Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

ClearPass admin login - via external RADIUS server

This thread has been viewed 67 times

  • 1.  ClearPass admin login - via external RADIUS server

    Posted Dec 12, 2019 06:49 AM

    I just want to make sure I'm clear and up to date on this - is TACACS+ and local users the only option for admin user login to CPPM boxes? I have read that this is the case but the info was a few years old.

     

    We have an external RADIUS server which we use for management logins to our general network equipment so it would be ideal to use this for admin login to CPPM if possible.

     



  • 2.  RE: ClearPass admin login - via external RADIUS server

    Posted Dec 12, 2019 11:27 AM

    I have the same issue you do. First they tell me to use SAML SSO for admin log in but that causes issues as our clearpass server doing management log in doesn't share same certs and has to rely on other parts of the infrastructure. If oyu use TACACS+ you can only specify 1 IP address which breaks redundancy since my 3 Clearpass for management accounts are in different subnets. This futhure puts more reliance on other parts of our network for something that needs to run independant of failures of things on the network.



  • 3.  RE: ClearPass admin login - via external RADIUS server

    Posted Nov 05, 2021 09:58 AM
    I have the same issue, have you found a way to make it work with an external RADIUS server?

    ------------------------------
    Diego
    ------------------------------

    Original Message


  • 4.  RE: ClearPass admin login - via external RADIUS server

    EMPLOYEE
    Posted Nov 10, 2021 11:38 AM
    You can try to use RADIUS Proxy, or Token Server in your ClearPass Admin Authentication service. Both should use a backend RADIUS server for the authentication.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message


  • 5.  RE: ClearPass admin login - via external RADIUS server

    Posted Nov 26, 2021 11:51 AM
    Thank you Herman. 
    I found this post which did not help much but I am starting to think it may not be possible?

    When I tried using proxy Radius like you suggested, I get stuck when trying to create the enforcement profiles. If I try to use a "TACACS+ Based Enforcement" template, it will then allow me to add cpass:CLI and cpass:HTTP services. When choosing "RADIUS Based Enforcement" template, I can't add those two services. 

    Any additional suggestions?

    FYI We use Radiator running on Linux as our RADIUS server for admin user authentication.

    ------------------------------
    Diego
    ------------------------------

    Original Message


  • 6.  RE: ClearPass admin login - via external RADIUS server

    Posted May 18, 2022 11:57 AM
    Hi all,

    For reference we use Radiator TACACS+ and our configuration end up being:

    AuthorizeGroup admin permit service=cpass protocol=http {AdminPrivilege="Super Administrator"}
    AuthorizeGroup admin permit service=cpass protocol=cli {AdminPrivilege="Super Administrator"}

    Hopefully this helps someone in the future.

    ------------------------------
    mike Lee
    ------------------------------

    Original Message


  • 7.  RE: ClearPass admin login - via external RADIUS server

    EMPLOYEE
    Posted May 22, 2022 10:14 PM
    The ClearPass config to go with the Radiator TACACS+ bit Mike shared: 

    https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=72bcdff5-a399-426a-9fe6-4a866574162f

    ------------------------------
    Phillip Hichens
    ------------------------------

    Original Message