Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

3.9 Multiple External Server Check

  • 1.  3.9 Multiple External Server Check

    Posted Jul 16, 2013 02:32 AM

    Hi Everybody,

     

    Note this is for Clearpass 3.9 and not 6 (can't upgrade this one).

     

    Does anybody know if it's possible to activate a "fallthrough" type function for guest users authenticating, against more than 1 external server?

     

    In this case, there are 2 AD domains (with RADIUS NPS in each), and username/passwords supplied to Clearpass by users are not inclusive of the domain prefix (because users can't cope with this).

     

    Basic operation of Clearpass would be to check the server ranked highest. When that reports a "fail" for users, Clearpass by default doesn't move on to the other server.

     

    I found some reference in the manual to operator login fallthrough on multiple LDAP servers, but this obviously isn't the same thing.

     

    Is there an option somewhere to enable checking of multiple EAS that I'm missing?

     



  • 2.  RE: 3.9 Multiple External Server Check

    Posted Jul 16, 2013 10:58 PM

    I assume you are talking about external RADIUS servers?

     

    ClearPass Guest 3.9 only supports a single proxy RADIUS server.  Multiple RADIUS isn't supported for fail-through, because there isn't a way to differentiate between "password incorrect" and "user not found" – both results are Access-Reject.  In the first case, auth should fail immediately, in the second case the auth should continue against a different server.

     

    This is possible with LDAP, because it's possible to distinguish between "password incorrect" and "user not found".
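The distinction drawn in this reply decides whether fall-through can be done safely: a RADIUS proxy answers every failure with the same Access-Reject, while an LDAP bind lets the policy engine separate "no such user" from "wrong password". The following is an added illustration, not ClearPass code and not from the poster: it models both kinds of source with constructed in-memory user tables (the domain names, usernames and passwords are made up) and shows why the fall-through loop can only continue on a not-found result.

```python
"""Fall-through decision logic across ranked authentication sources.

Added example. It models the point made in the thread: a RADIUS proxy
returns only Access-Accept or Access-Reject, so "wrong password" and
"unknown user" are indistinguishable; an LDAP lookup can tell them apart
(search finds no entry vs. bind fails on credentials), which is the only
case where moving on to the next source is safe.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Outcome(Enum):
    ACCEPT = auto()        # credentials valid on this source
    BAD_PASSWORD = auto()  # account exists here, password wrong: stop
    NOT_FOUND = auto()     # account unknown here: try the next source
    REJECT = auto()        # RADIUS-style opaque reject: reason unknown


@dataclass
class LdapSource:
    """Constructed stand-in for an LDAP directory (username -> password)."""
    name: str
    users: dict

    def check(self, username, password):
        # An LDAP search with no result is distinct from a failed bind.
        if username not in self.users:
            return Outcome.NOT_FOUND
        if self.users[username] == password:
            return Outcome.ACCEPT
        return Outcome.BAD_PASSWORD


@dataclass
class RadiusSource:
    """Constructed stand-in for a RADIUS (NPS) proxy target. Both failure
    causes collapse into one Access-Reject, exactly as on the wire."""
    name: str
    users: dict

    def check(self, username, password):
        if self.users.get(username) == password:
            return Outcome.ACCEPT
        return Outcome.REJECT


def authenticate(username, password, sources):
    """Try sources in rank order, continuing only on NOT_FOUND.

    Returns (outcome, source_name_or_None, trace); trace lists every
    (source, outcome) pair consulted so a policy engine can log it.
    """
    trace = []
    for src in sources:
        outcome = src.check(username, password)
        trace.append((src.name, outcome))
        if outcome is Outcome.ACCEPT:
            return Outcome.ACCEPT, src.name, trace
        if outcome is Outcome.NOT_FOUND:
            continue
        # BAD_PASSWORD: the account lives here, so do not retry elsewhere.
        # REJECT: we cannot tell which case applies, so we must not continue.
        return outcome, src.name, trace
    return Outcome.NOT_FOUND, None, trace


# Constructed sample data: two domains, each holding different users.
DOMAIN_A = {"alice": "alice-pw"}
DOMAIN_B = {"bob": "bob-pw"}
LDAP_SOURCES = [LdapSource("ldap-domain-a", DOMAIN_A),
                LdapSource("ldap-domain-b", DOMAIN_B)]
RADIUS_SOURCES = [RadiusSource("nps-domain-a", DOMAIN_A),
                  RadiusSource("nps-domain-b", DOMAIN_B)]


if __name__ == "__main__":
    for label, srcs in (("LDAP", LDAP_SOURCES), ("RADIUS", RADIUS_SOURCES)):
        for user, pw in (("bob", "bob-pw"), ("alice", "wrong")):
            outcome, where, trace = authenticate(user, pw, srcs)
            print(f"{label:6} {user}/{pw}: {outcome.name} via {where}; "
                  f"consulted {[name for name, _ in trace]}")
```

Running it shows that `bob`, who only exists in the second domain, authenticates through the LDAP chain (first source reports not-found, second accepts) but is rejected by the RADIUS chain at the first proxy, which is the behaviour the original question describes. It also shows why stopping on a wrong password matters: a bad password for `alice` is never replayed against the second domain.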



  • 3.  RE: 3.9 Multiple External Server Check

    Posted Jul 17, 2013 03:28 AM

    Yes, that's the scenario.

     

    So just to confirm, you're saying this is feasible with LDAP? If so I'll test it out.

     

    The reason I wasn't sure about LDAP is that the information in the guides was referencing using LDAP for operator logins, and not client authentication requests. Hence my original points.

     

    I'll go test with multiple LDAPs.

     

    Thanks.