Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Access to clearpass inner-tunnel User-Name attribute

  • 1.  Access to clearpass inner-tunnel User-Name attribute

    Posted Jun 08, 2015 11:35 AM

    When authenticating users via our FreeRadius service, I've got access to the EAP inner-tunnel User-Name attribute, so I can check that it's a valid format, e.g. <userid>@york.ac.uk, or block access for individual users. With the eduroam network, the correct way to configure your client machine is to have your "realm" as the outer User-Name (@york.ac.uk in our case) and use your real userid in the inner-tunnel. The outer User-Name is therefore only "routing" information if you are at a remote site, so you don't need to have the user component bit before the "@".


    While you should be able to use the chargeable-user-identity to disconnect offending users at remote sites, sometimes it's good to control access using the inner-tunnel User-Name.


    Can't see any way of generating Roles or setting up enforcement policies based upon inner-tunnel User-Name attribute. Is this possible?


    Rgds

    A
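The check described in this post, as an added example that is not part of the thread: a home RADIUS server evaluates an eduroam-style EAP request by treating the outer User-Name as routing only and applying the format check and per-user block to the inner-tunnel User-Name. The realm, userid format, blocklist and sample requests are assumptions constructed for illustration.

```python
# Added example: inner/outer identity policy for an eduroam-style EAP request.
# HOME_REALM, the userid regex, the blocklist and the samples are all assumed.
import re
from dataclasses import dataclass

HOME_REALM = "york.ac.uk"  # assumed home realm, as in the post
# Assumed userid format: 3-8 lowercase alphanumerics, followed by the home realm.
INNER_USER_RE = re.compile(r"^[a-z0-9]{3,8}@" + re.escape(HOME_REALM) + r"$")
BLOCKED_USERS = {"abc123@york.ac.uk"}  # constructed blocklist of inner identities


@dataclass
class EapRequest:
    outer_user_name: str  # outer (phase 1) User-Name: realm only, routing information
    inner_user_name: str  # inner-tunnel (phase 2) User-Name: the real identity


def realm_of(user_name: str) -> str:
    """Return the realm after the last '@' (lower-cased), or '' if there is none."""
    return user_name.rsplit("@", 1)[1].lower() if "@" in user_name else ""


def evaluate(req: EapRequest) -> tuple[str, str]:
    """Return (decision, reason) for a request arriving at the home RADIUS server."""
    outer_realm = realm_of(req.outer_user_name)
    if outer_realm != HOME_REALM:
        # Foreign realm: this would be proxied onward, and the inner identity
        # is only visible to the user's home server, never to the visited site.
        return ("PROXY", f"outer realm {outer_realm!r} is not {HOME_REALM!r}")
    if realm_of(req.inner_user_name) != HOME_REALM:
        # Inner identity must belong to the realm the outer identity routed to.
        return ("REJECT", "inner User-Name realm does not match the home realm")
    if not INNER_USER_RE.match(req.inner_user_name):
        return ("REJECT", "inner User-Name is not a valid userid@realm")
    if req.inner_user_name in BLOCKED_USERS:
        return ("REJECT", "inner User-Name is blocked")
    return ("ACCEPT", "inner identity is valid")


if __name__ == "__main__":
    # Constructed sample requests covering each branch of the policy.
    samples = [
        EapRequest("anonymous@york.ac.uk", "abc12@york.ac.uk"),   # valid local user
        EapRequest("@york.ac.uk", "abc123@york.ac.uk"),           # blocked local user
        EapRequest("anonymous@york.ac.uk", "bob@other.ac.uk"),    # realm mismatch
        EapRequest("anonymous@york.ac.uk", "Not A User@york.ac.uk"),  # bad format
        EapRequest("anonymous@other.ac.uk", "bob@other.ac.uk"),   # foreign realm
    ]
    for s in samples:
        print(s.outer_user_name, s.inner_user_name, "->", evaluate(s))
```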




  • 2.  RE: Access to clearpass inner-tunnel User-Name attribute

    EMPLOYEE
    Posted Jun 08, 2015 07:36 PM

    You were able to see the inner identity for visiting users? That doesn't seem right.


    Radius:IETF:User-Name should give you the inner identity for your local users.



  • 3.  RE: Access to clearpass inner-tunnel User-Name attribute

    Posted Jun 09, 2015 03:21 AM
    No, not visiting users, you can't see that; for our users, either on site or auths coming in from external sites.
    A

    Sent from my iPhone 6 plus