Occasional Contributor I

Service for authentication of F5 LTM with clearpass

Hi

I have a requirement where I have to create a VIP at F5 LTM for our radius servers at Clearpass (publisher and subscribers). All the users will land on the VIP IP for radius authentication in order to achieve load balancing b/w radius servers.

When I created the VIP I am getting the below error on Clearpass:

Error Code: 204
Error Category: Authentication failure
Error Message: Failed to classify request to service
Alerts for this Request

RADIUS Service Categorization failed

Kindly help to create a service on Clearpass for the same...

Guru Elite

Re: Service for authentication of F5 LTM with clearpass

You need to look at the RADIUS request and create a service that matches the attributes.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Super Contributor II

Re: Service for authentication of F5 LTM with clearpass

Are you doing SNAT at the F5? Please check the radius input attributes to see which attributes are sent in the radius request. Compare this with the service rule filter.

Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Occasional Contributor I

Re: Service for authentication of F5 LTM with clearpass

I would like to know what Service should be created on Clearpass in order to make authentication successful from F5 LTM.

Guru Elite

Re: Service for authentication of F5 LTM with clearpass

As mentioned, you need to look at the RADIUS request and build matching service rules.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Super Contributor II

Re: Service for authentication of F5 LTM with clearpass

Is this for health monitoring? If yes you need to use PAP authentication.

Willem Bargeman ACMX#935 | ACCX #822

Occasional Contributor I

Re: Service for authentication of F5 LTM with clearpass

Here is the o/p from access tracker:

Authentication:ErrorCode 204
Authentication:Full-Username testuser
Authentication:Full-Username-Normalized testuser
Authentication:MacAuth NotApplicable
Authentication:Posture Unknown
Authentication:Status Failed
Authentication:Username testuser
Connection:Dest-IP-Address 10.xx.xx.xx
Connection:Dest-Port 1645
Connection:NAD-IP-Address 10.xx.xx.xx
Connection:Protocol RADIUS
Connection:Src-IP-Address 10.xx.xx.xx
Connection:Src-Port 38829
Date:Date-Time 2019-04-11 20:06:18

Policies Used -
Service: -
Authentication Method: -
Authentication Source: None
Authorization Source: -
Roles: -
Enforcement Profiles: -
Service Monitor Mode: Disabled
Online Status: Not Available

Super Contributor II

Re: Service for authentication of F5 LTM with clearpass

Have you added PAP as an authentication method in the service? F5 is using PAP for testing.

Willem Bargeman ACMX#935 | ACCX #822

Occasional Contributor I

Re: Service for authentication of F5 LTM with clearpass

No, how can I do it?

Super Contributor II

Re: Service for authentication of F5 LTM with clearpass

Go to the Clearpass service and then to the authentication tab. Here you can add an auth method. Probably there is now EAP-PEAP. Please add PAP also here. I would advise creating a specific service only for F5 health checking because PAP is not secure.

Willem Bargeman ACMX#935 | ACCX #822
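
Added example (not part of any post in this thread, and not ClearPass code): a simplified model of the "compare the input attributes with the service rule filter" step, run against the Access Tracker attributes posted above. The rule sets, service names and the first-match/all-rules-must-match model are assumptions for illustration; the masked address is kept as a placeholder.

```python
import re

# Input attributes copied from the Access Tracker output posted in the thread
# (addresses are masked there; the masked text is kept as a placeholder).
ACCESS_TRACKER = """\
Authentication:Username testuser
Connection:Dest-Port 1645
Connection:NAD-IP-Address 10.xx.xx.xx
Connection:Protocol RADIUS
Connection:Src-IP-Address 10.xx.xx.xx
"""

def parse_attributes(dump):
    """Parse 'Namespace:Name value' lines into a dict."""
    attrs = {}
    for line in dump.splitlines():
        m = re.match(r"(\S+:\S+)\s+(.+)$", line.strip())
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs

def rule_matches(attrs, rule):
    name, op, want = rule
    if name not in attrs:  # attribute absent from the request: rule cannot match
        return False
    return attrs[name] == want if op == "EQUALS" else op == "EXISTS"

def failed_rules(attrs, rules):
    """Rules that keep this request from being classified to the service."""
    return [r for r in rules if not rule_matches(attrs, r)]

def classify(attrs, services):
    """First service whose rules all match; None corresponds to error 204."""
    for name, rules in services:
        if not failed_rules(attrs, rules):
            return name
    return None

# Hypothetical rule sets: a typical 802.1X service and a dedicated F5 service.
WIRELESS = ("Wireless 802.1X",
            [("Radius:IETF:NAS-Port-Type", "EQUALS", "Wireless-802.11 (19)")])
F5_CHECK = ("F5 health check (PAP)",
            [("Connection:Protocol", "EQUALS", "RADIUS"),
             ("Connection:NAD-IP-Address", "EQUALS", "10.xx.xx.xx")])

if __name__ == "__main__":
    attrs = parse_attributes(ACCESS_TRACKER)
    print("before:", classify(attrs, [WIRELESS]), failed_rules(attrs, WIRELESS[1]))
    print("after: ", classify(attrs, [WIRELESS, F5_CHECK]))
```

Scoping the dedicated service to the load balancer's address keeps PAP out of the services that handle user authentication.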
