ClearPass – How to Set Up a Generic RADIUS Catch-all Service
One of the common questions that I am asked is “how do I know what attributes I can use to differentiate services in ClearPass?” My response is always “have you set up a generic RADIUS catch-all service?” Their response is usually “what is that?” I wanted to take a few minutes to share this simple yet very valuable service on CPPM.
So why do we need to set up a generic RADIUS catch-all service? The purpose of the generic service is to give us visibility into any valid RADIUS request coming into CPPM from a known network device. We can then use the incoming RADIUS attributes in those requests to customize our more specific services so that each one triggers on a particular attribute. Here is a quick example of the attributes that are passed in a RADIUS authentication request:
The first thing we need to do is create a new service. In CPPM select Configuration -> Start Here. This will bring up the Service Template Options. Scroll down and select RADIUS Enforcement (Generic).
This will bring up the Add Service screen. You will need to enter a name for the newly created service. I like to call it Generic RADIUS Catch-all. Do not add any Service Rules to this service.
Select Next. This will take you to the Authentication tab. You will need to select any authentication methods that will be used in your network. I typically select EAP MSCHAPv2, EAP PEAP, EAP TLS, EAP TTLS, MSCHAP, CHAP, and PAP. Under the Authentication Source drop-down, select Local User Repository.
Select Next. This will take you to the Roles tab. Since we are only using this service for visibility into the RADIUS attributes sent in a RADIUS request, we do not need to perform any Role Mappings.
Select Next. This will take you to the Enforcement tab. Since we are only using this service for visibility into the RADIUS attributes sent in a RADIUS request, we do not need to define a custom Enforcement Profile. Leave the “Sample Allow Access Policy” as the defined Enforcement Policy.
Select Next. This will take you to the Summary tab. You can review the service configuration on this tab. Click Save.
When you click Save, you will be taken to the Reorder Service screen. You need to make sure that the Generic RADIUS service that you just created is the LAST SERVICE in the list!!! This will ensure that it does not interfere with any customized RADIUS services. With that being said, when you are ready to create the new customized services, you need to make sure you reorder them as well so they are processed before the generic service.
The next step is to add your controllers or switches to CPPM as valid NAD devices under Configuration -> Network -> Devices.
Once your network devices are added, all incoming RADIUS requests will trigger this service. Now you are ready to make a RADIUS user authentication request to see what information CPPM will receive.
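Why the reorder step matters, shown as an added example (a simplified Python model written for this article, not ClearPass code): services are checked from the top of the list, the first match handles the request, and a service with no Service Rules matches everything. The service names, rules and attribute values are constructed, and the model assumes every rule in a service must match.

```python
# Simplified model of ordered, first-match service selection (added example).
# Service names, rules and request attributes below are constructed samples.
OPS = {"EQUALS": lambda actual, want: actual == want,
       "CONTAINS": lambda actual, want: want in actual}

def matches(rules, request):
    """True when every rule holds; an empty rule list matches any request."""
    return all(attr in request and OPS[op](request[attr], want)
               for attr, op, want in rules)

def select_service(services, request):
    """Walk the ordered list top to bottom; the first matching service wins."""
    for name, rules in services:
        if matches(rules, request):
            return name
    return None  # nothing matched: no visibility into this request's attributes

def shadowed_services(services):
    """Services listed after a rule-less service can never be selected."""
    for i, (_, rules) in enumerate(services):
        if not rules:
            return [name for name, _ in services[i + 1:]]
    return []

CATCH_ALL = ("Generic RADIUS Catch-all", [])  # no Service Rules, as in the steps above
WIRELESS = ("Corp Wireless 802.1X", [
    ("Radius:IETF:NAS-Port-Type", "EQUALS", "Wireless-802.11 (19)"),
    ("Radius:IETF:Service-Type", "EQUALS", "Framed-User (2)"),
])
WIRED_MAC = ("Wired MAC Auth", [
    ("Radius:IETF:NAS-Port-Type", "EQUALS", "Ethernet (15)"),
    ("Radius:IETF:Service-Type", "EQUALS", "Call-Check (10)"),
])
GOOD_ORDER = [WIRELESS, WIRED_MAC, CATCH_ALL]  # catch-all last
BAD_ORDER = [CATCH_ALL, WIRELESS, WIRED_MAC]   # catch-all left at the top

WIRELESS_REQUEST = {
    "Radius:IETF:NAS-Port-Type": "Wireless-802.11 (19)",
    "Radius:IETF:Service-Type": "Framed-User (2)",
    "Radius:IETF:NAS-IP-Address": "192.0.2.10",
}
UNKNOWN_REQUEST = {"Radius:IETF:NAS-Port-Type": "Virtual (5)",
                   "Radius:IETF:NAS-IP-Address": "192.0.2.20"}

if __name__ == "__main__":
    for label, order in (("catch-all last", GOOD_ORDER), ("catch-all first", BAD_ORDER)):
        print(label, "->", select_service(order, WIRELESS_REQUEST),
              "| shadowed:", shadowed_services(order))
```

With the catch-all last, the wireless request reaches its specific service and only unmatched requests fall through to the generic one; with the catch-all first, both customized services are shadowed.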