Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

I am struggling to get my Meraki APs to work with my SonicWall RADIUS Accounting SSO feature.

This is because the initial RADIUS Accounting Start packet does not contain the Framed-IP-Address attribute.

Is it possible to use IP helpers on the VLAN to forward DHCP requests to the CPPM so that the profiler captures the endpoint IP address, and then use that value to add the missing VSA in the RADIUS proxy settings that then forward to the SonicWall?

I have been waiting 20 months for Meraki to resolve this rather annoying behavior.

I am desperate to deploy a smooth and functional 802.1X-based SSO solution.

Re: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

> This is because the initial Radius Accounting Start packet does not contain the Framed-IP-Address attribute.

Of course it doesn't. It shouldn't. RADIUS sessions start before IP address configuration starts.

Does the SonicWall not have any other mechanism by which to map IP addresses to MAC addresses other than RADIUS accounting? If not, that's what you should be complaining about.

Re: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

We used CPPM's syslog output to map username to IP address when we were managing bandwidth at our Internet edge. There is a few-minute delay before the messages are sent, though.

Bruce Osborne - Wireless Engineer
ACCP, ACMP

Re: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

Bjulin - I understand your comment, but other vendors (like Aerohive) have provided solutions to overcome the limitations of the venerable RADIUS RFCs that make sure 3rd-party devices are informed of the client IP address within seconds of their connection. As far as I understand, Aruba wireless controllers also have this capability?

I asked quite a specific question. Take it as read that I am already in deep discussion with Meraki and SonicWall, which is why I am now looking at CPPM for a possible solution / workaround.

Re: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

Thanks bosborne. I am trying to get the delay in updating the firewall to less than 15 seconds, so the syslog route looks too high-latency, but good input.

Thank you.
Re: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

Aruba APs will populate this field, but I do not believe they do so on the first Accounting packet, rather on subsequent ones... I have not bothered to look, though.

Note that there are some vendors where RADIUS Accounting sessions do not end when they should, so if a client moved from one NAS to another you can have conflicting Accounting packets arriving -- one from the NAS serving the client, and one from a stale session from the old NAS.

DHCP syslog really should not take very long to propagate, if you forward it directly from a good server. If your DHCP server or syslog relay is some sort of Java monstrosity that delays logs for several seconds, maybe consider better servers in these roles.

We use a built-in DHCP packet sniffer on our NAC, but if it had a syslog receiver built-in, we would use that instead... it is the most simple and direct solution.

Re: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

Thanks bjulin. I have a ClearPass Policy Manager acting as the RADIUS accounting proxy between the NAS (which is the AP) and the firewall. I am new to ClearPass, but believe that the profiler can be configured to use DHCP snooping. If that is the case then the profiler would know the IP address of the endpoint.

The ClearPass RADIUS accounting proxy can be configured to add or update vendor-specific attributes such as the Framed-IP-Address.

So my question is quite specific. Can the proxy use the address obtained by the profiler to populate the Framed-IP-Address VSA?
Re: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

It's a long shot, but you could try the following:

- Set ClearPass as one of the helper addresses so that it can learn the client device's IP address.

- Enable interim-accounting in the WLAN infra. The device doesn't have an IP address when the accounting-start comes from the NAS, so ClearPass won't know about the IP address at this point. Therefore, it would only add the IP (in case this works) to subsequent accounting messages.

- Add the following additional field to the accounting traffic: Radius:IETF - Framed-IP-Address - %{Authorization:[Endpoint Attributes]:IP Address}

(Screenshot attached: Screen Shot 2017-08-05 at 09.06.04.png)

As I said before, this is a long shot, and the worst part is that I can't really test it. As somebody said before, as soon as I enable RADIUS Accounting in my Aruba WLAN it will send the Framed-IP-Address as part of the acct message.

So, keep in mind that even if this works, it can't be considered a supported solution (Meraki does strange stuff with the accounting). The supported solution would be to use a WLAN infrastructure capable of something as basic as sending a "Framed-IP-Address".


Samuel Pérez
ACMP, ACCP, ACDX#100

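As an added example (not code from the thread, nor from Meraki, SonicWall or ClearPass), the mechanism sperez describes, done by hand in Python: a relayed DHCP ACK, as an ip-helper would deliver it, teaches the proxy a MAC-to-IP map; an Accounting-Request from the NAS that lacks Framed-IP-Address (IETF attribute 8) is checked against the NAS shared secret, gets the attribute appended when the client MAC is known, and is re-signed for the downstream server as RFC 2866 requires. The Accounting Start arrives before the DHCP ACK and is forwarded unchanged; the Interim-Update after it carries the address. The secrets, MAC, IP address and packets are constructed for illustration, and nothing here models ClearPass internals.

```python
"""Added example, not code from the thread or from ClearPass: learn client IPs from
relayed DHCP ACKs, add Framed-IP-Address to accounting packets that lack it, re-sign.
Secrets, addresses and packets are constructed for illustration."""
import hashlib
import struct
from ipaddress import IPv4Address

ACCT_REQUEST = 4                                            # RADIUS packet code (RFC 2866)
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS = 1, 8
ATTR_CALLING_STATION_ID, ATTR_ACCT_STATUS_TYPE = 31, 40     # client MAC; Start/Interim/Stop
ACCT_START, ACCT_INTERIM = 1, 3
DHCP_MAGIC = b"\x63\x82\x53\x63"                            # BOOTP vendor magic cookie
DHCP_MSG_TYPE, DHCP_ACK, DHCP_END = 53, 5, 255

def normalize_mac(mac):
    """NASes format Calling-Station-Id differently (00-11-.. vs 00:11:..); compare bare hex."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def parse_dhcp_ack(payload):
    """Return (mac, ip) from a relayed BOOTREPLY/DHCPACK, or None for anything else."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    if payload[0] != 2 or payload[2] != 6:                  # op=BOOTREPLY, hlen=6 (Ethernet)
        return None
    ip = str(IPv4Address(payload[16:20]))                   # yiaddr: the address handed out
    mac = payload[28:34].hex(":")                           # chaddr
    i = 240
    while i < len(payload) and payload[i] != DHCP_END:      # walk TLV options
        if payload[i] == 0:                                 # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == DHCP_MSG_TYPE and payload[i + 2:i + 2 + length] == bytes([DHCP_ACK]):
            return mac, ip
        i += 2 + length
    return None

def parse_radius(pkt):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs

def build_acct_request(ident, attrs, secret):
    """RFC 2866 s3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_acct_request(pkt, secret):
    """True if the Accounting-Request was signed with this shared secret."""
    return hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest() == pkt[4:20]

def enrich_accounting(pkt, mac_to_ip, secret_nas, secret_server):
    """Proxy step: verify the NAS signature, add Framed-IP-Address if known, re-sign downstream."""
    if not verify_acct_request(pkt, secret_nas):
        raise ValueError("Accounting-Request failed authenticator check; dropping")
    code, ident, _, attrs = parse_radius(pkt)
    if code != ACCT_REQUEST:
        raise ValueError("not an Accounting-Request")
    added = False
    if not any(t == ATTR_FRAMED_IP_ADDRESS for t, _ in attrs):   # NAS already sent it: pass through
        mac = next((v.decode("ascii") for t, v in attrs if t == ATTR_CALLING_STATION_ID), None)
        ip = mac_to_ip.get(normalize_mac(mac)) if mac else None
        if ip is not None:                                  # unknown at Start; known by Interim
            attrs.append((ATTR_FRAMED_IP_ADDRESS, IPv4Address(ip).packed))
            added = True
    return build_acct_request(ident, attrs, secret_server), added

def make_dhcp_ack(mac, ip):
    """Constructed DHCPACK: only the fields parse_dhcp_ack reads are filled in."""
    hdr = bytearray(240)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                        # BOOTREPLY, Ethernet, hlen 6
    hdr[16:20] = IPv4Address(ip).packed
    hdr[28:34] = mac
    hdr[236:240] = DHCP_MAGIC
    return bytes(hdr) + bytes([DHCP_MSG_TYPE, 1, DHCP_ACK, DHCP_END])

def demo():
    """Start arrives before DHCP (no IP yet); the Interim-Update after the ACK gets one."""
    secret_nas, secret_fw = b"nas-shared-secret", b"firewall-shared-secret"   # constructed
    mac_to_ip = {}
    common = [(ATTR_USER_NAME, b"alice"), (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")]
    start = build_acct_request(1, [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))] + common, secret_nas)
    _, added_at_start = enrich_accounting(start, mac_to_ip, secret_nas, secret_fw)
    mac, ip = parse_dhcp_ack(make_dhcp_ack(bytes.fromhex("001122334455"), "10.20.30.40"))
    mac_to_ip[normalize_mac(mac)] = ip                      # what the ip-helper relay teaches us
    interim = build_acct_request(2, [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_INTERIM))] + common, secret_nas)
    fwd, added_at_interim = enrich_accounting(interim, mac_to_ip, secret_nas, secret_fw)
    _, _, _, out_attrs = parse_radius(fwd)
    framed = next(str(IPv4Address(v)) for t, v in out_attrs if t == ATTR_FRAMED_IP_ADDRESS)
    return added_at_start, added_at_interim, framed, verify_acct_request(fwd, secret_fw)
```

Two points the code makes that the thread only implies: the proxy must re-compute the Request Authenticator because the downstream server has a different shared secret and the attribute list changed, and a Start that arrives before the DHCP ACK cannot be enriched at all, so the downstream side only learns the address once interim accounting is enabled on the NAS. Verifying the inbound authenticator before trusting a Calling-Station-Id is what stops an unauthenticated packet from poisoning the firewall's user-to-IP table.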

Re: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

Hi sperez, that sounds like the solution I was hunting for. Are there any guides on configuring CPPM to use DHCP snooping?

Is there any way you can configure the RADIUS accounting proxy to delay proxying the packet until the endpoint IP address is known through the snooping?

I can set up the IP helpers on the VLANs easily enough, it is just the CPPM I am new to.
Re: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

Putting any CPPM node as a helper address results in ClearPass profiling. You do need to go into system manager for the ClearPass node and check the checkbox for endpoint profiling, but that's it.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University