Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

  • 1.  Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

    Posted Apr 03, 2014 03:46 PM

    I am currently doing a POC for Clearpass and I'm trying to test some functionality by using Clearpass to help authenticate my Avaya/Nortel switch administration logins.  I'm currently using the 5500 series switches.  While setting the service in Clearpass to try to use AD, I can see the requests coming in but it can't seem to assign an Auth-Type to it.  I then tried to use local authentication (local db) and I have that working and authenticating correctly in CP, but it doesn't seem to be sending back the right stuff to allow the login.  Is there any documentation/white papers on this anywhere?  I've been scouring google for some pointers for quite some time and nothing concrete yet.  Thanks for anything!



  • 2.  RE: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

    EMPLOYEE
    Posted Apr 03, 2014 04:46 PM

    Did you look at any RADIUS guides for Avaya?  I know that Airwave for us requires a VSA called "Aruba-Admin-Role" to be passed back matching the roles defined in Airwave.  Something similar perhaps for Avaya switching?



  • 3.  RE: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

    Posted Apr 04, 2014 01:05 AM

    Have you tried the following:


    For the Avaya 5500, you can set an Enforcement Profile that returns RADIUS IETF attribute Service-Type to either 6 or 7 for the following permissions.   I am not sure anything more granular exists:


    - 6 returns Administrative (read/write)

    - 7 returns NAS Prompt (read only)



  • 4.  RE: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

    Posted Apr 04, 2014 07:32 AM

    Thanks for the reply guys, I'll give that a shot.  



  • 5.  RE: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

    Posted Apr 04, 2014 09:52 AM

    Clembo, that worked perfect for passing the attribute back to the device!  Now the other thing that I had listed in my first post is the other thing I'm trying to figure out.  When trying to have this authenticate to AD instead of the local CP database, it doesn't seem to negotiate a correct Auth-Type on the CP side of things (I assume) but not sure.  When using the local DB, it uses PAP with no issues.  This isn't to say that there is something more I need to configure on the Avaya side, but I haven't found it yet if so.  Any other ideas?



  • 6.  RE: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

    Posted Apr 04, 2014 08:29 PM

    The service should work with either local db or AD.   What is the error on the Alerts tab in Access Tracker when you try to auth against AD?



  • 7.  RE: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

    Posted Apr 07, 2014 07:54 AM

    This is what the alerts tab says on an unsuccessful AD attempt.  Keep in mind a couple things:


    - I am using AD auth on other profiles so I know all those settings are correct

    - I have tried adding in all of the authentication methods by themselves to try each


    Error Code: 216
    Error Category: Authentication failure
    Error Message: User authentication failed
    Alerts for this Request: RADIUS: Cannot select appropriate authentication method


  • 8.  RE: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

    EMPLOYEE
    Posted Apr 07, 2014 08:30 AM

    In the service, what authentication methods do you already have configured?  Try adding PAP if it is not already in there.



  • 9.  RE: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

    Posted Apr 07, 2014 08:52 AM

    cjoseph, currently in the profile using the local db auth, I noticed that it was using PAP on those successful auths so I thought this would also work when switching it to AD Auth, but it doesn't.  Like I had stated, I've tried all of the different auth types by themselves in the profile and then tested and none of them seemed to stick.



  • 10.  RE: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

    Posted Aug 12, 2014 01:51 PM

    BsFan14, try setting your AD auth source to "Allow bind using user password".


    This is what works for me with auth method of PAP. 



  • 11.  RE: Radius authentication to AD through Clearpass for my Avaya 5500 model network switches

    Posted Aug 13, 2014 04:46 PM

    My Nortel 5520 Switch (V6.2.4):

    • radius-server host 172.18.x.y
    • radius-server key ********
    • radius accounting enable
    • cli password switch telnet radius

    in ClearPass ENF profile return this:

    • Radius:IETF  Service-Type Administrative-User
    • ClearPass Radius Authentication for Nortel switch is PAP only, you have no other choice.
    • Port 1812 by default

    Hope it helps!


    If you are still having issues, would you mind sharing the summary screen of your ClearPass service?
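Both the Service-Type values in post 3 (6 = Administrative, 7 = NAS Prompt) and the Administrative-User enforcement in post 11 come down to one IETF attribute in the RADIUS Access-Accept. As an added example (not from this thread, ClearPass or Avaya), the Python below builds such an Access-Accept and shows the check a NAS performs on the switch side: verify the Response Authenticator against the shared secret before trusting Service-Type. The read/write vs read-only mapping follows post 3; the shared secret and Request Authenticator are constructed sample values.

```python
import hashlib
import struct

# RADIUS code and attribute numbers from RFC 2865.
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
# Assumed mapping of Service-Type to switch CLI access, as described in post 3.
SWITCH_ACCESS = {6: "read/write", 7: "read-only"}


def build_access_accept(ident, request_auth, secret, service_type):
    # Access-Accept carrying IETF Service-Type, as an enforcement profile returns it.
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    attrs = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_access_accept(packet, request_auth, secret):
    # NAS-side check: only honour Service-Type from a reply whose Response
    # Authenticator matches the shared secret. Returns (valid, service_type or None).
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False, None
    resp_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if resp_auth != expected:
        return False, None  # forged reply or wrong shared secret on the switch
    service_type = None
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            break  # malformed attribute length, stop parsing
        if atype == ATTR_SERVICE_TYPE and alen == 6:
            service_type = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
        pos += alen
    return True, service_type


def access_level(packet, request_auth, secret):
    # Map a verified Access-Accept to the CLI access the switch would grant.
    valid, service_type = parse_access_accept(packet, request_auth, secret)
    if not valid:
        return "reject (bad authenticator)"
    return SWITCH_ACCESS.get(service_type, "reject (no usable Service-Type)")
```

A reply with a valid authenticator but a Service-Type other than 6 or 7 (or none at all) is treated as no administrative access, which is the symptom from post 1 when the enforcement profile sends back the wrong attribute.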