We've been using Blackshield for 2-factor RADIUS and are now moving to SafeNet.
I can authenticate users to one or the other, so now I'm ready to migrate.
To test, I built a service and put Blackshield in as a source and got it working, then I put SafeNet in as a source and tested to make sure that worked too.
What I was hoping to do next is put them both in and have ClearPass try one and roll to the other if a user fails while we migrate users - the goal being to slip the change in without having to schedule a cut.
When I put both sources in the Authentication Sources box and click save, CPPM tells me that whichever one is first doesn't have an Authorization source set, so it must be listed last.
Both have Authorization sources, so I'm confused.
What am I missing?
I am not sure about your specific problem, but why not use two auth sources in the service and do it that way?
I was clearly unclear ;)
That's what I'm trying to do. When I add either source alone, the service works; when I try to add the other one, I can't save my changes, as the first source doesn't meet CPPM's expectations.
So far TAC agrees that it should work and are also puzzled.
They have been able to recreate the issue and so I'm sure a solution is forthcoming.
Just for future knowledge, did you / TAC solve this?
Still have a TAC case open. I'm waiting on engineering to figure out why it isn't working as expected.
TAC has reversed course. You can't get there from here.
Apparently the RADIUS-proxy process only fails to the next server if the first fails to respond, and you can't put two sources in the normal RADIUS configuration.
We're going to have to send all users the new tokens, and plan a cut date to drop the old and turn on the new rather than stand up two and let the users migrate. Ah well.
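The behaviour TAC described above, as an added example that is not part of the thread and not ClearPass, Blackshield or SafeNet code: a RFC 2865 Access-Request is built with the User-Password hidden under the shared secret, sent to a list of RADIUS servers in order, and the proxy moves to the next server only when the current one gives no (authentic) answer. An Access-Reject is a complete, authenticated answer, so it ends the exchange rather than falling through. The "servers" are constructed in-process stand-ins that always accept, always reject, or never reply; the names, secrets and the `proxy_authenticate` helper are assumptions for illustration.

```python
"""RADIUS proxy failover versus authentication failure (added example).

A proxy fails to the next server only on no answer; an Access-Reject is a
valid answer and is returned as-is.  Packet layout follows RFC 2865.  The
servers below are constructed stand-ins, not real ClearPass/Blackshield/SafeNet.
"""
import hashlib
import os
import struct
from typing import Callable, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block'
    is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (packet, request_authenticator).  Code(1) ID(1) Length(2) Auth(16) AVPs."""
    auth = authenticator or os.urandom(16)
    attrs = b""
    for t, v in ((ATTR_USER_NAME, username.encode()),
                 (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, auth))):
        attrs += struct.pack("!BB", t, len(v) + 2) + v
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs, auth


def response_is_authentic(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    if len(resp) < 20:
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return expected == resp[4:20]


def make_server(secret: bytes, accept: bool) -> Callable[[bytes], bytes]:
    """Constructed stand-in RADIUS server: answers every request with
    Access-Accept or Access-Reject, correctly signed with its shared secret."""
    code = ACCESS_ACCEPT if accept else ACCESS_REJECT

    def respond(request: bytes) -> bytes:
        header = struct.pack("!BBH", code, request[1], 20)  # no attributes
        return header + hashlib.md5(header + request[4:20] + secret).digest()
    return respond


def dead_server(request: bytes) -> bytes:
    """Constructed stand-in for a server that never answers."""
    raise TimeoutError("no response")


def proxy_authenticate(servers, username: str, password: str):
    """servers: list of (name, shared_secret, send_fn).  Returns (server, code).
    Timeout or an inauthentic reply -> try the next server.
    Access-Reject is a real answer -> returned, no failover."""
    for name, secret, send in servers:
        pkt, req_auth = build_access_request(1, username, password, secret)
        try:
            resp = send(pkt)
        except TimeoutError:
            continue                      # unreachable: fail to the next server
        if not response_is_authentic(resp, req_auth, secret):
            continue                      # bad secret/forged reply: treat as no answer
        return name, resp[0]
    return None, None


if __name__ == "__main__":
    old = ("old-2fa", b"old-secret", make_server(b"old-secret", accept=False))
    new = ("new-2fa", b"new-secret", make_server(b"new-secret", accept=True))
    print(proxy_authenticate([old, new], "alice", "123456"))          # ('old-2fa', 3)
    print(proxy_authenticate([("old-2fa", b"x", dead_server), new], "alice", "123456"))
```

The second call in the demo falls through to the new provider only because the first server is silent; in the first call the reject from the old provider is returned and the new provider is never consulted, which is exactly why a reject-based migration cannot work through the RADIUS proxy path.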
Turns out I was able to solve this by another method - ClearPass saves the day!!
After pointing the VPN concentrator (Cisco ASA) at ClearPass and reading through the strings which the ASA sends to CPPM, I found that I could match the cryptotunnel name and username.
It's more work than I want, but it lets me match each user as they install the new token and send them to the new Authentication (2-factor) provider. Once all users from a particular group have converted, I can delete the individual services and replace them with a single service for the group. After all groups are done, I can delete all of the extra services and just point the catch-all VPN service at the end to the new provider.
As usual there is always one more way to skin the cat.
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.