Security

last person joined: 8 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Double up RADIUS servers to ease a migration

Jump to Best Answer
  • 1.  Double up RADIUS servers to ease a migration

    Posted Oct 19, 2015 05:41 PM

    We've been using Blackshield for 2-factor RADIUS and are now moving to SafeNet.

    I can authenticate users to one or the other, so now I'm ready to migrate.

     

    To test, I built a service and put Blackshield in as a source and got it working, then I put SafNet in as a source and tested to make sure that worked too.

     

    What I was hoping to do next is put them both in and have ClearPass try one and roll to the other if a user fails while we migrate users - the goal being to slip the change in without having to schedule a cut.

     

    When I put both sources in the Authentication Sources box and click save, CPPM tells me that whichever one is first doesn't have an Authorization source set, so it must be listed last.

     

    Both have Authorization sources, so I'm confused.

     

    What am I missing?

     

    safenet-radius.pngsafenet-radius.pngblackshield-radius.png

     



  • 2.  RE: Double up RADIUS servers to ease a migration

    Posted Oct 21, 2015 07:53 PM

    I am not sure on your specific problem but why not use two auth sources in the service and do it that way?



  • 3.  RE: Double up RADIUS servers to ease a migration

    Posted Oct 21, 2015 08:00 PM

    I was clearly unclear ;)

     

    That's what I'm trying to do. When I add either source alone, the service works, when I try to add a other one, I can't save my changes as the first source doesn't meet CPPM's expectations.



  • 4.  RE: Double up RADIUS servers to ease a migration

    Posted Oct 29, 2015 04:41 PM

    So far TAC agrees that it should work and are also puzzled.

    They have been able to recreate the issue and so I'm sure a solution is forthcoming.



  • 5.  RE: Double up RADIUS servers to ease a migration

    Posted Dec 21, 2015 02:10 PM

    just for future knowledge, did you / TAC solve this?



  • 6.  RE: Double up RADIUS servers to ease a migration

    Posted Dec 21, 2015 02:14 PM

    Still have a TAC case open. I'm waiting on engineering to figure out why it isn't working as expected.



  • 7.  RE: Double up RADIUS servers to ease a migration
    Best Answer

    Posted Jan 18, 2016 01:59 PM

    TAC has reversed course. You can't get there from here.

     

    Apparently the RADIUS-proxy process only fails to the next server if the first fails to respond, and you can't put two sources in the normal RADIUS configuration.

     

    We're going to have to send all users the new tokens, and plan a cut date to drop the old and turn on the new rather than stand up two and let the users migrate. Ah well.



  • 8.  RE: Double up RADIUS servers to ease a migration

    Posted Feb 12, 2016 02:53 PM

    Turns out I was able to solve this by another method - ClearPass saves the day!!

     

    After pointing the VPN concentrator (Cisco ASA) at ClearPass and reading through the strings which the ASA sends to CPPM, I found that I could match the cryptotunnel name and username.

     

    It's more work than I want, but it lets me match each user as they install the new token and send them to the new Authentication (2-factor) provider. Once all users from a particular group have converted, I can deleted the individual services and replace them with a single service for the group. After all groups are done, I can delete all of the extra services and just point the catch-all VPN service at the end to the new provider.

     

    As usual there is always one more way to skin the cat.