Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EDUROAM WITH CLEARPASS LOCAL DATABASE AS AUTHENTICATION SOURCE

  • 1.  EDUROAM WITH CLEARPASS LOCAL DATABASE AS AUTHENTICATION SOURCE

    Posted 16 days ago

    Hello everyone,

    I have a project for a school with eduroam for their wireless. The school FLR already built their eduroam using a FreeRADIUS setup, which is already working and running. The other branch of this school, where I will implement eduroam, is using ClearPass. Now we have an issue communicating with the FLR: once an outbound user/guest connects to the eduroam SSID, it rejects the user and shows an alert status "NO RESPONSE FROM SERVER", or if an inbound user connects to eduroam, it rejects the user and Access Tracker shows "SERVICE CATEGORIZATION FAILED". I already tried to reverse the configuration based on the given information that needs to match in the services, but still no luck.

    Testing:

    • The FLR public IP and ClearPass are already pingable from both ends from the ClearPass CLI.
    • The secret key is matched based on the details given.

    Here is my concern:

    1. Is the ClearPass local database supported by eduroam as an identity store, or do I need a Microsoft AD, LDAP server, etc.?
    2. Do I need to have ClearPass on both ends from the school FLR so the server will communicate properly?

    Note:

    I already followed the GÉANT eduroam documentation and the eduroam ClearPass templates; they helped me with the initial setup.

    https://archive.geant.org/projects/gn3/geant/services/cbp/Documents/cbp-79_guide_to_configuring_eduroam_using_the_aruba_wireless_controller_and_clearpass.pdf

    I hope someone could help me with this issue, since we've been testing this for almost 1 month.

    Thank you, everyone !



  • 2.  RE: EDUROAM WITH CLEARPASS LOCAL DATABASE AS AUTHENTICATION SOURCE

    EMPLOYEE
    Posted 14 days ago

    Yes, you should be able to use the local user repository as identity store.

    No, you don't need ClearPass on both ends for eduroam, as it builds on standards and RADIUS proxy.

    If your outbound (SP mode / RADIUS Proxy) shows timeouts, then the request is not proxied correctly, cannot reach the upstream RADIUS server, or the upstream server does not allow/accept the requests.

    If inbound (IdP) requests show Service Categorization Failed, then the service in ClearPass is not configured correctly.

    The document that you refer to seems to be quite accurate at first glance. And the two issues that you describe can be analyzed/troubleshot, where it is more likely to succeed if you involve someone who understands RADIUS and ClearPass, and how eduroam works and operates with forwarding, IdPs and SPs, etc. Aruba TAC should be able to troubleshoot these two issues as well, and it seems these are just configuration issues on either the ClearPass or the upstream RADIUS server.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------