Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass - Multiple Authentication sources

  • 1.  Clearpass - Multiple Authentication sources

    Posted Oct 28, 2019 02:26 AM

    Dear Experts,

    The following scenario is achieved through Cisco ACS 4.2, and the customer is concerned that it can't be done in ClearPass.

    1) 2 authentication sources are defined: Active Directory and Token Server (the token server itself is integrated with AD, so the backend server is actually just 1 Active Directory).

    2) People coming via remote VPN are authenticated against ClearPass.

    3) 1 service is configured with AD as authentication source 1, and the token server as authentication source 2.

    Assuming user1 with a token is trying to log in:

    4) User1 is found in AD, but since he is using a token, the authentication doesn't succeed. And obviously the search doesn't continue to the token server.

    The question is simple: is there any way to force ClearPass to query the second authentication source even if the username is found and rejected in the first authentication source? If not, how would scenarios like this be achieved through ClearPass? We have checked the possibility of 2 services, but it's not possible to identify one service request from another since both are coming from the same firewall.



  • 2.  RE: Clearpass - Multiple Authentication sources

    Posted Mar 06, 2020 07:21 PM

    @Ronin101 - Were you able to solve this? I have a very similar situation which would work great if I can set things up this way.



  • 3.  RE: Clearpass - Multiple Authentication sources

    Posted Mar 07, 2020 09:18 AM

    Dear,

    I was just able to solve it. Initially TAC confirmed it might not be possible; then I came up with the idea of writing a custom LDAP query that would exclude the undesired OU. This would let the authentication request check the next available authentication source.

    This solved the problem for the customer.



  • 4.  RE: Clearpass - Multiple Authentication sources

    Posted Mar 07, 2020 09:47 AM

    Below is the query:

    "(&(sAMAccountName=%{Authentication:Username})(objectClass=user)(!(memberOf=CN=Sales,DC=fishandreef,DC=com)))"

    Let me walk you through the customer requirement once again.

    1) The customer had 2 authentication sources:

        a) AD

        b) Token server

    2) All of the users in a particular group (in this example, consider it to be "Sales") would be using the token server (and the token server was in fact connected to the same AD).

    3) So the customer wanted that whenever a user connected, and its group belonged to Sales, he should be authenticated via the token server only.

    4) Now the simplest way would be to use the token server as the first authentication source. But here is the thing: the token server was also connected back to the same AD. So in the background there was essentially just one authentication source. Also, we couldn't play much with what we can do with the token server, because the customer was complaining that they had been doing it seamlessly with ACS 4.2 for years, so CPPM should do so as well.

    Let me know if it works for you. Using the query format, you can exclude multiple groups of users also.
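
The trick in the post above works because ClearPass only moves to the next authentication source when the current source returns no entry for the user; a found user whose password fails is a final reject. The script below is an added example (not ClearPass code and not from the poster) that models that fall-through offline so a filter can be checked before it goes into production. The directory entries, group nesting, passwords and token values are all constructed; the filter evaluator is a minimal RFC 4515 subset (and/or/not plus equality), and the `%{Authentication:Username}` substitution is RFC 4515-escaped here as an assumption about good practice, not as a statement of how ClearPass itself substitutes it. It also covers a caveat the thread does not mention: a plain `memberOf=` test only sees direct membership, so a user in a group nested under Sales is still found (and rejected) by source 1; Active Directory's `LDAP_MATCHING_RULE_IN_CHAIN` (`memberOf:1.2.840.113556.1.4.1941:=`) expands nested groups.

```python
"""Offline model of a ClearPass service with two authentication sources
(AD first, token server second) and the "not found -> try next source" rule.
Added example, not ClearPass code; all data below is constructed."""
import re

CHAIN_RULE = "1.2.840.113556.1.4.1941"  # AD matching rule: nested group membership

# Constructed directory (hypothetical). GROUP_PARENTS lists each group's own memberOf.
GROUP_PARENTS = {
    "CN=EMEA-Sales,DC=fishandreef,DC=com": ["CN=Sales,DC=fishandreef,DC=com"],
}
USERS = [
    {"sAMAccountName": "alice", "objectClass": ["user"],
     "memberOf": ["CN=Sales,DC=fishandreef,DC=com"], "password": "alice-pw"},
    {"sAMAccountName": "bob", "objectClass": ["user"],
     "memberOf": ["CN=Engineering,DC=fishandreef,DC=com"], "password": "bob-pw"},
    {"sAMAccountName": "carol", "objectClass": ["user"],
     "memberOf": ["CN=EMEA-Sales,DC=fishandreef,DC=com"], "password": "carol-pw"},
]
TOKENS = {"alice": "123456", "carol": "654321"}  # what the token server would accept

# Three candidate filters for the AD source.
DEFAULT_FILTER = "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
EXCLUDE_SALES = ("(&(sAMAccountName=%{Authentication:Username})(objectClass=user)"
                 "(!(memberOf=CN=Sales,DC=fishandreef,DC=com)))")
EXCLUDE_SALES_NESTED = ("(&(sAMAccountName=%{Authentication:Username})(objectClass=user)"
                        f"(!(memberOf:{CHAIN_RULE}:=CN=Sales,DC=fishandreef,DC=com)))")


def escape(value):
    """RFC 4515 escaping for a value substituted into a filter (blocks filter injection)."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse(s, i=0):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    j = s.index(")", i)                      # escaped values contain no raw ')'
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, unescape(value)), j + 1


def nested_groups(direct):
    """All groups reachable from the direct memberOf list (case-insensitive DNs)."""
    seen, stack = set(), list(direct)
    while stack:
        g = stack.pop()
        if g.lower() not in seen:
            seen.add(g.lower())
            stack.extend(GROUP_PARENTS.get(g, []))
    return seen


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    base, _, rule = attr.partition(":")      # "memberOf:<oid>:" -> base, rule
    vals = entry.get(base, [])
    vals = [vals] if isinstance(vals, str) else vals
    if base.lower() == "memberof" and rule.rstrip(":") == CHAIN_RULE:
        vals = nested_groups(vals)
    return value.lower() in {v.lower() for v in vals}


def ad_lookup(filter_template, username):
    """Entries the AD source would return for this user with this filter."""
    node, _ = parse(filter_template.replace("%{Authentication:Username}", escape(username)))
    return [u for u in USERS if matches(node, u)]


def authenticate(ad_filter, username, credential):
    """Service flow: source 1 (AD) is final if it has the user; otherwise source 2 (token).
    Returns (source that decided, accepted)."""
    found = ad_lookup(ad_filter, username)
    if found:
        return ("AD", credential == found[0]["password"])
    if username in TOKENS:
        return ("Token", credential == TOKENS[username])
    return ("none", False)


if __name__ == "__main__":
    for name, flt in [("default", DEFAULT_FILTER), ("exclude Sales", EXCLUDE_SALES),
                      ("exclude Sales (nested)", EXCLUDE_SALES_NESTED)]:
        print(name, "alice+token:", authenticate(flt, "alice", "123456"),
              "carol+token:", authenticate(flt, "carol", "654321"))
```

With the default filter alice (a Sales member presenting a token) is found by AD and rejected there, which is exactly the behaviour described in post 1; with the exclusion filter AD returns nothing for her and the token source decides. carol, whose group is nested under Sales, is still caught by the plain `memberOf=` exclusion and only falls through with the chain-rule variant, so if the customer's Sales population lives in sub-groups the filter in the post needs that form.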



  • 5.  RE: Clearpass - Multiple Authentication sources

    Posted Mar 10, 2020 06:19 AM

    Can't this scenario be achieved by segregating requests based on NAS ?

     

    You would have one service processing requests coming from your VPN gateway, which will not check against AD. And a second service which will not check for tokens, only AD accounts.



  • 6.  RE: Clearpass - Multiple Authentication sources

    Posted Mar 10, 2020 06:51 AM
    It was considered. I don't recall the exact bits of the customer issue, but what you are suggesting was the exact hurdle: they couldn't distinguish one request from another.


  • 7.  RE: Clearpass - Multiple Authentication sources

    MVP
    Posted Mar 07, 2020 08:17 AM

    There is a similar post, and I guess you can adapt this solution through ClearPass for your concern.

     

    Refer to: 
    https://community.arubanetworks.com/t5/Security/Clearpass-two-factor-with-Google-Authenticator/td-p/315361

     

    Maybe this can help.