Occasional Contributor I

Using ClearPass Radius for authentication on Always on VPN

Hi Guys,

I'm having difficulty setting up ClearPass to be used as the Radius Server for my evaluation of Always on VPN. The NPS is set to forward all requests to ClearPass and hopefully receive an allow or deny message back.

I have set up a service, policy, roles and role mappings (see attachments) however it's not able to classify the login as one thing or another.

Could anyone suggest how I go about this instead?

Wes

[Attachments: 1.PNG, 2.PNG, 3.PNG, 4.PNG, 5.PNG]

Guru Elite

Re: Using ClearPass Radius for authentication on Always on VPN

You can’t use a certificate’s value in service categorization as it hasn’t been presented yet.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Occasional Contributor I

Re: Using ClearPass Radius for authentication on Always on VPN

From the radius request details:

Radius:IETF:User-Name

From the computed attributes:

Certificate:Subject-AltName-msUPN

Is there another way to make sure these have to match to work?

Guru Elite

Re: Using ClearPass Radius for authentication on Always on VPN

You can only use those in policy, not service categorization.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor I

Re: Using ClearPass Radius for authentication on Always on VPN

Thanks Tim, that makes sense.

I'll try that and see what happens.

Occasional Contributor I

Re: Using ClearPass Radius for authentication on Always on VPN

Okay so I've created this instead.

[Attachments: 1.PNG, 2.PNG, 3.PNG, 4.PNG, 5.PNG, 6.PNG, 7.PNG]

Still allows access even though it shouldn't as user-name and msUPN are different accounts (they are both valid accounts though).

If the msUPN is an invalid account it certainly doesn't work.

Occasional Contributor II

Re: Using ClearPass Radius for authentication on Always on VPN

Did you ever get this fully working? We are about to start testing AOVPN and I'd rather use ClearPass than build an M$ server.
