Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Including NPS with Clear Pass in Server Group

  • 1.  Including NPS with Clear Pass in Server Group

    Posted Mar 30, 2017 03:38 PM

    I have run into a situation where one entity in a multi-entity deployment does not want to allow ClearPass to be joined to their domain. They would like to stand up their own Windows NPS and have us add it to the controller. 

    The challenge is that we are trying to maintain the use of a single production SSID throughout the entire property for simplicity and to reduce SSID overhead.

    Can I add their Windows NPS to the server group on the controller that already contains two ClearPass servers? Will the server group profile fall through to the NPS server to authenticate the user when they are not found in ClearPass? If so, can I also use a server derivation rule that uses an Aruba-User-Role attribute sent from NPS to assign users from this entity a role?



  • 2.  RE: Including NPS with Clear Pass in Server Group

    Posted Mar 30, 2017 03:57 PM
    What's the current function for ClearPass?


  • 3.  RE: Including NPS with Clear Pass in Server Group

    Posted Mar 31, 2017 10:34 AM

    ClearPass is currently functioning as the AAA service for the other three property entities. This is a resort with four different hotel entities all within one property. We have all three entities joined to CPPM and we are using their AD servers for authentication queries. This one particular entity will not allow us to join CPPM to their domain but will allow us to add their NPS server to the controller as a RADIUS server. 

     

    What I am trying to accomplish is to have one hotel_admin SSID throughout the entire resort where, no matter if you are an employee of entity 1, 2, 3 or 4, you get a role based on the entity you are employed by. The property has a lot of shared spaces, so entity 1 employees, for instance, might have to go over to entity 2's facility for meetings, etc. 

     

    I am performing role mapping with role enforcement on ClearPass and it is working well for entities 1-3. Now I just need to figure out how to accommodate entity 4. I thought that if I added their NPS server to the server group in the controller which already has ClearPass, and used an Aruba-User-Role attribute to do role assignment through a derivation rule, this might work. 

     

    Any other options to achieve what I want to do? Could I add their AD server as an authentication source in ClearPass without joining CPPM to their domain?



  • 4.  RE: Including NPS with Clear Pass in Server Group

    EMPLOYEE
    Posted Mar 31, 2017 10:39 AM

    Re: adding their domain without joining: what authentication methods are in use?

     

    To handle those users, I'd suggest proxying requests from ClearPass to their NPS server and pointing the controller only to ClearPass.



  • 5.  RE: Including NPS with Clear Pass in Server Group

    Posted Mar 31, 2017 11:13 AM

    Tim, 

    Currently they are just using EAP-PEAP/MSCHAPv2. 

     

    How would I proxy requests from CPPM to NPS? I am familiar with RADIUS querying AD via LDAP/LDAPS with WinBind but not RADIUS to RADIUS directly. 



  • 6.  RE: Including NPS with Clear Pass in Server Group

    Posted Mar 31, 2017 11:27 AM

    I found this discussion which verifies that RADIUS proxy or forwarding is supported but the discussion never reveals the solution. 

    https://community.arubanetworks.com/t5/Security/Does-Clearpass-support-Radius-Forwarding/td-p/196821

     

    What I am unsure of is whether I can somehow use the RADIUS proxy target within the same service I am using for the other entities. I don't see a way of differentiating entity 4's connections from those of entities 1, 2 and 3. 

     



  • 7.  RE: Including NPS with Clear Pass in Server Group

    Posted Apr 04, 2017 06:00 PM

    If I add entity 4's NPS server as a proxy target how do I use that as an authentication source in my service? Is that at all possible? 

    Just to clarify all entities are using a single SSID to get a role based on their entity property. Currently entities 1-3 have groups in their AD that we are using memberof as the condition in a role mapping to assign a role on the controller. Entity 4 however is only giving us access to their NPS server to authenticate their users. 

    How do I effectively authenticate entity 4's users in my service if I only have their NPS server to authenticate against? It is not clear to me the logic in a service that would process this request. If I create a second service just for the RADIUS proxy how would the user from entity 4 fall through the first dot1X service, where users are authenticating against AD servers, and hit the second service which is the RADIUS proxy?



  • 8.  RE: Including NPS with Clear Pass in Server Group

    Posted Sep 19, 2019 08:55 AM

    I have a somewhat similar issue, where I also have to send requests through an NPS.

    Did you ever get this working?