MVP

Re: Howto: Airwave authentication via Clearpass

I was referring to the original post -- if my (limited) understanding of the roles and enforcement policies is any good, there are two references to the same role - one with and one without a dash.

 

I was actually planning on starting on your problem next - since I also don't have AD access, and need a few "groups" which don't exist. I'll post my results as I go.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it

Re: Howto: Airwave authentication via Clearpass

Just to explain a little more: what Ryan is doing is creating a custom attribute on a role, not using just the role itself. We will need to use a custom SQL query to use the attribute that he created to do what Ryan is trying to accomplish.

For example

Tarnold=ad
Admin=local role
Airwave admin=custom attribute in admin local role
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Super Contributor I

Re: Howto: Airwave authentication via Clearpass

For anyone that needs it, I finally got this to work with the help of Aruba TAC's Mathew. (Thanks!) Basically, we had to build a custom SQL filter/query for the local database. Go into the local DB authentication source, then under the attributes tab, create new. Then create something like what I've attached. This will allow you to then build enforcement policies based on the value of the custom attributes. Tons of use cases, but as of now, I'm using central AD for authentication and Clearpass local DB for authorization. I'm pretty happy with these results.

 

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Contributor II

Re: Howto: Airwave authentication via Clearpass

Hi

 

I think I've followed the instructions but it's not working and I'm looking for some help. Everything is working on the ClearPass side. I can see the request come through via Access Tracker. It's accepted and I can see the User-Role being pushed back to Airwave

Radius:Aruba:Aruba-User-Role = AdminViaClearPass

 

This role is configured as an AMP-ADmin in Airwave (as instructed) and the role is enabled. However, from the Airwave login page I'm just getting login denied. What am I doing wrong?! Is there somewhere I can look in Airwave to show me the Accept coming back from ClearPass?

 

Thanks in advance for the help and feedback.

 

I'm using a beta of Airwave v8 against a 6.3.0 ClearPass install.

 

Chris

 

 

Super Contributor I

Re: Howto: Airwave authentication via Clearpass

The Radius:Aruba attribute you need to send from ClearPass to Airwave is Aruba-Admin-Role, not Aruba-User-Role.

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
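
Added example, not part of Ryan's post and not Aruba's own tooling: a small Python check that decodes the vendor-specific attributes in a captured RADIUS Access-Accept and reports whether it carries Aruba-Admin-Role or only Aruba-User-Role, which is the mix-up resolved above. It assumes the public Aruba RADIUS dictionary values (vendor 14823, Aruba-User-Role = 1, Aruba-Admin-Role = 4); the sample packet is constructed, and the response authenticator is not verified.

```python
import struct

ARUBA_VENDOR_ID = 14823                      # Aruba enterprise number (assumed from the public dictionary)
ARUBA_VSAS = {1: "Aruba-User-Role", 4: "Aruba-Admin-Role"}

def aruba_vsas(packet: bytes) -> dict:
    """Return {attribute name: value} for the Aruba VSAs in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value, pos = packet[pos + 2:pos + alen], pos + alen
        # Type 26 is Vendor-Specific: 4-byte vendor id, then sub-attributes.
        if atype != 26 or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        sub, spos = value[4:], 0
        while spos + 2 <= len(sub):
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            name = ARUBA_VSAS.get(vtype, f"Aruba-Attr-{vtype}")
            found[name] = sub[spos + 2:spos + vlen].decode("utf-8", "replace")
            spos += vlen
    return found

def diagnose(packet: bytes) -> str:
    """Explain whether an Access-Accept carries the role Airwave looks for."""
    if packet[:1] != b"\x02":
        return "not an Access-Accept"
    vsas = aruba_vsas(packet)
    if "Aruba-Admin-Role" in vsas:
        return "ok: Aruba-Admin-Role=" + vsas["Aruba-Admin-Role"]
    if "Aruba-User-Role" in vsas:
        return "misconfigured: only Aruba-User-Role=" + vsas["Aruba-User-Role"]
    return "misconfigured: no Aruba role attribute"

def build_accept(vsa_type: int, role: str) -> bytes:
    """Constructed sample Access-Accept (zeroed authenticator, one Aruba VSA)."""
    sub = bytes([vsa_type, 2 + len(role)]) + role.encode()
    vsa = struct.pack("!BBI", 26, 6 + len(sub), ARUBA_VENDOR_ID) + sub
    return struct.pack("!BBH", 2, 1, 20 + len(vsa)) + bytes(16) + vsa
```

Calling `diagnose(build_accept(1, "AdminViaClearPass"))` reproduces the failing case from the question; to use it on real traffic, pass the UDP payload of the Access-Accept taken from a packet capture.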


Contributor II

Re: Howto: Airwave authentication via Clearpass

Cheers Ryan. Apologies to all for not following the instructions exactly!!!

Super Contributor II

Re: Howto: Airwave authentication via Clearpass

Hi guys! Great guide.

 

I've got an Airwave implemented like this and on my authentication source (AD) I had to check Allow bind using user password to get the authentication to work.

 

The issue I'm facing:

When I log in for the first time in a while, the authentication will always fail and this is what pops up in the access tracker:

[Screenshot attachment: print.JPG]

 

 

If I log in again straight after, the login will be successful and I'll see my admin-role returned. 

 

Anyone know how I can fix this issue?

Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306
MVP

Re: Howto: Airwave authentication via Clearpass

 Hello Christoffer

 

Is this AD source not in use by other services? Establishing the AD connection takes some time when you first instance it. Default server timeout on the AD source is 10 seconds. Might be that the authentication takes longer than 10 seconds the first time, and when you try again the connection is established and cached so therefore it succeeds. Try adjusting the server timeout on the AD source - see if that makes any difference.


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Super Contributor II

Re: Howto: Airwave authentication via Clearpass

Hi John and thank you for your reply.

 

Increasing the server timeout value from 10 to 15 seconds seems to have done the trick! The authentication happens instantaneously so there's no 12 second bind going on but changing it did solve the problem somehow.

 

Thank you!

Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306
Super Contributor II

Re: Howto: Airwave authentication via Clearpass

Hi again! I seem to have been too quick to announce this victory. Although the problem seems to be less frequent, it's still there. Any other suggestions of what could be causing this?
Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306