Security

I have only spent a day going through, but I can't seem to find away to use an external RADIUS server (MS NPS) to authenticate ClearPass Administrators to use the software.

 

I went through and found the local TACACS [Policy Manager Admin Network Login Service], an noticed that I could no change or use with another RADIUS or RADIUS Proxy server with the [Admin Network Login Policy] Enforcement Policy.

 

My question to the masses: is it possible to point ClearPass Administrators to authenticate with a external/third-party RADIUS client (i.e MS NPS) instead of using the local TACACS and user DB?

 

Any insight would be greatly appreciated

I am not aware of any way to do this.  However, it is easy enough to setup your own CPPM login service and authenticate against AD if that's essentially what you were going for.

 

Here's what I did:

1. Copied default CPPM login service.
2. Placed the new login service above the default.
3. Set my AD servers as the authentication source.
4. Created a role mappings that mapped AD groups to predefined TACACS roles.
5. And I left the Enforcement policy and profiles as they were.

 

 

Ouch.. It seems external radius authentication didn't make it to 6.0.x release of cp. Its definitely there in cpguest 3.9.x..

Both Radius as external authentication server for guests and for operators seems to be gone.

I'm hoping this will come back in the next big release 6.1 due for march I think..

John,

 

I believe for guest/mobility-users to authenticate to the WLAN(s) you can still use external RADIUS by setting up a proxy RADIUS server in CP 6.0.2.46902.

 

Unfortunately what I would like (required) to do is use an external RADIUS server to authenticate the CP Administrators using a third part 2FA solution.  These requirements also restrict me from using AD because the CP software does not recognize hard certs (Common Access Card) to log into the CP webinterface. 

 

Thank you both for your posts, hopefully in later patches/code upgrades this matter can be added to the already great features of CP.

 

 

Hi, I've been searching for the same solution; having CP adminstrators and provisioners authenticated by Microsoft NPS.

When a CP adminstrator or provisioner accesses CP it needs to authenticate using it's domain credentials. Once the client starts, the authentcation request hits CP, which should forward the request to NPS which then does the authentication in Active Directory and assigning back the proper privilge level to the client.

I'm aware of the LDAP option in CP which can directly authetnicate in AD, but I need to have NPS do the LDAP query so basically need CP just to do a passthrough.

 

Currenlty I'm using CP 6.5.5 but I don't see the external authentication server option availalbe.

As this thread was created on 2013, I can iagine the option might be available by now.

Management authentication for ClearPass uses TACACS+, not RADIUS.

So with tacacs, beside doing direct LDAP queries to Active Directory can I forward the authentication requests to NPS as well? If so, do you have a link to the documentation how to configure this.

If it is not possible, which I assume after reading the documentation, will Aruba build in support to passthrough authentication requests to NPS in the near future?

NPS is a RADIUS server, not a TACACS server.

May I ask what the use case is here? ClearPass is designed to replace NPS. 

Sent from Nine

Hi, sorry for my late reply.

The customer does not want to have NPS replaced by ClearPass due to company policy. Therefor I've been looking to forward request from CP to NPS, which does the LDAP query in AD.

Currenlty I'm trying to see if it is ok to have CP do the LDAP directly in AD, and bypass NPS although it is not conform company policy.

Im having the the same issue. What we want is  the Administrators of the CPPM box to be authenticated against our external RADIUS which has 2FA.

 

Is is possible for Network Administrator Login autheication to use external Radius or are we just stuck with TACACS+ for admin login?

 

In my case, all privileged users(admins) accounts are stored on this RADIUS server, separate from the normal users databases.

 

So the question is, can ClearPass support this functionality /Use case?  we are using HW-CP5K running on 6.5.3.75367

Hi, the guest provisioners in my company are still authenticating using a local account in CP. I really would like to move forward and enhance the security by having them using their companies AD account, based on PEAP-MSCHAPv2.

I recently upgraded to the latest 6.6 version and read through the deployment and user guide docs, but I did not see the so called external auth. option which seemed to be there in older code.

My questions are:

 

- Will this option return in a near future code? Is it on the road map?

- If not, CP can do LDAP direclty into AD using TCACS only. Documentation states that CP system has to be domain joined, correct?

- How to have the auth request send to CP, passthrough towards NPS to authenticate the AD user? Maybe this sound weird but cusomter does have reasons not to have CP authenticate directly to AD.

Any documentation which describes this setup or real life experience?

 

btw, I'm aware CP is TACACS+ and NPS is RADIUS. Just trying to get it working based on companies policy and request.

For guest operator auth using AD, you simply have to create a guest operator login service in ClearPass with an AD auth source. You'll want to use PAP which doesn't require domain join.

Have you reached out to your ClearPaas partner?

Hi Tim,

 

Thanks for your response and confirmation that it can be done without joining CP to the domain.

Using PAP shouldn't be an issue as the company is using private and secured lines.

 

Will look to setup this solution.

Cheers!