Authentication Methods and Sources

As a first step in service-based processing, Policy Manager uses an authentication method to authenticate the user or device against an authentication source. Policy Manager includes several predefined authentication sources. After the user or device is authenticated, Policy Manager fetches attributes for role-mapping policies from the authorization sources associated with that authentication source. For a general overview of Policy Manager authentication and authorization, see Authentication and Authorization Architecture and Flow.

Default Authentication Methods

Policy Manager provides the following default authentication methods:

Table 1: Default Authentication Methods

| Authentication Method | Description |
|---|---|
| [Allow All MAC-AUTH] | Provides default settings for the Allow All MAC-AUTH authentication method. |
| [Aruba EAP-GTC] | Provides the non-tunneled EAP-GTC (Generic Token Card) authentication method for use with the Aruba EAP-GTC plugin for Windows. |
| [Authorize] | Provides default settings for the Authorize authentication method. |
| [CHAP] | Provides default settings for the CHAP (Challenge Handshake Authentication Protocol) authentication method. |
| [EAP-FAST] | Provides default settings for the EAP-FAST authentication method. |
| [EAP-GTC] | Provides default settings for the EAP-GTC authentication method. |
| [EAP-MD5] | Provides default settings for the EAP-MD5 authentication method. |
| [EAP-MSCHAPv2] | Provides default settings for the EAP-MSCHAPv2 authentication method. |
| [EAP-PEAP] | Provides default settings for the EAP-PEAP (Protected Extensible Authentication Protocol) authentication method. |
| [EAP-PEAP-Public] | Provides default settings for the EAP-PEAP-Public authentication method. |
| [EAP-PEAP Without Fast Reconnect] | Provides EAP-PEAP with Fast Reconnect disabled; recommended for Onboard. |
| [EAP-PWD] | Provides default settings for the EAP-PWD (EAP Password) authentication method. |
| [EAP-TLS] | Provides default settings for the EAP-TLS authentication method. |
| [EAP-TLS with OCSP Enabled] | Provides EAP-TLS with OCSP (Online Certificate Status Protocol) enabled; recommended for Onboard. |
| [EAP-TTLS] | Provides default settings for the EAP-TTLS authentication method. |
| [MAC-AUTH] | Provides default settings for the MAC-AUTH authentication method. |
| [MSCHAP] | Provides default settings for the MSCHAP authentication method. |
| [PAP] | Provides default settings for the PAP (Password Authentication Protocol) authentication method. PAP does not encrypt passwords for transmission and is therefore considered insecure. |
| [SSO] | Provides default settings for the SSO (Single Sign-On) authentication method. |

Import/Export a default authentication source to ClearPass 6.10.8

Importing a default configuration source into ClearPass 6.10.8 from an earlier version fails, and error messages such as "Default filter query cannot be modified" and "Custom SQL must not contain and data modifying SQL statements" are displayed at Configuration > Authorization > Sources.

Imports, exports, and the display of default data in authentication sources and services are now validated.

After authentication sources containing default data or queries are exported from an earlier version, and before they are imported into ClearPass 6.10.8, complete the following steps:

1. Make a copy of the XML file and remove all default AuthSource elements (<AuthSource> ... </AuthSource>).

The name of a ClearPass default AuthSource is enclosed in brackets, "[<AuthSource-name>]". For example: <AuthSource description="Authenticate users against Policy Manager local user database" name="[Local User Repository]" isAuthorizationSource="true" type="Local">

2. Import the configuration into ClearPass 6.10.8.
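The following script automates step 1 for a large export. It is an added example, not ClearPass tooling: it parses the exported XML, drops every AuthSource element whose name attribute is enclosed in brackets (the page's criterion for a default source), and reports what it removed so the operator can confirm nothing custom was touched. The wrapper element names in the constructed sample (TipsContents, AuthSources, Filters) are assumptions; the script does not depend on them because it searches the whole tree for AuthSource elements wherever they sit.

```python
"""Strip default (bracket-named) AuthSource elements from a ClearPass export.

Added example; not part of ClearPass. The page states that default
authentication sources are named "[...]" and that their <AuthSource> elements
must be removed from an older export before importing into 6.10.8.
"""
import re
import sys
import xml.etree.ElementTree as ET

# A default source name is the whole value wrapped in square brackets.
DEFAULT_NAME = re.compile(r"^\[.*\]$")

# Constructed sample resembling an export: one default source, one custom source.
# The wrapper elements (TipsContents, AuthSources, Filters) are assumed names.
SAMPLE_EXPORT = """<TipsContents>
  <AuthSources>
    <AuthSource description="Authenticate users against Policy Manager local user database"
                name="[Local User Repository]" isAuthorizationSource="true" type="Local">
      <Filters>
        <Filter name="Authentication"/>
      </Filters>
    </AuthSource>
    <AuthSource description="Corporate directory" name="Corp AD"
                isAuthorizationSource="true" type="AD">
      <Filters>
        <Filter name="Authentication"/>
      </Filters>
    </AuthSource>
  </AuthSources>
</TipsContents>
"""


def is_default_source(elem):
    """True for an AuthSource whose name is bracketed, e.g. "[Local User Repository]"."""
    return elem.tag == "AuthSource" and DEFAULT_NAME.match(elem.get("name", "").strip()) is not None


def strip_default_auth_sources(xml_text):
    """Return (cleaned_xml, removed_names) with every default AuthSource removed."""
    root = ET.fromstring(xml_text)
    # Build the parent map first; mutating the tree while iterating over it is unsafe.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    removed = []
    for elem in list(root.iter("AuthSource")):
        parent = parent_of.get(elem)
        if parent is not None and is_default_source(elem):
            parent.remove(elem)
            removed.append(elem.get("name"))
    return ET.tostring(root, encoding="unicode"), removed


def remaining_source_names(xml_text):
    """List the name attribute of every AuthSource still present, in document order."""
    root = ET.fromstring(xml_text)
    return [e.get("name") for e in root.iter("AuthSource")]


if __name__ == "__main__":
    # Usage: python strip_defaults.py export.xml > export-cleaned.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    cleaned, removed = strip_default_auth_sources(text)
    for name in removed:
        print(f"removed default source {name}", file=sys.stderr)
    print(cleaned)
```

Run it against the copy of the export, review the names listed on stderr, and import only the cleaned file. Matching on the bracketed name rather than on a fixed list means the script also handles default sources the page does not enumerate, at the cost of removing any custom source an administrator happened to name with surrounding brackets, which the stderr report makes visible.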

Tunneled and Non-Tunneled Authentication Methods

Refer to the following list of tunneled and non-tunneled authentication methods Policy Manager supports:

Default Authentication Sources

The following table describes the predefined Policy Manager authentication sources that are part of the Policy Manager local SQL database. These default authentication sources appear in brackets; they cannot be copied or deleted.

Table 2: Local Authentication Sources

| Authentication Source Name | Description |
|---|---|
| [Admin User Repository] | Authenticates users against the Policy Manager admin user database. |
| [Denylist User Repository] | Contains blocked users who have exceeded bandwidth or session-related limits. |
| [Endpoints Repository] | Authenticates endpoints against the local Policy Manager database. Supported filter categories: Authentication, Status, Profile, Fingerprint, MAC caching. |
| [Guest Device Repository] | Authenticates Guest devices against the local Policy Manager database. Supported filter queries: Authentication, Device Role ID, Device MPSK, Authorization. |
| [Guest User Repository] | Authenticates Guest users against the local Policy Manager database. Supported filter queries: Authentication, Authorization. |
| [Insight Repository] | Insight database with session information for users and devices. Supported filter queries: WebAuth check, MAC caching, Successful login count since midnight, Active sessions, Online status, Daily duration, Weekly duration, Monthly duration. |
| [Local User Repository] | Authenticates users against the Policy Manager local user database. |
| [Onboard Devices Repository] | Authenticates Onboard devices against the local Policy Manager database. |
| [Social Login Repository] | Authenticates users against the Policy Manager Social Login database. Supported filter queries: Authentication, Social. |
| [Time Source] | Authorization source for implementing various time functions. |