Q: What are the different Radius Proxy solutions within Clearpass and what is the difference between Radius Proxy Service and a Radius Service using a Token Server or Radius Authentication Source?
A: A) Radius Proxy service:
Radius request from NAS is proxied by Cearpass to target radius server(s) including all VSAs. Not possible to add, remove or alter VSA sent to the target server. Multiple proxy targets can be defined. Clearpass distributes the radius requests over the target(s) using round-robin.
Radius Reply from target radius server is proxied by Clearpass to NAS including all VSAs. it is possible to remove (filter) VSAs received from target radius server.
Using the enforcement profile, Radius VSAs can be added to the radius reply sent to the NAS.
B) Radius Service with Radius based Auth Source:
Can be used in any service of type 'Radius' and can therefore be combined with other authentication sources like AD, LDAP, SQL etc.
Radius request from NAS is proxied by Cearpass to radius auth-source including all VSAs. Not possible to remove or alter VSAs to the radius auth-source. However, it is possible to add/insert VSAs into the request sent by Clearpass to the radius auth-source (Pre-Proxy).
Radius Reply including the VSAs from radius auth-source is proxied by Clearpass to NAS.
Using the radius enforcement profile, the values of these Radius VSAs can be overwritten and other VSAs can be added into the radius reply sent to the NAS.
Selectively adding VSA to the Authentication Source (Post-Proxy), makes the VSAs available as Authorization attributes, which can then be used to build the policy.
C) Token Server as Authentication Source
Used for EAP-GTC authentication against any token server than can authenticate users by acting as a RADIUS server (for example, RSA SecurID Token Server) .
Radius request from NAS is proxied by Cearpass to Token (radius) server including all VSAs. It is not possible to add, remove or alter VSA sent to the token server.
Radius Reply including the VSAs from Token Server is proxied by Clearpass to NAS.
Using the radius enforcement profile, the values of these Radius VSAs can be overwritten and other VSAs can be added into the radius reply sent to the NAS.
Selectively adding VSA to the Token Server Source, makes the VSA Available as Authorization attribute, which can then be used to build the policy.
The "special" thing about our Token Server Authentication Source is that it terminates the EAP transaction and sends PAP to the Token server. In other words, the Token Server solution is really designed for two factor authentication for dot1x (EAP-GTC) against a Token Server like RSA Secure ID).