Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

A10 networks thunder Radius dictionary file settings clearpass

  • 1.  A10 networks thunder Radius dictionary file settings clearpass

    Posted Jun 21, 2016 11:23 AM

    Here is the A10 Networks dictionary file I made to import into ClearPass.

     

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Tue Jun 21 12:10:27 CEST 2016" version="6.6"/>
      <Dictionaries>
        <Vendor vendorEnabled="true" prefix="A10-Networks" name="Radius:A10-Networks" id="22610">
          <RadiusAttributes>
            <Attribute profile="in out" type="String" name="A10-App-Name" id="1"/>
            <Attribute profile="in out" type="Unsigned32" name="A10-Admin-Privilege" id="2"/>
            <Attribute profile="in out" type="String" name="A10-Admin-Partition" id="3"/>
            <Attribute profile="in out" type="String" name="A10-Admin-Access-Type" id="4"/>
            <Attribute profile="in out" type="String" name="A10-Admin-Role" id="5"/>
          </RadiusAttributes>
        </Vendor>
      </Dictionaries>
    </TipsContents>

     

    Kind regards Igor



  • 2.  RE: A10 networks thunder Radius dictionary file settings clearpass

    Posted Feb 19, 2018 03:30 PM

    Where did you find the documentation for this?



  • 3.  RE: A10 networks thunder Radius dictionary file settings clearpass

    Posted Oct 24, 2019 07:35 PM

    Just wanted to say thanks!  This dictionary has all of the RADIUS attributes we needed for our A10 and works great. 

     

    Note that ClearPass has a RADIUS limitation when using A10 appliances.  If you need to send back multiple A10-Admin-Partition RADIUS attributes, which the A10 appliance wants if you are assigning partition permissions dynamically via RADIUS, it won't work.  We were able to have ClearPass assign multiple enforcement profiles with the appropriate A10-Admin-Partition attributes; however, ClearPass will only send back one A10-Admin-Partition attribute (as of 6.8.3).  Apparently there is no way to set the enforcement policy RADIUS reply to use a += value rather than an = value as required by the A10.  The only current solution is to use TACACS+ instead of RADIUS because you can put multiple partition values in the TACACS+ reply.

     

     

    More info from the A10 manual:

     

    To authorize an administrator for access to multiple partitions, use the following RADIUS syntax (not working in ClearPass):

    A10-Admin-Partition = "partition-name1"
    A10-Admin-Partition += " partition-name2"
    A10-Admin-Partition += " partition-name3"
    A10-Admin-Partition += " partition-name4"

     

    To authorize an administrator to access multiple partitions, use the following TACACS+ syntax (working in ClearPass):
    a10-partition = partition-name1,partition-name2,partition-name3,partition-name4
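
Added example, not part of the posts above: a Python check that counts the A10-Admin-Partition attributes in a RADIUS reply (for instance the UDP payload taken from a packet capture of the Access-Accept), using vendor id 22610 and attribute id 3 from the dictionary in post 1. It assumes each `+=` line in the manual's syntax means one separate attribute instance, as in FreeRADIUS users-file syntax; the function names and the sample replies are constructed for illustration.

```python
import struct

A10_VENDOR_ID = 22610      # vendor id from the dictionary in post 1
A10_ADMIN_PARTITION = 3    # A10-Admin-Partition attribute id in that dictionary
VENDOR_SPECIFIC = 26       # RADIUS Vendor-Specific attribute type (RFC 2865)

def encode_vsa(vendor_type, value):
    """Encode one string-valued A10 attribute as a Vendor-Specific attribute."""
    data = value.encode("utf-8")
    if len(data) > 247:  # 255 minus attribute, vendor-id and sub-attribute headers
        raise ValueError("value too long for a single VSA")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, A10_VENDOR_ID) + sub

def build_access_accept(partitions):
    """Constructed sample reply: Access-Accept (code 2), id 1, zeroed authenticator."""
    body = b"".join(encode_vsa(A10_ADMIN_PARTITION, p) for p in partitions)
    return struct.pack("!BBH16s", 2, 1, 20 + len(body), b"") + body

def admin_partitions(packet):
    """Return every A10-Admin-Partition value carried in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != A10_VENDOR_ID:
            continue
        sub = 4
        while sub + 2 <= len(value):  # a VSA may pack several sub-attributes
            sub_type, sub_len = value[sub], value[sub + 1]
            if sub_len < 2 or sub + sub_len > len(value):
                raise ValueError("malformed vendor sub-attribute")
            if sub_type == A10_ADMIN_PARTITION:
                found.append(value[sub + 2:sub + sub_len].decode("utf-8"))
            sub += sub_len
    return found

if __name__ == "__main__":
    for names in (["partition-name1"], ["partition-name1", "partition-name2"]):
        print(admin_partitions(build_access_accept(names)))
```

A reply that returns fewer partition names than the enforcement profiles were meant to assign shows the single-attribute behaviour described in post 3.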