Super Contributor I
Posts: 289
Registered: ‎02-07-2013

Access to clearpass inner-tunnel User-Name attribute

When authenticating users via our FreeRadius service, I've got access to the EAP inner-tunnel User-Name attribute, so I can check that it's a valid format, e.g. <userid>@york.ac.uk, or block access for individual users. With the eduroam network, the correct way to configure your client machine is to have your "realm" as the outer User-Name (@york.ac.uk in our case) and use your real userid in the inner-tunnel. The outer User-Name is therefore only "routing" information if you are at a remote site, so you don't need to have the user component bit before the "@".

 

While you should be able to use the chargeable-user-identity to disconnect offending users at remote sites, sometimes it's good to control access using the inner-tunnel User-Name.

 

Can't see any way of generating Roles or setting up enforcement policies based upon inner-tunnel User-Name attribute. Is this possible?

 

 

Rgds

A
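An added illustration, not part of the original thread and not FreeRADIUS or ClearPass configuration: the inner-identity checks described in the post above (format check, realm consistency with the outer identity, per-user block), written as a stand-alone Python function. The userid pattern, the blocklist entry, the case-insensitive comparison and the function names are assumptions made for the example.

```python
import re

HOME_REALM = "york.ac.uk"  # realm named in the post
# Assumed userid shape (letters then digits); the post only says "<userid>@york.ac.uk".
INNER_RE = re.compile(r"(?P<user>[a-z]{1,8}[0-9]{1,4})@(?P<realm>[a-z0-9.-]+)")
BLOCKED_USERS = {"abc123"}  # constructed sample entry


def split_nai(identity):
    """Split 'user@realm' at the last '@'; the realm is lower-cased."""
    identity = identity.strip()
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, ""
    return user, realm.lower()


def check_identities(outer, inner):
    """Return (allowed, reason) for one EAP authentication."""
    # The outer identity is routing information only: its user part may be
    # empty or anonymous, so only the realm is inspected.
    _, outer_realm = split_nai(outer)
    if outer_realm != HOME_REALM:
        return False, "outer realm is not ours"
    # The inner identity carries the real userid and is the one to validate.
    m = INNER_RE.fullmatch(inner.strip().lower())
    if m is None:
        return False, "inner identity has invalid format"
    if m.group("realm") != outer_realm:
        return False, "inner realm differs from outer realm"
    if m.group("user") in BLOCKED_USERS:
        return False, "user is blocked"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample (outer, inner) pairs.
    samples = [
        ("@york.ac.uk", "xyz789@york.ac.uk"),
        ("anonymous@york.ac.uk", "abc123@york.ac.uk"),
        ("@york.ac.uk", "xyz789"),
        ("@york.ac.uk", "xyz789@example.org"),
    ]
    for outer, inner in samples:
        print(outer, inner, check_identities(outer, inner))
```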

 

Guru Elite
Posts: 8,000
Registered: ‎09-08-2010

Re: Access to clearpass inner-tunnel User-Name attribute


You were able to see the inner identity for visiting users? That doesn't seem right.

 

Radius:IETF:User-Name should give you the inner identity for your local users.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor I
Posts: 289
Registered: ‎02-07-2013

Re: Access to clearpass inner-tunnel User-Name attribute

No, not visiting users, you can't see that; for our users, either on site or auths coming in from external sites.
A

Sent from my iPhone 6 plus