RadSec with ClearPass for Guest Authentication - Any Specific Considerations?

  • 1.  RadSec with ClearPass for Guest Authentication - Any Specific Considerations?

    Posted Nov 09, 2025 11:01 AM

    Hi everyone,

    I'd like to ask if there are any specific considerations or known limitations when using RadSec for Guest authentication in a ClearPass environment.

    We currently have RadSec fully operational for both wired and 802.1X wireless authentication, but we're now trying to extend this setup to the Guest network (MAC authentication + captive portal). However, we're facing some challenges during the authentication process.

    Our ClearPass server is hosted in the cloud (AWS/Azure), and we're using Aruba Instant APs managed by Aruba Central. The goal is to ensure all RADIUS communication between the APs and ClearPass happens over RadSec for security and encryption.

    So, my questions are:

    • Are there special configurations or limitations when applying RadSec to Guest networks?

    • Does the MAC + web authentication flow behave differently over RadSec compared to traditional RADIUS?

    • Are there certificate or policy adjustments required specifically for this scenario?

    Any documentation, examples, or lessons learned from similar deployments would be really appreciated.

    Thank you in advance for your help!



    -------------------------------------------


  • 2.  RE: RadSec with ClearPass for Guest Authentication - Any Specific Considerations?

    Posted Nov 09, 2025 05:12 PM

    Once you have configured your RadSec auth server, all the authentication and accounting records will be using RadSec.

    Are you seeing any issues?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: RadSec with ClearPass for Guest Authentication - Any Specific Considerations?

    Posted Nov 09, 2025 06:58 PM

    Hi, thanks again for your reply!

    Yes, RadSec is already fully configured and working properly for both wired and 802.1X wireless authentication.

    However, we're now facing an issue specifically with the Guest authentication flow (MAC auth + captive portal).

    We currently have two ClearPass servers for testing purposes:

    • One using standard RADIUS (on-prem)

    • Another using RadSec (cloud-hosted on Azure)

    When we point the Guest SSID to the on-prem RADIUS server, all guest authentications complete successfully.
    But when we switch to the cloud RadSec server, all Guest authentications start to fail with REJECT, as shown in the Access Tracker screenshot below.

    All requests appear with Source: RADSEC, and the Login Status: REJECT, even though the same service and enforcement policy work perfectly when using the traditional RADIUS connection.

    So I'd like to confirm:

    • Is there any known limitation or special handling when using RadSec for Guest authentication (MAC + Web Auth)?

    • Could this be related to certificate trust, policy mapping, or session handling differences under RadSec?

    • Should the Guest service or enforcement profile be adjusted when the connection goes through RadSec instead of standard RADIUS?

    Any insights, documentation, or examples from similar RadSec + Guest deployments would be really appreciated.

    -------------------------------------------



  • 4.  RE: RadSec with ClearPass for Guest Authentication - Any Specific Considerations?

    Posted Nov 09, 2025 08:04 PM

    We have deployed RadSec for wired/wireless dot1x, MAC auth and CP with no issues.

    So, in your case, are you running one ClearPass cluster across on-prem and Azure nodes?

    Also, when you open one of the Access Tracker rejects, what is the exact reject error?






  • 5.  RE: RadSec with ClearPass for Guest Authentication - Any Specific Considerations?

    Posted Nov 10, 2025 02:17 AM

    Accept or Reject depends on the authentication method, role mapping, and enforcement used.
    Please share the output of the Alert section from the Access Tracker.
    The service configuration, i.e., authentication, role mapping, and enforcement, would also be helpful.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: RadSec with ClearPass for Guest Authentication - Any Specific Considerations?

    Posted Nov 10, 2025 04:28 AM

    As already pointed out, the Alert section of the Access Tracker record will show why authentication fails. It has nothing to do with RadSec per se. Your RadSec communication is working as expected.

    You can also check the Access Tracker record log for additional information.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------



  • 7.  RE: RadSec with ClearPass for Guest Authentication - Any Specific Considerations?

    Posted Nov 10, 2025 08:27 PM

    Hi Gorazd,

    Thank you for the clarification - that makes perfect sense. It's good to know that RadSec communication itself is working correctly, and that the issue is likely related to the authentication logic within the service rather than the RadSec setup.

    We'll proceed to collect and review the detailed Access Tracker → Alerts section and record logs to identify the exact reason for the REJECTs. Once we have that data, I'll share it here for further analysis.

    Thanks again for confirming this point - that helps narrow down the investigation direction.

    -------------------------------------------



  • 8.  RE: RadSec with ClearPass for Guest Authentication - Any Specific Considerations?

    Posted Nov 17, 2025 01:55 PM
    Edited by Cleiton da Silva dos Santos Nov 17, 2025 01:55 PM

    Hi everyone,

    As suggested, we collected the full Access Tracker details from one of the failed Guest authentication attempts when using the ClearPass RadSec (cloud) node.

    Here are the key findings:

    Summary:

    • Login Status: REJECT

    • Service: User Authentication with MAC Caching

    • Authentication Method: PAP

    • Authentication Source: Local:localhost

    • Enforcement Profile: Deny Access Profile

    • ClearPass Version: 6.11.11.261865 (Cloud)

    Input Tab:

    • Authentication:ErrorCode: 216

    • Authentication:Status: Failed

    • Authorization Attributes: [Endpoints Repository]:Unique-Device-Count = 1

    • Connection: Aruba IAP 

    Alerts Tab:

    • Error Code: 216

    • Error Category: Authentication failure

    • Error Message: User authentication failed

    • Alert Detail: RADIUS PAP: CLEAR TEXT password check failed

    (Attached screenshots show the full Summary, Input, Output, and Alerts sections from Access Tracker.)

