I'm having difficulty setting up ClearPass to be used as the Radius Server for my evaluation of Always on VPN. The NPS is set to forward all requests to ClearPass and hopefully receive an allow or deny message back.
I have set up a service, policy, roles and role mappings (see attachments); however, it's not able to classify the login as one thing or another.
Could anyone suggest how I go about this instead?
From the radius request details
From the computed attributes
Is there another way to make sure these have to match to work?
Thanks Tim, that makes sense.
I'll try that and see what happens.
Okay so I've created this instead.
Still allows access even though it shouldn't as user-name and msUPN are different accounts (they are both valid accounts though).
If the msUPN is an invalid account it certainly doesn't work.
Did you ever get this fully working? We are about to start testing AOVPN and I'd rather use ClearPass than build an M$ server.
What are you passing back to the server to tell it that it is authenticated and let the user in? What are you putting in the Enforcement Profile? What documents did you use to help create this? Any updates?
We're trying to do the same, pass the authentication to ClearPass, but not sure what we're missing. We pass back an access accept but the always-on server denies the device. Any ideas on what we're missing here in the enforcement profile?
I think the question would be to figure out what the RAS Server from MS needs in order to allow the client. I would expect that the RAS would need some special VSA to fully authenticate the user and that a simple accept is not enough.