Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass - Using EAP-PEAP for selected AD users

  • 1.  Clearpass - Using EAP-PEAP for selected AD users

    Posted Nov 11, 2015 08:58 AM

    Hello,

    Our network uses mainly EAP-TLS for network auth and that is working fine. I'm trying to set up access for selected users via EAP-PEAP and I cannot seem to be able to have the request hit the right rule.

    We use Clearpass and I have set up two 802.1X rules, one for users trying to authenticate with EAP-PEAP on top of the main one for EAP-TLS auth.

    (attachment: 2015-11-11 08_36_23-ClearPass Policy Manager - Aruba Networks.png)

    My problem is, even with the Authentication OuterMethod set to EAP-PEAP, users never seem to hit that rule.

    (attachment: 2015-11-11 08_47_10-Photos.png)

    This particular user should have hit the PEAP rule but did not.

    Any ideas on how I could make sure that EAP-PEAP users will hit the first rule?

    Thanks



  • 2.  RE: Clearpass - Using EAP-PEAP for selected AD users

    EMPLOYEE
    Posted Nov 11, 2015 09:08 AM
    Add mschap as an authentication method.


  • 3.  RE: Clearpass - Using EAP-PEAP for selected AD users

    Posted Nov 11, 2015 09:56 AM

    Hi cjoseph,

    I've tried MSCHAP and EAP-MSCHAPv2 as both inner and outer methods with no luck.

    Thanks



  • 4.  RE: Clearpass - Using EAP-PEAP for selected AD users

    Posted Nov 11, 2015 10:03 AM

    I should add that I did put MSCHAP as an Authentication method:

    (attachment: 2015-11-11 10_03_29-Photos.png)

    Thanks



  • 5.  RE: Clearpass - Using EAP-PEAP for selected AD users

    Posted Nov 11, 2015 11:40 AM

    Would it be possible to add a Service condition that matches if a user is in an AD Group?

    On a Microsoft NPS server this was possible; I'm trying to replicate this on Clearpass.



  • 6.  RE: Clearpass - Using EAP-PEAP for selected AD users

    EMPLOYEE
    Posted Nov 11, 2015 03:44 PM

    Don't know if you got it fixed, but this is how mine is working:

    (attachment: peap.png)



  • 7.  RE: Clearpass - Using EAP-PEAP for selected AD users

    Posted Nov 11, 2015 03:49 PM

    No, I haven't got it working correctly, but I will try adding both MSCHAP and EAP-MSCHAPv2 and report back.

    Thanks



  • 8.  RE: Clearpass - Using EAP-PEAP for selected AD users

    Posted Nov 11, 2015 03:58 PM

    It's not working for me. Can I ask what are your service conditions?



  • 9.  RE: Clearpass - Using EAP-PEAP for selected AD users

    EMPLOYEE
    Posted Nov 11, 2015 04:05 PM

    It is pretty bare (PAP is only needed for Captive Portal; you can ignore that).

    (attachment: 8021x-service-bare.png)



  • 10.  RE: Clearpass - Using EAP-PEAP for selected AD users
    Best Answer

    Posted Nov 11, 2015 04:38 PM

    Seems to me that Colin is answering for a pure EAP-PEAP case, not the question Yann is trying to get answered.

     

    Yann, seems you can't use Authentication type during service categorization. It's probably logical (too early in the process or whatever), but someone with more knowledge of the process will have to explain why ;)

     

    One way you could solve it is to add EAP-PEAP to the main .1X service. In the role mapping, do a test for "Authentication OuterMethod equals EAP-PEAP" AND the AD group you mentioned, and give it a custom role like "EAP-PEAP-USER". Now you're free to add a "Tips Role NOT EQUALS EAP-PEAP-USER" to the EAP-TLS tests and whatever is needed in the enforcement policy to give the EAP-PEAP-USER access.
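    The evaluation order behind this answer (service categorization runs on the request attributes before authentication, so Authentication:OuterMethod is not yet known there; role mapping and enforcement run afterwards and can use it), as an added Python model that is not from the thread or from ClearPass itself. The request attributes are constructed, and the AD group "PEAP-Allowed", the role "EAP-PEAP-USER" and the enforcement profile names are assumed for the illustration.

```python
# Added model of the ClearPass request pipeline (simplified; not product code).
# Group, role and enforcement-profile names are invented for this illustration.

SERVICES = [
    # (service name, conditions tested against the attributes known at categorization)
    ("PEAP-Users-1X", {"Authentication:OuterMethod": "EAP-PEAP"}),  # the rule that never hits
    ("Main-1X", {"Connection:Protocol": "RADIUS",
                 "Radius:IETF:NAS-Port-Type": "Wireless-802.11"}),
]

def categorize(request_attrs):
    """Service categorization sees only what the NAS sent. Authentication has not
    run yet, so any Authentication:* attribute is absent and a rule on it fails."""
    for name, conds in SERVICES:
        if all(request_attrs.get(k) == v for k, v in conds.items()):
            return name
    return None

def map_roles(outer_method, ad_groups):
    """Role mapping runs after authentication, so OuterMethod is known here.
    Rule from the answer: OuterMethod == EAP-PEAP AND member of the AD group."""
    roles = set()
    if outer_method == "EAP-PEAP" and "PEAP-Allowed" in ad_groups:
        roles.add("EAP-PEAP-USER")
    return roles

def enforce(outer_method, roles):
    """Enforcement for the single .1X service: PEAP users need the mapped role;
    EAP-TLS users get the normal profile when they do not carry that role."""
    if "EAP-PEAP-USER" in roles:
        return "PEAP-Users-Profile"
    if outer_method == "EAP-TLS":
        return "EAP-TLS-Profile"
    return "Deny-Access"

def evaluate(request_attrs, outer_method, ad_groups):
    """Return (service, enforcement profile) for one request."""
    service = categorize(request_attrs)
    if service is None:
        return (None, "Deny-Access")
    roles = map_roles(outer_method, ad_groups)
    return (service, enforce(outer_method, roles))

# Constructed RADIUS request from a wireless 802.1X client.
WIRELESS_REQ = {"Connection:Protocol": "RADIUS",
                "Radius:IETF:NAS-Port-Type": "Wireless-802.11"}
```

    Running evaluate() with outer method "EAP-PEAP" shows the request landing in Main-1X rather than PEAP-Users-1X, and the AD-group test in map_roles() deciding the outcome.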

     



  • 11.  RE: Clearpass - Using EAP-PEAP for selected AD users

    Posted Nov 12, 2015 08:49 AM

    John, you hit the proverbial nail on the head. Your explanation caused several puzzle pieces to fall into place.

    I went back to a bare-bones service condition and let the enforcement policy do the heavy lifting. It is now working like a champ.

    Thank you all for your input!



  • 12.  RE: Clearpass - Using EAP-PEAP for selected AD users

    Posted Apr 28, 2021 12:45 PM
    @Yann

    I have landed in the same situation as yours; would you be able to share a snapshot of your configuration with me, please?

    ------------------------------
    Faizan Sayed
    ------------------------------



  • 13.  RE: Clearpass - Using EAP-PEAP for selected AD users

    Posted Nov 11, 2015 06:50 PM
    You may need to look at access tracker > Input > Radius request and make sure that you have all the necessary attributes to match in the service.

    Another thing you could try and do is use the Authentication:OuterMethod Not Equal EAP-TLS and see if it works.