ClearPass Policy Manager RADIUS Integration

ClearPass Policy Manager RADIUS Integration

In addition to issuing certificates, our onboarding solution can authenticate users with a built-in RADIUS server. Administrators benefit from the efficiency of the server detecting any potential connection issues and allowing a network engineer to remotely resolve it. If the client already has a RADIUS server in use, that is no problem. SecureW2 software solutions integrate with all major RADIUS vendors and leverages existing infrastructure for a seamless transition into certificate-based authentication. Along with the security and network visibility benefits of certificates, they can be utilized for SSL inspection, VPN, wired security, and much more, making a certificate platform a valuable multi-use tool at your disposal. This setup will demonstrate how to integrate with an existing CPPM RADIUS to authenticate x.509 certificates for secure Wi-Fi access.

To complete this setup, you need to have already configured :

  • A CPPM RADIUS Server
  • A SecureW2 Network Profile
  • An Identity Provider


Adding the SecureW2 CA into the CPPM Trust List

  1. Click Certificate Authorities under PKI Management
  2. Download the Root Certificate and the Intermediate Certificate
  3. Go to the ClearPass Policy Manager Page, navigate to Administration, and click Trust List
  4. Click Add and then Browse
    • Here we will upload the recently downloaded certificates
  5. Locate the certificates in your folder, click Open, and select Add Certificate (the names of your root and intermediate certificate will be the name of your organization)
  6. Check that the certificates are valid and enabled in the Trust List by typing the name of the certificates in the search bar

Confirmation that the certificates created are valid


Adding Our EAP-TLS Service

  1. In the ClearPass Policy Manager page, click Services
  2. Click Add, and in the drop-down for Type, change the value to 802.1X Wireless
    • The first service rule has been changed to wireless
  3. Delete the second service rule
  4. Create a new service rule to specify the SSID for authentication requests by clicking Click to add and choosing RADIUS: IETF in the Type field
    • In the Name field, choose Callback-ID
    • In the Operator field, choose CONTAINS
    • In the Value field, enter the name of your SSID
  5. Click the Authentication tab, then in the Authentication Methods section, delete all except EAP-TLS
    • If you are going to use PEAP-MSCHAPv2 in conjunction with EAP-TLS, do NOT delete it in Authentication Methods
  6. In the Authentication Sources section, add Customer CAS (Active Directory)
  7. To configure roles, click the Roles tab
  8. For the Roll Mapping Policy, click the dialog box and choose the [Guest Roles]
    • You can get very specific with the roles you assign, but for now, the default guest roles will suffice
  9. Click Save

Setting up a Service Rule in CCPM for EAP-TLS Authentication

Configuring Identity Lookup

  1. Click Configuration, and in the Authenticating section, click Sources
  2. Double-click Customer CAS (the active directory) and navigate to the Attributes tab
  3. Click Authentication under the Filter Name column
  4. In the bottom row, click Click to add… and add attribute userAccountControl
    • For the Alias Name, enter Account Status
    • For the Data Type, enter String
    • In the Enabled As section, check the box next to Attribute and click Save

Showing the correct settings and entries for Identity Lookup

Now that our Identity Lookup is configured to include this attribute, we have to go back to our Authentication Source to ensure that LDAP is sending over these attributes.

  1. Go back to the Authentication Source Customer CAS, navigate to the Attributes tab, and click Authentication in the Filter Name column
  2. In the Configure Filter window that appears, go to the Browse tab
  3. Click on the folder for your organization, and click CN=Users and click on the test user we previously created

Checking the LDAP to ensure that attributes are correctly sent

  • Check to see that userAccountControl is visible with a value assigned
    • If you see 66048, it means the user is enabled
    • If you see 66050, it means the user is disabled

To ensure that Authorization is enabled, you must:

  1. Navigate to Services and click on the SecureW2 CPPM RADIUS Server
  2. From here, click on the Service tab and check under More Options that the Authorization box is checked
  3. If you go to the Authorization tab, make sure that the Authentication Source is the one previously configured, Customer CAS
    • Customer CAS should also be included in the Additional authorization sources box shown below
  4. Click Save

Configuring the CAS to authorize users

Adding the Certificate Revocation List (CRL)

  1. In the ClearPass Policy Manager, navigate to Administration > Certificates > Revocation List
  2. Click Add
  3. In the window that appears, select URL

Location that the CRL will be added

  1. Navigate to the SecureW2 Management Portal, and click Certificate Authorities under PKI Management
  2. Click View that corresponds to the Intermediate CA and right click on the Base CRL link and click Copy Link Address

Copying the link address of the CRL

  1. Navigate back to the ClearPass Policy Manager and paste the URL in the Distribution URL field
  2. Click Save, and the CRL list has been added and will be checked


Concluding Thoughts

With the final Save click, the wireless network is configured for WPA2-Enterprise with EAP-TLS authentication. Now, network users will only need to complete the onboarding process once for uninterrupted and secure Internet use. Network administrators will see their IT help desk tickets reduced and if a problem should arise, they can easily diagnose the problem. Certificate-based authentication will eliminate password-related disconnects and MITM attacks, tie users and devices to network connections, improve network performance, and much more. Historically, setting up this type of network would have taken weeks, but with SecureW2, setting up certificate-based authentication with a ClearPass Policy Manager RADIUS server can take just a few hours. So if you’d like to try out SecureW2, or have any questions about how we integrate with ClearPass Policy Manager RADIUS server, drop us a line! We are happy to introduce a network professional with a Clearpass expert to facilitate a free trial and show how easy it can be to deploy certificate-based authentication.

ClearPass and ClearPass Policy Manager are either registered trademarks or trademarks of Hewlett Packard Enterprise Development LP in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.

  • Email addresses from free providers (Gmail, Hotmail, etc.) will not be accepted.
  • This field is for validation purposes and should be left unchanged.