    This only happens when the Guest SSID is pointing to the RadSec (cloud) server.
    If we redirect the same SSID to the on-prem RADIUS server, the authentication completes successfully and the user is redirected to the post-auth Guest role as expected.

    We'd like to confirm if anyone has seen this "PAP CLEAR TEXT password check failed" error specifically in Guest + RadSec scenarios, or if this could be related to password handling or certificate validation differences between RadSec and standard RADIUS.

    Any insights or recommendations are welcome.

    Thank you again for the guidance and support!

    -------------------------------------------



  • 9.  RE: RadSec with ClearPass for Guest Authentication - Any Specific Considerations?

    Posted Nov 10, 2025 08:26 PM

    Hi, thank you for your reply and guidance!

    You're absolutely right - the behavior seems related to the service logic (authentication, role mapping, or enforcement).

    We're planning to run new authentication tests with the client to collect complete information from the Access Tracker → Alerts section, as well as screenshots of the service configuration, including authentication, role mapping, and enforcement policies.

    Once we gather those details, I'll share them here for further analysis.

    Just to recap, this issue only occurs when the Guest SSID points to the ClearPass node using RadSec (cloud). When using the on-prem RADIUS node, authentication and role assignment work perfectly.

    Thanks again for your help - I'll update the thread soon with the requested information.

    -------------------------------------------



  • 10.  RE: RadSec with ClearPass for Guest Authentication - Any Specific Considerations?

    Posted Nov 10, 2025 08:24 PM

    Hi, thanks for your reply!

    Yes, the environment is currently in migration to the cloud - the final design will be a hybrid ClearPass cluster, with one node remaining on-premises and another hosted in the cloud (Azure), both operating within the same cluster.

    We'll run some additional tests together with the client to capture the detailed Access Tracker logs for the REJECT cases you mentioned. Once we have those results, I'll share the exact reject reason and additional findings here.

    Thanks again for your support and for confirming that RadSec works fine in similar deployments - that's very helpful as a reference.

    -------------------------------------------



  • 11.  RE: RadSec with ClearPass for Guest Authentication - Any Specific Considerations?

    Posted Nov 17, 2025 07:06 PM

    Why are you using PAP for MAC authentication?

    Perhaps you can paste the screenshot for your MAC caching service.






  • 12.  RE: RadSec with ClearPass for Guest Authentication - Any Specific Considerations?

    Posted Nov 17, 2025 08:13 PM

    Hi,

    As requested, I'm sharing the full configuration of the Guest MAC Authentication and User Authentication with MAC Caching services from our ClearPass environment.

    Below are the screenshots for reference:

    1. Service List View – showing both MAC Auth and User Auth with MAC Caching services

    2. Service Summary and Conditions – including authentication sources and methods

    3. Role Mapping Policy – mapping GuestUser roles

    4. Enforcement Policy – showing conditions and profiles for Guest access

    (All screenshots attached below for visibility.)

    For context:

    • The User Authentication with MAC Caching service is using PAP, MSCHAP, and CHAP as authentication methods.

    • The issue only occurs when the Guest SSID points to the RadSec (Cloud) node.

    • When pointing to the on-prem RADIUS node, authentication and redirection work perfectly.

    We're currently investigating whether the PAP method may be affecting authentication via RadSec or if any special adjustment is needed for MAC caching in cloud deployments.

    Thanks again for the guidance - any feedback on this configuration would be appreciated.

    -------------------------------------------



  • 13.  RE: RadSec with ClearPass for Guest Authentication - Any Specific Considerations?

    Posted Nov 20, 2025 11:00 AM

    Hi everyone,

    Following the previous suggestions, I've collected the Access Tracker details from one of the rejected authentication attempts for the Guest service using RadSec.

    Here are the key findings:

    • Service: GuestANET_Refinaria User Authentication with MAC Caching

    • Authentication Method: PAP

    • Authentication Source: Local:localhost

    • Authorization Source: [Endpoints Repository], [Time Source]

    • Error Code: 216

    • Error Category: Authentication failure

    • Error Message: User authentication failed

    • Alert: RADIUS PAP: CLEAR TEXT password check failed

    • Enforcement Profile Applied: Deny Access Profile

    • Online Status: Offline

    • Access Device: Aruba Instant AP (RadSec connection active)

    This behavior only occurs when the SSID points to the ClearPass cloud node (RadSec). When the SSID uses the on-prem RADIUS node, authentication works normally and the user is redirected to the correct Guest role.

    At this point, the issue appears to be related to PAP authentication or password validation when requests come through RadSec, since the error specifically refers to "clear text password check failed."

    Has anyone seen a similar behavior when using RadSec with Guest authentication (MAC + Web Auth)?
    Could this be related to certificate handling, policy configuration, or how ClearPass processes PAP requests under RadSec?

    We're running ClearPass 6.11.11.261865 (Cloud) and will appreciate any insights or examples from similar hybrid setups (on-prem + cloud cluster).

    Thanks for all the guidance so far - your feedback has been very helpful.

    -------------------------------------------