Simple question but have not found a solid answer anywhere?
Does Clearpass support Radius Forwarding with Instant Access Point?
ClearPass Policy Manager 184.108.40.206263 on CP-VA-5K platform.
This function has been around since Windows Server 2003 NPS; however, I'm struggling to find this in the Clearpass Policy Manager.
The Clearpass Policy Manager is the Radius server.
RADIUS Access-Request messages are processed or forwarded by NPS only if the settings of the incoming message match at least one of the connection request policies configured on the NPS server.
If the policy settings match and the policy requires that the NPS server process the message, NPS acts as a RADIUS server, authenticating and authorizing the connection request.
If the policy settings match and the policy requires that the NPS server forwards the message, NPS acts as a RADIUS proxy and forwards the connection request to a remote RADIUS server for processing.
- explanation taken from http://msdn.microsoft.com/en-us/library/cc753603.aspx
Yes, you would just use the RADIUS proxy feature.
- Set up a proxy target:
Configuration > Network > Proxy Target
- Create a new RADIUS proxy service that matches the appropriate attributes, or if you just want things to fall through to this, set up the basic rules like NAS-Port-Type and Service-Type and then put the service at the bottom of your 1X services.
This is what I initially presumed; however, adding the Proxy Target, then adding a new RADIUS proxy service did not work.
If you don't mind, could you point out what we are missing?
I know the Proxy Target works correctly, as we have this option enabled using the Microsoft NPS previously.
Are you seeing anything hit the service in Access Tracker?
Just added a few service rules to match the Aruba-Essid-Name. I can see the following errors:
Error Code: 208
Error Category: Authentication failure
Error Message: No response from home server
Is the Radius Proxy service supposed to have the Authorization option enabled or disabled?
You only need it if you are making decisions in your enforcement policy with attributes from an authorization source. Since you have an allow all, you don't need it.
That error is saying that the NPS server did not respond. Can you check the NPS server event log for any errors?
Thanks for the fast replies so far.
I had the option to allow all for testing purposes, but have now tested this with one of our live policies without luck - same error.
At the other end, it is supposed to receive the forwarded accounting packets, but nothing is received.
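Added example, not part of the original thread or of ClearPass or NPS code: a Python model of two checks a RADIUS home server applies before answering a forwarded Access-Request. RFC 2865 has the server silently discard requests from a source it holds no shared secret for, and RFC 3579 does the same for an invalid Message-Authenticator, so from the proxy's side both look like no response. The IP addresses, secrets and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

MESSAGE_AUTHENTICATOR = 80  # RFC 3579 attribute type


def build_request(secret: bytes, user: str, ident: int = 1) -> bytes:
    """Access-Request as a proxy would forward it, signed with the proxy's secret."""
    name = user.encode()
    attrs = struct.pack("!BB", 1, len(name) + 2) + name  # User-Name
    attrs += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def home_server_verdict(packet: bytes, source_ip: str, clients: dict) -> str:
    """Model the home server's first checks; every 'discard' means no reply is sent."""
    secret = clients.get(source_ip)
    if secret is None:
        return "discard: source is not a configured RADIUS client"
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return "discard: malformed length"
    pos = 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return "discard: malformed attribute"
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            if hmac.compare_digest(expected, packet[pos + 2:pos + 18]):
                return "process"
            return "discard: Message-Authenticator does not match shared secret"
        pos += a_len
    return "process"  # no Message-Authenticator present to check


# Constructed sample values: the proxy address and secrets are made up.
PROXY_IP = "192.0.2.10"
request = build_request(b"proxy-secret", "alice")
print(home_server_verdict(request, PROXY_IP, {PROXY_IP: b"proxy-secret"}))
print(home_server_verdict(request, PROXY_IP, {PROXY_IP: b"other-secret"}))
print(home_server_verdict(request, "192.0.2.99", {PROXY_IP: b"proxy-secret"}))
```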