Security

last person joined: 5 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Using ClearPass Radius for authentication on Always on VPN

  • 1.  Using ClearPass Radius for authentication on Always on VPN

    Posted Nov 06, 2018 11:36 AM

    Hi Guys,

     

    I'm having difficulty settings up ClearPass to be used as the Radius Server for my evaluation of Always on VPN. The NPS is set to forward all requests to ClearPass and hopefully receive an allow or deny message back.

     

    I have set up a service, policy, roles and role mappings (see attachments) however it's not able to classify the login as one thing or another. 

     

    Could anyone suggest how I go about this instead?

     

    Wes1.PNG2.PNG3.PNG4.PNG5.PNG



  • 2.  RE: Using ClearPass Radius for authentication on Always on VPN

    Posted Nov 06, 2018 11:38 AM
    You can’t use a certificate’s value in service categorization as it hasn’t been presented yet.


  • 3.  RE: Using ClearPass Radius for authentication on Always on VPN

    Posted Nov 07, 2018 09:25 AM

    From the radius request details

     

    Radius:IETF:User-Name

     

    From the computed attributes

     

    Certificate:Subject-AltName-msUPN

     

     

    Is there another way to make sure these have to match to work?



  • 4.  RE: Using ClearPass Radius for authentication on Always on VPN

    Posted Nov 07, 2018 09:29 AM
    You can only use those in policy, not service categorization.


  • 5.  RE: Using ClearPass Radius for authentication on Always on VPN

    Posted Nov 07, 2018 10:36 AM

    Thanks Tim that makes sense.

     

    I'll try that and see what happens.



  • 6.  RE: Using ClearPass Radius for authentication on Always on VPN

    Posted Nov 08, 2018 04:27 AM

    Okay so I've created this instead.

     

    1.PNG2.PNG3.PNG4.PNG5.PNG6.PNG7.PNG

     

    Still allows access even though it shouldn't as user-name and msUPN are different accounts (they are both valid accounts though).

     

    If the msUPN is an invalid account it certainly doesn't work.



  • 7.  RE: Using ClearPass Radius for authentication on Always on VPN

    Posted Mar 08, 2019 06:03 AM

    Did you ever get this fully working? We are about to start testing AOVPN and i'd rather use clearpass to than build an M$ server.



  • 8.  RE: Using ClearPass Radius for authentication on Always on VPN

    Posted Apr 28, 2020 12:15 PM

    What are you passing back to the server to tell it that it is authenticated and let the user in?  What are you putting in the Enforcement Profile?   What documents did you use to help create this?  Any updates?



  • 9.  RE: Using ClearPass Radius for authentication on Always on VPN

    Posted May 21, 2020 09:41 AM

    We're trying to do the same, pass the authentication to clearpass but not sure what we're missing.  We pass back an access accept but the always-on server denies the device.  Any ideas on what we're missing here in the enforcement profile?



  • 10.  RE: Using ClearPass Radius for authentication on Always on VPN

    Posted May 25, 2020 12:37 AM

    I think the question would be to figure out what the RAS Server from MS needs in order to allow the client. I would expect, that the RAS would need some special VSA to fully authenticate the user and that a simple accept is not enough.