Occasional Contributor II

Using ClearPass Radius for authentication on Always on VPN

Hi Guys,

I'm having difficulty setting up ClearPass to be used as the Radius Server for my evaluation of Always on VPN. The NPS is set to forward all requests to ClearPass and hopefully receive an allow or deny message back.

I have set up a service, policy, roles and role mappings (see attachments) however it's not able to classify the login as one thing or another.

Could anyone suggest how I go about this instead?

Wes

[Attachments: 1.PNG, 2.PNG, 3.PNG, 4.PNG, 5.PNG]

Moderator

Re: Using ClearPass Radius for authentication on Always on VPN

You can’t use a certificate’s value in service categorization as it hasn’t been presented yet.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Using ClearPass Radius for authentication on Always on VPN

From the radius request details

Radius:IETF:User-Name

From the computed attributes

Certificate:Subject-AltName-msUPN

Is there another way to make sure these have to match to work?

Moderator

Re: Using ClearPass Radius for authentication on Always on VPN

You can only use those in policy, not service categorization.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Using ClearPass Radius for authentication on Always on VPN

Thanks Tim, that makes sense.

I'll try that and see what happens.

Occasional Contributor II

Re: Using ClearPass Radius for authentication on Always on VPN

Okay so I've created this instead.

[Attachments: 1.PNG, 2.PNG, 3.PNG, 4.PNG, 5.PNG, 6.PNG, 7.PNG]

Still allows access even though it shouldn't as user-name and msUPN are different accounts (they are both valid accounts though).

If the msUPN is an invalid account it certainly doesn't work.

Contributor I

Re: Using ClearPass Radius for authentication on Always on VPN

Did you ever get this fully working? We are about to start testing AOVPN and I'd rather use ClearPass than build an M$ server.

Contributor I

Re: Using ClearPass Radius for authentication on Always on VPN

What are you passing back to the server to tell it that it is authenticated and let the user in? What are you putting in the Enforcement Profile? What documents did you use to help create this? Any updates?

New Contributor

Re: Using ClearPass Radius for authentication on Always on VPN

We're trying to do the same, pass the authentication to ClearPass, but not sure what we're missing. We pass back an access accept but the always-on server denies the device. Any ideas on what we're missing here in the enforcement profile?


Re: Using ClearPass Radius for authentication on Always on VPN

I think the question would be to figure out what the RAS Server from MS needs in order to allow the client. I would expect that the RAS would need some special VSA to fully authenticate the user and that a simple accept is not enough.


Visit our YouTube channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ/featured
Please visit my personal blog as well:
https://www.flomain.de