-06-2013

Re: What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

I also have increased the timeout on the CPPM service as well as the ASA aaa config to 40 seconds.

Frequent Contributor I
Posts: 69
Registered: ‎05-06-2013

Re: What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

Also, I've verified with a packet capture on the MFA server that a RADIUS Access-Accept(2) message is being returned to CPPM.

Frequent Contributor I
Posts: 69
Registered: ‎05-06-2013

Re: What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

bump

Frequent Contributor I
Posts: 69
Registered: ‎05-06-2013

Re: What are best practices or tips to use a RADIUS server as authentication source for ClearPass?

It turns out that I needed to use a separate Authorization source. Before this requirement I had never written a ClearPass RADIUS service that used separate Authentication and Authorization sources. In this case, Authentication points to MFA as a RADIUS service and Authorization points to Active Directory. Thanks to TAC for helping me with this one. 
