Is it possible to use the Active Directory only as authorization source instead of the normal setup: authentication and authorization? I am receiving this error when a user tries to authenticate:
The authentication source is configured like this:
Looks like you are using RADIUS proxy in your service, which limits what you can further do with authorization as the actual authentication does not happen on your ClearPass, and you have RADIUS attributes filled already from your proxy.
The error tells you that it expects an attribute Radius:IETF:Ldap-UserDn, which is expected to come from the AP/switch (NAD); it will not work if that attribute comes in the RADIUS response from the proxy server, to my knowledge.
It may be good to discuss the somewhat wider context with your Aruba partner or local Aruba SE to better understand what you try to achieve (in authentication methods, authorization sources, used attributes & mapping). It's just hard to provide you with a proper answer based on the available information.
It's true, we use the RADIUS proxy functionality because of MS-CHAPv2 timeouts when the authentication is handled by ClearPass. Due to the size of the domain, it takes too long before ClearPass receives a response from the domain controller. Unfortunately, we and our partner never found a solution for this. This is why we send the authentication to Microsoft NPS.
Is there another way, for example LDAP, to do role mapping? Or is this not possible at all when you use RADIUS Proxy?
RADIUS Proxy is designed to proxy the full RADIUS request, to my understanding. So I don't think what you try to do is possible.
I've never heard about MS-CHAPv2 giving issues in large domains, and I would not understand either why that would be except if your domain controllers are heavily overloaded. With password servers you configure which are the preferred servers for the MSCHAPv2 authentication.
Having said that, you probably are aware of the point that it's strongly deprecated to still use MSCHAPv2 due to broken cryptography, especially against important accounts like AD. Expect more problems coming in the future with new Windows (and other OS) updates.
Why is ClearPass giving you the option to configure authorization and enforcement when selecting RADIUS proxy then? That's a little bit confusing:
We're using the PEAP-MSCHAP-v2 authentication for our eduroam users. I know that Microsoft is forcing you to change the authentication to PEAP-TLS or EAP-TLS. But this requires some additional tools to enroll certificates to BYOD devices... like ClearPass Onboard. For 50000 devices connected each day this is a very expensive solution.
If it is for eduroam, you could have a look at 'geteduroam'. That provides integrations with existing single-sign on solutions and has options to get client certificates deployed as well. From that perspective it looks similar to Onboard, but specific for eduroam.
I don't know why RADIUS proxy allows authorization, but it may be because it's just part of the standard settings. I just got from the past that RADIUS proxy works differently from standard RADIUS services, and you can strip/add attributes but are still somewhat limited. For the chosen approach it doesn't surprise me that you run into issues. You may try with TAC to get a definitive answer, as I don't know everything.