Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Accounting Proxy - CPPM Class and Filter-ID Attributes - How to send Aruba-User-Group equivalent

  • 1.  Accounting Proxy - CPPM Class and Filter-ID Attributes - How to send Aruba-User-Group equivalent

    Posted Jun 11, 2018 10:41 AM

    Hello,

     

    Here is the situation.

    I want to send, one way or another, the equivalent of my "Radius:Aruba:Aruba-User-Role" through the accounting proxy to my Fortigate.

     

    The problem is, I cannot use an added Class attribute sent to my IAP because ClearPass already sends a "built-in" Class attribute, and when it receives it back it breaks the optional accounting proxy service and we also lose the accounting tab in the Access Tracker.

     

    The attribute Filter-ID, when added as a RADIUS attribute and sent through the IAP, is not sent back as accounting to the ClearPass.

    Another problem is that I want to use ClearPass to enable dot1x on my Brocade switches too. The Filter-ID is used to push the ACL number to apply on the authenticated port, so I would have to use the broken Class attribute. (Fortigate can only use one specific attribute to attach the user group, so it's either Class or Filter-ID.)

     

    Adding an attribute directly through the "Accounting proxy" tab of the service is possible, but I don't know how to send the variable which will equal the "Radius:Aruba:Aruba-User-Role".

    The Technote suggests sending "%{Tips:Role}"; unfortunately I do not have a single role, I use multiple {Tips:Role} to build a more specific Enforcement Profile which contains the group I want to send.

     

    I don't know how I could effectively work around this issue.


  • 2.  RE: Accounting Proxy - CPPM Class and Filter-ID Attributes - How to send Aruba-User-Group equivalent

    Posted Aug 14, 2018 10:11 PM

    Were you able to figure this out?  I'm looking for similar solutions with FortiGates.



  • 3.  RE: Accounting Proxy - CPPM Class and Filter-ID Attributes - How to send Aruba-User-Group equivalent

    Posted Aug 15, 2018 09:04 AM
    No solution to this problem when I asked TAC.

    The Class attribute added by ClearPass is the accounting session ID.


    You use the Class attribute in your enforcement profile and work with the broken accounting tab. Don't use the accounting proxy function. That's for the Aruba 802.1X Wireless service.



    Isael Harvey-Berthelot



  • 4.  RE: Accounting Proxy - CPPM Class and Filter-ID Attributes - How to send Aruba-User-Group equivalent

    Posted Aug 15, 2018 02:47 PM

    Instead of sending Class to the Fortigate, send Filter-Id.

     

    Under the Accounting Proxy tab of the Service Profile, add the following RADIUS attributes:

     

    Type = Radius:IETF

    Name = Filter-ID

    Value = whatever value you want to send.

     

    Then on the Fortigate RSSO Agent user, change the sso-attribute to Filter-Id:

     

    config user radius
        edit "RSSO_Agent"
            set sso-attribute Filter-Id
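    What the FortiGate side is actually keying on is one attribute of the RADIUS Accounting-Request that the ClearPass accounting proxy forwards. As an added example (not code from the thread, ClearPass, or Fortinet), the script below builds a constructed Acct-Start packet carrying both a Class value and a Filter-Id, verifies the RFC 2866 Request Authenticator the way a receiver should before trusting any attribute, walks the attribute TLVs with length checks, and then picks the group the way the `sso-attribute` setting selects it. The `rsso_group` function is an assumption about that selection rule, the shared secret and the session-ID-shaped Class value are constructed, and the Class value stands in for the session identifier that the earlier reply says ClearPass puts there.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCOUNTING_REQUEST = 4          # RADIUS packet code (RFC 2866)
ACCT_STATUS_START = 1
# IETF attribute type numbers used in this example (RFC 2865/2866)
ATTR_TYPE = {"User-Name": 1, "Framed-IP-Address": 8, "Filter-Id": 11,
             "Class": 25, "Acct-Status-Type": 40, "Acct-Session-Id": 44}
TYPE_NAME = {v: k for k, v in ATTR_TYPE.items()}


def encode_attr(name: str, value: bytes) -> bytes:
    """Type (1 octet), Length (1 octet, includes the 2 header octets), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", ATTR_TYPE[name], len(value) + 2) + value


def build_accounting_request(identifier: int, attrs: List[Tuple[str, bytes]],
                             secret: bytes) -> bytes:
    """Accounting-Request with the RFC 2866 Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(encode_attr(n, v) for n, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: recompute the authenticator and compare in constant time."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[str, bytes]]:
    """Walk the attribute TLVs, rejecting truncated or overlong entries."""
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((TYPE_NAME.get(a_type, f"Attr-{a_type}"), packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def rsso_group(packet: bytes, secret: bytes, sso_attribute: str = "Filter-Id") -> Optional[str]:
    """Assumed RSSO rule: one configured attribute of a *verified* Accounting-Request
    is taken as the user group name; anything unverified yields no group."""
    if not verify_accounting_request(packet, secret):
        return None
    for name, value in parse_attributes(packet):
        if name == sso_attribute:
            return value.decode("utf-8", errors="replace")
    return None


# Constructed sample: an Acct-Start as the accounting proxy would forward it.
# The Class value is a made-up session identifier (per the thread, ClearPass's own
# Class carries the accounting session ID); Filter-Id carries the group name.
SECRET = b"example-shared-secret"          # constructed, not a real secret
SAMPLE_START = build_accounting_request(17, [
    ("User-Name", b"teacher01"),
    ("Framed-IP-Address", bytes([10, 20, 30, 40])),
    ("Acct-Status-Type", struct.pack("!I", ACCT_STATUS_START)),
    ("Acct-Session-Id", b"R0000000a-01-5b1e0d2f"),
    ("Class", b"R0000000a-01-5b1e0d2f"),
    ("Filter-Id", b"Teacher"),
], SECRET)

if __name__ == "__main__":
    print("group via Filter-Id:", rsso_group(SAMPLE_START, SECRET))
    print("group via Class    :", rsso_group(SAMPLE_START, SECRET, "Class"))
```

Running it shows the point of the reply: with `sso-attribute Filter-Id` the group is "Teacher", while keying on Class would hand the FortiGate a session identifier instead of a group. The authenticator check matters for the same reason: an RSSO agent that maps users to groups from accounting packets should only do so for packets that validate against the shared secret.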

     

     



  • 5.  RE: Accounting Proxy - CPPM Class and Filter-ID Attributes - How to send Aruba-User-Group equivalent

    Posted Sep 28, 2018 01:44 PM

    I have the same problem because I have several roles, but I solved it in the enforcement tab: depending on the role I'm interested in, I do a post-authentication action to set the Endpoint Description, which I then use in the accounting proxy tab to send as Filter-ID.

     

    1.- Create the Endpoint profile type Post_Authentication

     EndpointProfile.JPG

    2.- Use it on enforcement tab

     Enforcement.JPG

    3.- Send it on the Accounting tab as %{Endpoint:Description}

    Accounting.JPG

     

    It works for me.

     

    Regards



  • 6.  RE: Accounting Proxy - CPPM Class and Filter-ID Attributes - How to send Aruba-User-Group equivalent

    Posted Oct 01, 2018 02:16 PM

    Thanks for this great idea. I just tested it and realized that the post-auth endpoint update is done after the accounting has already been sent to the Fortigate.

     

    I always receive the last connection endpoint attribute.

     

    Example: A teacher logs in, disconnects, and a student logs in. The student receives the teacher's accounting information.

    The Filter-ID sent by ClearPass is the old one (Teacher) and not the new one who just connected.

     

    If anyone logs in on the same endpoint, the student group will be sent, as it has been changed by the last connection (post_auth).

     

    A brand new device won't receive any group accounting since the Filter-ID doesn't exist until the post-auth operation.

     

    Do you have the same behavior?
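    To make the ordering this reply describes concrete, here is an added toy model (not ClearPass code and not from the thread) of the stage order reported: the accounting proxy expands %{Endpoint:Description} before the post-authentication action has written the current session's role into it. The `ClearPassModel` class, the MAC addresses and the `stale_sessions` check are all assumptions made for the illustration; the check is the kind of comparison an operator can make between the Filter-Id that reached the firewall and the role shown for the same session in Access Tracker.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    description: Optional[str] = None   # stands in for %{Endpoint:Description}


class ClearPassModel:
    """Toy model (assumption) of the per-request stage order this reply reports:
    enforcement picks the role, the accounting proxy request goes out, and only
    then the post-authentication action updates the endpoint record."""

    def __init__(self) -> None:
        self.endpoints: Dict[str, Endpoint] = {}
        self.sent: List[dict] = []          # what reached the FortiGate, per session

    def authenticate(self, mac: str, role: str) -> Optional[str]:
        ep = self.endpoints.setdefault(mac, Endpoint())
        # Stage 1: accounting proxy expands %{Endpoint:Description} as it stands now
        filter_id = ep.description
        self.sent.append({"mac": mac, "session_role": role, "filter_id": filter_id})
        # Stage 2: post-auth action writes this session's role into the endpoint
        ep.description = role
        return filter_id


def stale_sessions(model: ClearPassModel) -> List[dict]:
    """Operator check: sessions whose proxied Filter-Id does not match the role
    the same session was actually given (what Access Tracker would show)."""
    return [s for s in model.sent if s["filter_id"] != s["session_role"]]


if __name__ == "__main__":
    cp = ClearPassModel()
    mac = "aa:bb:cc:dd:ee:01"              # constructed shared classroom device
    for role in ("Teacher", "Student", "Student"):
        print(f"{role:8s} session -> Filter-Id sent: {cp.authenticate(mac, role)}")
    print("mismatched sessions:", len(stale_sessions(cp)))
```

The first session on a new device sends no group at all, the second sends the previous user's group, and only a repeat login by the same role lines up, which is exactly the sequence the reply reports.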

     

     



  • 7.  RE: Accounting Proxy - CPPM Class and Filter-ID Attributes - How to send Aruba-User-Group equivalent

    Posted Mar 04, 2019 03:07 PM

    Yes, I do.