Users Guide

Dell Networking W-ClearPass Policy Manager 6.4 | User Guide Authentication and Authorization | 127
Chapter 7
Authentication and Authorization
As a first step in Service-based processing, Policy Manager uses an authentication method to authenticate the
user or device against an authentication source. After the user or device is authenticated, Policy Manager
fetches attributes for Role Mapping policies from the authorization sources associated with this authentication
source. For more information, see:
• Authentication and Authorization Architecture and Flow on page 127
• Configuring Authentication Components on page 128
• Adding and Modifying Authentication Methods on page 130
• Adding and Modifying Authentication Sources on page 154
Authentication and Authorization Architecture and Flow
Policy Manager divides the architecture of authentication and authorization into the following three
components:
• Authentication Method
• Authentication Source
• Authorization Source
Authentication Method
Policy Manager initiates the authentication handshake by sending available methods in priority order until the
client accepts a method or until the client rejects the last method (with NAKs) with the following possible
outcomes:
◦ Successful negotiation returns a method, which is used to authenticate the client against the Authentication Source.
◦ Where no method is specified (for example, for unmanageable devices), Policy Manager passes the request to the next configured policy component for this service.
◦ Policy Manager rejects the connection.
An authentication method is configurable only for some service types (refer to Policy Manager Service Types on
page 98). All 802.1X services (wired and wireless) have an associated authentication method. An authentication
method of type MAC_AUTH can be associated with the MAC authentication service type.
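The three negotiation outcomes listed above, modelled as an added example. This is constructed simulation code, not Policy Manager's own implementation: the method names (EAP-TLS, EAP-PEAP, EAP-MD5) are sample values, and the client is reduced to the set of methods it will accept, so every method outside that set is answered with a NAK.

```python
"""Constructed simulation of Policy Manager's method negotiation (not ClearPass code).
The server walks its configured methods in priority order; the client accepts the
first one it supports and NAKs the rest. Method names are assumed sample values."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Outcome(Enum):
    AUTHENTICATE = "method negotiated; authenticate client against the Authentication Source"
    NEXT_COMPONENT = "no method configured; pass request to the next policy component"
    REJECT = "client NAKed every offered method; reject the connection"


@dataclass
class Negotiation:
    outcome: Outcome
    method: Optional[str] = None
    naks: List[str] = field(default_factory=list)  # methods the client refused, in offer order


def negotiate(configured_methods: List[str], client_supported: Set[str]) -> Negotiation:
    """Offer methods in priority order (list order) until the client accepts one
    or has NAKed the last one."""
    if not configured_methods:
        # Service with no method, e.g. for unmanageable devices: nothing to negotiate.
        return Negotiation(Outcome.NEXT_COMPONENT)
    naks: List[str] = []
    for method in configured_methods:
        if method in client_supported:
            return Negotiation(Outcome.AUTHENTICATE, method, naks)
        naks.append(method)  # client answered with a NAK; try the next method
    return Negotiation(Outcome.REJECT, None, naks)


if __name__ == "__main__":
    # Constructed sample: server prefers EAP-TLS, client only has PEAP and MD5.
    result = negotiate(["EAP-TLS", "EAP-PEAP", "EAP-MD5"], {"EAP-PEAP", "EAP-MD5"})
    print(result.outcome.value, result.method, result.naks)
    print(negotiate([], {"EAP-PEAP"}).outcome.value)
    print(negotiate(["EAP-TLS"], {"EAP-PEAP"}).outcome.value)
```

The `naks` list is worth keeping in a real deployment's logs: a client that repeatedly refuses the strongest configured method and settles on a weaker one is the kind of negotiation a defender wants to be able to see.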
Authentication Source
In Policy Manager, an authentication source is the identity store (Active Directory, LDAP directory, SQL DB,
token server) against which users and devices are authenticated. Policy Manager first tests whether the
connecting entity (device or user) is present in the ordered list of configured authentication sources. Policy
Manager looks for the device or user by executing the first filter associated with each authentication source.
After the device or user is found, Policy Manager authenticates this entity against that authentication
source. The flow is outlined below:
On successful authentication, Policy Manager moves on to the next stage of policy evaluation, which collects
role mapping attributes from the authorization sources.
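The ordered-source lookup described above, followed by the attribute collection that the chapter introduction assigns to the authorization sources linked to the matching authentication source, as an added example. This is constructed simulation code, not ClearPass code: the identity stores are in-memory dictionaries, the "first filter" is a plain key lookup, the source and user names are sample values, and one behaviour is an assumption the page does not state, namely that an entity found in a source whose credentials then fail is rejected rather than tried against later sources.

```python
"""Constructed simulation of the ordered authentication-source lookup (not ClearPass code).
Identity stores are in-memory dicts; the 'first filter' is a key lookup."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _hash(secret: str, salt: bytes) -> bytes:
    # Low iteration count keeps the example fast; raise it for real password storage.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)


def make_record(secret: str, attrs: Dict) -> Dict:
    salt = b"constructed-fixed-salt"  # fixed so the sample is deterministic; use os.urandom() in practice
    return {"salt": salt, "pw_hash": _hash(secret, salt), "attrs": dict(attrs)}


@dataclass
class AuthSource:
    name: str
    records: Dict[str, Dict]                      # identity -> record from make_record()
    authz_sources: List[str] = field(default_factory=list)  # linked authorization sources

    def first_filter(self, identity: str) -> Optional[Dict]:
        """Is the connecting entity present in this store?"""
        return self.records.get(identity)

    def verify(self, identity: str, secret: str) -> bool:
        rec = self.records[identity]
        return hmac.compare_digest(_hash(secret, rec["salt"]), rec["pw_hash"])


# Constructed authorization sources: name -> identity -> role-mapping attributes.
AUTHZ_STORES: Dict[str, Dict[str, Dict]] = {
    "ad-groups": {"alice": {"memberOf": ["staff"]}},
    "guest-db": {"bob": {"sponsor": "alice"}},
}

# Constructed ordered list of authentication sources (sample names and users).
SOURCES: List[AuthSource] = [
    AuthSource("corp-ad", {"alice": make_record("correct horse", {"department": "eng"})}, ["ad-groups"]),
    AuthSource("local-sql", {"bob": make_record("guest-pass", {"guest": True})}, ["guest-db"]),
]


def authenticate(identity: str, secret: str, sources: List[AuthSource]) -> Optional[Dict]:
    """Walk sources in order; authenticate against the first one that holds the entity,
    then collect attributes from that source's linked authorization sources."""
    for src in sources:
        record = src.first_filter(identity)
        if record is None:
            continue                      # not in this store: try the next source
        if not src.verify(identity, secret):
            return None                   # assumption: found but credentials fail -> reject
        attrs = dict(record["attrs"])
        for authz in src.authz_sources:   # next stage: role-mapping attributes
            attrs.update(AUTHZ_STORES.get(authz, {}).get(identity, {}))
        return {"source": src.name, "attributes": attrs}
    return None                           # not found in any configured source


if __name__ == "__main__":
    print(authenticate("alice", "correct horse", SOURCES))
    print(authenticate("bob", "guest-pass", SOURCES))
    print(authenticate("alice", "wrong", SOURCES))
    print(authenticate("carol", "anything", SOURCES))
```

The ordering matters for policy, not just for performance: an identity that exists in more than one store is always evaluated against the earlier source, so the position of a guest or local store relative to the directory decides which credentials and which attributes apply.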