If it is for eduroam, you could have a look at 'geteduroam'. That provides integrations with existing single-sign on solutions and has options to get client certificates deployed as well. From that perspective it looks similar to Onboard, but specific for eduroam.
I don't know why Radius proxy allows authorization, but it be because it's just part of the standard settings. I just got from the past that RADIUS proxy works different from standard RADIUS services, and you can strip/add attributes but still somewhat limited. For the chosen approach it doesn't surprise me that you run into issues. You may try with TAC to get a definitive answer, as I don't know everything.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Dec 06, 2023 09:48 AM
From: rjvannugteren
Subject: ClearPass - Active Directory authorization only (no authentication)
Hi Herman,
Why is ClearPass giving you the option to configure authorization and enforcement when selecting RADIUS proxy than? That's a little bit confusing:
We're using the PEAP-MSCHAP-v2 authentication for our eduroam users.
I know that Microsoft is forcing you to change the authentication to PEAP-TLS or EAP-TLS. But this requires some additional tools to enroll certificates to BYOD-devices...like ClearPass Onboard.
For 50000 devices connected each day this is a very expensive solution.
Original Message:
Sent: Dec 06, 2023 06:38 AM
From: Herman Robers
Subject: ClearPass - Active Directory authorization only (no authentication)
RADIUS Proxy is designed to proxy the full RADIUS request, to my understanding. So I don't think what you try to do is possible.
I've never heard about MS-CHAPv2 giving issues in large domains, and I would not understand either why that would be except if your domain controllers are heavily overloaded. With password servers you configure which are the preferred servers for the MSCHAPv2 authentication.
Having said that, you probably are aware of the point that it's strongly deprecated to still use MSCHAPv2 due to broken cryptography, especially against important accounts like AD. Expect more problems coming in the future with new Windows (and other OS) updates.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Dec 01, 2023 10:34 AM
From: rjvannugteren
Subject: ClearPass - Active Directory authorization only (no authentication)
Hi Robert,
It's true, we use the RADIUS proxy functionality because of MS-CHAPv2 timeouts when the authentication is handled by ClearPass. Due to the size of the domain, it takes too long before ClearPass receives a response from the domain controller.
Unfortunately, we and our partner never found a solution for this. This is why we send the authentication to Microsoft NPS.
Is there an other way, for example LDAP, to do role mapping. Or this is not possible at all when you use RADIUS Proxy?
Original Message:
Sent: Dec 01, 2023 05:14 AM
From: Herman Robers
Subject: ClearPass - Active Directory authorization only (no authentication)
Looks like you are using RADIUS proxy in your service, which limits what you can further do with authorization as the actual authentication does not happen on your ClearPass, and you have RADIUS attributes filled already from your proxy.
The error tells you that it expects an attribute Radius:IETF:Ldap-UserDn, which is expected to come from the AP/switch (NAD), it will not work if that attribute comes as the RADIUS response from the proxy server, to my knowledge.
It may be good to discuss the somewhat wider context with your Aruba partner or local Aruba SE to better understand what you try to achieve (in authentication methods, authorization sources, used attributes & mapping). It's just hard to provide you with a proper answer based on the available information.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Nov 18, 2023 10:11 AM
From: rjvannugteren
Subject: ClearPass - Active Directory authorization only (no authentication)
Hi,
Is it possible to use the Active Directory only as authorization source instead of the normal setup: authentication and authorization?
I am receiving this error when a user tries to authenticate:
2023-11-18 15:22:01,000 | [AuthReqThreadPool-58-0x7fa5c07e3700 r=R0227532c-02-6558c888 h=163] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:Ldap-UserDn}, error=No values for param=Radius:IETF:Ldap-UserDn |
2023-11-18 15:22:01,000 | [AuthReqThreadPool-58-0x7fa5c07e3700 r=R0227532c-02-6558c888 h=163] WARN Ldap.LdapQuery - Failed to get value for attributes=Nested Groups] |
The authentication source is configured like this:
The service is configured like this: