
Accounting Proxy - CPPM Class and Filter-ID Attributes - How to send Aruba-User-Group equivalent

Hello,

Here is the situation.

I want to send, one way or another, the equivalent of my "Radius:Aruba:Aruba-User-Role" through the accounting proxy to my Fortigate.

The problem is, I cannot use an added Class attribute sent to my IAP, because ClearPass already sends a "built-in" Class attribute, and when it receives it back it breaks the optional accounting proxy service and we also lose the Accounting tab in the Access Tracker.

The Filter-ID attribute, when added as a RADIUS attribute and sent through the IAP, is not sent back as accounting to ClearPass.

Another problem is that I want to use ClearPass to enable dot1x on my Brocade switches too. The Filter-ID is used to push the ACL number to apply on the authenticated port, so I would have to use the broken Class attribute. (Fortigate can only use 1 specific attribute to attach the user group, so it's either Class or Filter-ID.)

Adding an attribute directly through the "Accounting Proxy" tab of the service is possible, but I don't know how to send the variable which will equal the "Radius:Aruba:Aruba-User-Role".

The Technote suggests sending "%{Tips:Role}"; unfortunately I do not have a single role. I use multiple {Tips:Role} values to build a more specific Enforcement Profile which contains the group I want to send.

I don't know how I could effectively work this issue.