  • 1.  Chaining Clearpass clusters for RADIUS proxy

    Posted Jul 21, 2025 09:15 AM

    I have a requirement to proxy RADIUS traffic to a third party for wired NAC. We have two Clearpass clusters and only one can forward RADIUS traffic to third parties, but a different cluster receives RADIUS traffic from switch ports. The business would prefer that network switches not forward RADIUS traffic to the customer facing cluster and has asked if we can forward from one cluster to the other and then on to the customer RADIUS. I can see how we can easily create RADIUS proxy services in both clusters to forward the traffic on, but it's the return path that is confusing me. Once the response is received from the customer RADIUS, how would we return this to the business cluster?



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------

    Attachment(s): RADIUS-Proxy.pdf (329 KB)


  • 2.  RE: Chaining Clearpass clusters for RADIUS proxy

    Posted Jul 21, 2025 09:27 AM

    Using the RADIUS proxy functionality, the RADIUS request will be forwarded to another RADIUS server. That RADIUS server needs to handle that request and do the authentication. The authentication response is sent to the ClearPass server, and that server sends the response back to the switch.

    So the return flow is the same. For the other ClearPass cluster it is just a normal authentication request where the source IP is the first ClearPass server.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 3.  RE: Chaining Clearpass clusters for RADIUS proxy
    Best Answer

    Posted Jul 21, 2025 09:51 AM

    Ok, so the RADIUS response received by the customer facing cluster will just be returned to the original cluster without any other configuration being required?

    I was thinking the response would stop at this intermediate. So I just need a RADIUS proxy service on both clusters.



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------



  • 4.  RE: Chaining Clearpass clusters for RADIUS proxy

    Posted Jul 21, 2025 09:54 AM

    Yes correct. No additional configuration is required. 



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 5.  RE: Chaining Clearpass clusters for RADIUS proxy

    Posted Jul 31, 2025 05:07 AM

    I just wanted to revisit this to be sure. On my corporate cluster I create a RADIUS proxy service that forwards the auth request from the switch to my commercial cluster. On the commercial cluster I create a RADIUS proxy service with a condition that the request has originated from the corporate cluster and with proxy targets that forward the request to the third party. When the commercial cluster receives the response from the third party, will this automatically be forwarded back to the corporate cluster? Obviously the RADIUS proxy service on the commercial cluster has an enforcement policy which is defaulted to accept all. Is this going to affect the response?

    I am just not seeing at the moment how the response will be returned and not just stop at the commercial cluster. I don't have two clusters in my test environment, so I am not able to test this first.



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------



  • 6.  RE: Chaining Clearpass clusters for RADIUS proxy

    Posted Jul 31, 2025 06:05 AM

    Yes, that works. It's just a new authentication request between the two clusters. So the commercial cluster simply returns the response to the IP address of the corporate cluster.

    The RADIUS response (accept / deny + attributes) will be proxied from the and (by default) not altered. 



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------
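
Added example, not part of the thread and not ClearPass code: a minimal Python model of why the reply travels back through chained proxies without extra configuration. Each hop treats the proxied leg as a new request and answers its own client with that client's Identifier and shared secret (RFC 2865 Response Authenticator). The `Hop` class, the secrets and the attribute values are constructed for illustration; User-Password re-encryption and Message-Authenticator handling are left out.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def build(code, ident, authenticator, attrs=b""):
    # RADIUS header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_auth(code, ident, attrs, request_auth, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()

def verify(reply, ident, request_auth, secret):
    # A reply is accepted only if it matches the pending Identifier and this hop's secret
    code, rid, length = struct.unpack("!BBH", reply[:4])
    good = response_auth(code, rid, reply[20:length], request_auth, secret)
    return rid == ident and reply[4:20] == good

class Hop:
    """One RADIUS server. With `upstream` set it proxies; otherwise it answers itself."""
    def __init__(self, client_secret, upstream=None):
        self.client_secret, self.upstream, self.next_id = client_secret, upstream, 0

    def handle(self, request):
        _, ident, length = struct.unpack("!BBH", request[:4])
        req_auth, attrs = request[4:20], request[20:length]
        if self.upstream is None:
            code, out = ACCESS_ACCEPT, b"\x12\x04OK"  # Reply-Message "OK" (constructed)
        else:
            # The proxy leg is a fresh request: own Identifier, own Request Authenticator
            self.next_id = (self.next_id + 1) % 256
            up_auth = os.urandom(16)
            reply = self.upstream.handle(build(ACCESS_REQUEST, self.next_id, up_auth, attrs))
            if not verify(reply, self.next_id, up_auth, self.upstream.client_secret):
                raise ValueError("upstream reply failed verification")
            code, out = reply[0], reply[20:struct.unpack("!H", reply[2:4])[0]]
        # Answer the original client: its Identifier, its authenticator, its secret
        auth = response_auth(code, ident, out, req_auth, self.client_secret)
        return build(code, ident, auth, out)

def run_chain():
    # Constructed secrets, one per hop pair; hop names follow the thread's clusters
    third_party = Hop(b"commercial<->thirdparty")
    commercial = Hop(b"corporate<->commercial", upstream=third_party)
    corporate = Hop(b"switch<->corporate", upstream=commercial)
    ident, auth = 42, os.urandom(16)  # what the switch sent and is waiting on
    reply = corporate.handle(build(ACCESS_REQUEST, ident, auth, b"\x01\x07alice"))
    return (reply, verify(reply, ident, auth, b"switch<->corporate"),
            verify(reply, ident, auth, b"corporate<->commercial"))
```

The switch only ever validates a reply signed with its own shared secret, which is why each cluster needs the previous hop defined as a RADIUS client and nothing more for the return path.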



  • 7.  RE: Chaining Clearpass clusters for RADIUS proxy

    Posted Jul 31, 2025 06:09 AM

    Perfect, thanks for confirming



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------



  • 8.  RE: Chaining Clearpass clusters for RADIUS proxy

    Posted Jul 21, 2025 09:42 AM

    This is how eduroam, the federated network for higher education, works. Please note that you will have active sessions on both ClearPass clusters, so you will need to have enough concurrent user Access licenses on both clusters and you may need to proxy the RADIUS accounting as well (enable proxy for accounting requests).



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------