Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Service for authentication of F5 LTM with clearpass

  • 1.  Service for authentication of F5 LTM with clearpass

    Posted Apr 11, 2019 02:59 PM

    Hi

     

    I have a requirement where I have to create a VIP at F5 LTM for our RADIUS servers at ClearPass (publisher and subscribers). All the users will land on the VIP IP for RADIUS authentication in order to achieve load balancing between RADIUS servers.

    When I created the VIP, I am getting the below error on ClearPass:

    Error Code: 204
    Error Category: Authentication failure
    Error Message: Failed to classify request to service
    Alerts for this Request

    RADIUS Service Categorization failed

     

    Kindly help to create a service on ClearPass for the same.



  • 2.  RE: Service for authentication of F5 LTM with clearpass

    EMPLOYEE
    Posted Apr 11, 2019 03:01 PM
    You need to look at the RADIUS request and create a service that matches the attributes.


  • 3.  RE: Service for authentication of F5 LTM with clearpass

    Posted Apr 11, 2019 03:03 PM
    Are you doing SNAT at the F5? Please check the RADIUS input attributes to see which attributes are sent in the RADIUS request. Compare this with the service rule filter.


  • 4.  RE: Service for authentication of F5 LTM with clearpass

    Posted Apr 11, 2019 03:09 PM

    I would like to know what service should be created on ClearPass in order to make authentication successful from F5 LTM.



  • 5.  RE: Service for authentication of F5 LTM with clearpass

    EMPLOYEE
    Posted Apr 11, 2019 03:12 PM
    As mentioned, you need to look at the RADIUS request and build matching service rules.


  • 6.  RE: Service for authentication of F5 LTM with clearpass

    Posted Apr 11, 2019 03:18 PM

    Here is the output from Access Tracker:

     

    Authentication:ErrorCode 204
    Authentication:Full-Username testuser
    Authentication:Full-Username-Normalized testuser
    Authentication:MacAuth NotApplicable
    Authentication:Posture Unknown
    Authentication:Status Failed
    Authentication:Username testuser
    Connection:Dest-IP-Address 10.xx.xx.xx
    Connection:Dest-Port 1645
    Connection:NAD-IP-Address 10.xx.xx.xx
    Connection:Protocol RADIUS
    Connection:Src-IP-Address 10.xx.xx.xx
    Connection:Src-Port 38829
    Date:Date-Time 2019-04-11 20:06:18

     

     

    Policies Used -
    Service: -
    Authentication Method: -
    Authentication Source: None
    Authorization Source: -
    Roles: -
    Enforcement Profiles: -
    Service Monitor Mode: Disabled
    Online Status: Not Available

     

     

     



  • 7.  RE: Service for authentication of F5 LTM with clearpass

    Posted Apr 11, 2019 03:20 PM
    Have you added PAP as an authentication method in the service? F5 is using PAP for testing.


  • 8.  RE: Service for authentication of F5 LTM with clearpass

    Posted Apr 11, 2019 03:21 PM

    No, how can I do it?



  • 9.  RE: Service for authentication of F5 LTM with clearpass

    Posted Apr 11, 2019 03:24 PM
    In the ClearPass service, go to the Authentication tab. Here you can add an auth method. Probably there is now EAP-PEAP. Please add PAP also here. I would advise creating a specific service only for F5 health checking because PAP is not secure.


  • 10.  RE: Service for authentication of F5 LTM with clearpass

    Posted Apr 11, 2019 03:29 PM

    I would also prefer to create a new service. Is there any example template from which I can take reference in order to create a new service specific to F5?



  • 11.  RE: Service for authentication of F5 LTM with clearpass

    Posted Apr 11, 2019 03:32 PM
    I don’t think there is a template in ClearPass. Just create a service and filter on the NAS id of the F5 and the test user username.
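
The narrow service rule suggested in the post above, as an added example that is not part of the original thread and is not ClearPass code: it parses a constructed RFC 2865 Access-Request and runs it through a simplified first-match model of service classification. The NAS IP `192.0.2.10`, the `Corp 802.1X` service and the assumption that the monitor sends NAS-IP-Address (NAS-Identifier would be matched the same way) are hypothetical.

```python
import struct

# Constructed values, not from the thread: monitor NAS IP and a stand-in 802.1X service.
F5_NAS_IP = "192.0.2.10"
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 32: "NAS-Identifier"}
EXISTING = ("Corp 802.1X", {"NAS-Port-Type": "Wireless-802.11"})  # hypothetical service
F5_SERVICE = ("F5 health check", {"NAS-IP-Address": F5_NAS_IP, "User-Name": "testuser"})

def build_access_request(user, nas_ip, hidden_pw=b"\x00" * 16):
    """Build a minimal RFC 2865 Access-Request such as a PAP health check sends."""
    fields = ((1, user.encode()), (2, hidden_pw),
              (4, bytes(int(octet) for octet in nas_ip.split("."))))
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in fields)
    header = struct.pack("!BBH", 1, 0x2A, 20 + len(attrs))  # code 1 = Access-Request
    return header + b"\x11" * 16 + attrs  # constructed request authenticator

def parse_attributes(packet):
    """Return {attribute name: value} for the attributes in an Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    out, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        raw = packet[pos + 2:pos + alen]
        if atype == 4:
            value = ".".join(str(b) for b in raw)
        elif atype == 2:
            value = "<hidden>"  # PAP password, obscured only by MD5 keyed with the shared secret
        else:
            value = raw.decode(errors="replace")
        out[ATTR_NAMES.get(atype, f"Attr-{atype}")] = value
        pos += alen
    return out

def classify(request, services):
    """Simplified model: try services in order; the first whose rules all match wins."""
    for name, rules in services:
        if all(request.get(attr) == want for attr, want in rules.items()):
            return name
    return None  # no match: "Failed to classify request to service"

if __name__ == "__main__":
    req = parse_attributes(build_access_request("testuser", F5_NAS_IP))
    print(req, classify(req, [EXISTING]), classify(req, [EXISTING, F5_SERVICE]))
```

Because the rule requires both the NAS address and the test username, a PAP request for any other account arriving through the same F5 still fails classification instead of being accepted by the health-check service.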


  • 12.  RE: Service for authentication of F5 LTM with clearpass



  • 13.  RE: Service for authentication of F5 LTM with clearpass

    Posted Apr 11, 2019 03:13 PM
    Is this for health monitoring? If yes, you need to use PAP authentication.