AAA, NAC, Guest Access & BYOD


Solutions for legacy and existing products and solutions, including Clearpass, CPPM, OnBoard, OnGuard, Guest, QuickConnect, AirGroup, and Introspect

Can a Kerberos authentication source be used for Application authentication or Web authentication?

Mar 27, 2017 05:55 AM

Q:

Can we use 'Kerberos authentication source' to authenticate users for an Application authentication or Web authentication request? Like 'Guest operator login' or 'Onguard user authentication'?



A:

We cannot use Kerberos as the 'Authentication source - Type' to authenticate users for an Application authentication or Web authentication request. This is not supported in ClearPass 6.4.x, 6.5.x and 6.6.x versions. When a Kerberos authentication source is mapped to a custom 'Guest Operator Login' service, the request is rejected with the error message below.

If we place the Policy service module in DEBUG, below are the Dashboard log outputs: 

Request Log: 

2016-09-21 08:25:09,006    [RequestHandler-1-0x7f160a9f4700 r=psauto-1473841713-25 h=79 r=W00000003-02-57e1f68c] INFO Core.ServiceReqHandler - Service classification result = Custom_Guest Operator Logins]
2016-09-21 08:25:09,009    [ajp-apr-8009-exec-4] R:W00000003-02-57e1f68c] ERROR com.avenda.tips.webauthservice.AuthenHandler - Failed to get serverMgr for authSourceId=3001
2016-09-21 08:25:09,009    [ajp-apr-8009-exec-4] R:W00000003-02-57e1f68c] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform webauth, reason=InternalErrorInAuthentication

2016-09-21 08:25:09,017    [RequestHandler-1-0x7f160a9f4700 r=psauto-1473841713-26 h=83 r=W00000003-02-57e1f68c] DEBUG IAT.RadiusIOAttrHolder - getValue: Internal attr for attrName=Connection:Client-Mac-Address Value=<NULL>

If the user is not found in the authorization source, the same error message can still be displayed, along with the log messages below.

2016-09-02 07:39:59,791 [RequestHandler-1-0x7f9366bd5700 r=psauto-1472781404-31 h=223 r=W00000002-01-57c8df77] INFO Core.ServiceReqHandler - Service classification result = Custom_Guest Operator Logins]
2016-09-02 07:39:59,796 [ajp-apr-8009-exec-3] R:W00000002-01-57c8df77] ERROR com.avenda.tips.webauthservice.AuthenHandler - Failed to get serverMgr for authSourceId=3001
2016-09-02 07:39:59,824 [ajp-apr-8009-exec-3] R:W00000002-01-57c8df77] ERROR com.avenda.tips.dataaccess.db.DbAuthenSession - User 'arun' not present in Admin User Repository](localhost)
2016-09-02 07:39:59,824 [ajp-apr-8009-exec-3] R:W00000002-01-57c8df77] WARN com.avenda.tips.webauthservice.AuthenHandler - Authentication failed @ Admin User Repository]
2016-09-02 07:39:59,824 [ajp-apr-8009-exec-3] R:W00000002-01-57c8df77] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform webauth, reason=UserNotFound

Workaround:

It is recommended to use 'Generic LDAP' as the 'Authentication source - Type' instead of 'Kerberos'.
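Added example (not part of the original article and not Aruba's code): it groups Policy service log lines by web-auth request ID and flags every request that logged 'Failed to get serverMgr', since the two excerpts above end with different final reasons for the same failure. The function names and the request-ID pattern are assumptions inferred from the log lines shown on this page.

```python
import re
from collections import defaultdict

# Lines copied from the two log excerpts on this page (Policy service at DEBUG).
SAMPLE_LOG = """\
2016-09-21 08:25:09,006    [RequestHandler-1-0x7f160a9f4700 r=psauto-1473841713-25 h=79 r=W00000003-02-57e1f68c] INFO Core.ServiceReqHandler - Service classification result = Custom_Guest Operator Logins]
2016-09-21 08:25:09,009    [ajp-apr-8009-exec-4] R:W00000003-02-57e1f68c] ERROR com.avenda.tips.webauthservice.AuthenHandler - Failed to get serverMgr for authSourceId=3001
2016-09-21 08:25:09,009    [ajp-apr-8009-exec-4] R:W00000003-02-57e1f68c] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform webauth, reason=InternalErrorInAuthentication
2016-09-02 07:39:59,791 [RequestHandler-1-0x7f9366bd5700 r=psauto-1472781404-31 h=223 r=W00000002-01-57c8df77] INFO Core.ServiceReqHandler - Service classification result = Custom_Guest Operator Logins]
2016-09-02 07:39:59,796 [ajp-apr-8009-exec-3] R:W00000002-01-57c8df77] ERROR com.avenda.tips.webauthservice.AuthenHandler - Failed to get serverMgr for authSourceId=3001
2016-09-02 07:39:59,824 [ajp-apr-8009-exec-3] R:W00000002-01-57c8df77] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform webauth, reason=UserNotFound
"""

# Assumed request-ID shape: "r=W...]" on RequestHandler lines, "R:W...]" on ajp lines.
REQ_ID = re.compile(r"[rR][=:](W\d+-\d+-[0-9a-fA-F]+)\]")
FIELDS = {
    "service": re.compile(r"Service classification result = ([^\]]+)"),
    "auth_source_id": re.compile(r"Failed to get serverMgr for authSourceId=(\d+)"),
    "reason": re.compile(r"Failed to perform webauth, reason=(\w+)"),
}


def correlate(log_text):
    """Collect service name, failing auth source ID and final reason per request ID."""
    requests = defaultdict(dict)
    for line in log_text.splitlines():
        req = REQ_ID.search(line)
        if not req:
            continue  # line carries no web-auth request ID
        for name, pattern in FIELDS.items():
            hit = pattern.search(line)
            if hit:
                requests[req.group(1)][name] = hit.group(1).strip()
    return dict(requests)


def unloadable_sources(log_text):
    """Return only the requests where the handler could not load an auth source."""
    return {rid: f for rid, f in correlate(log_text).items() if "auth_source_id" in f}


if __name__ == "__main__":
    for rid, f in unloadable_sources(SAMPLE_LOG).items():
        print(f"{rid}: service={f.get('service')!r} "
              f"authSourceId={f['auth_source_id']} final reason={f.get('reason')}")
```

Matching on the serverMgr line rather than the final reason catches both cases, because the second request ends in UserNotFound after falling through to the Admin User Repository.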
