Occasional Contributor II

Accounting Proxy

Hi All


Does anybody know when the accounting proxy packets are sent to the destination?


I have an issue that the destination does not appear to be getting notified in the event of a role change.


I have a Fortiauthenticator that I am targeting as an accounting proxy.


I have a user that connects in a device provisioning role and is assigned a provisioning role on the firewall as well. This works well. 


The issue I have is that after the device has been provisioned by the MDM, they immediately re-authenticate with a different user account that has a different firewall role. The controller sees the updated role, Clearpass sees the updated role and appears to send the new role to the Fortiauthenticator, but Fortiauthenticator still sees the old role. In order for Fortiauthenticator to see the new role I have to log on to the controller and manually kill the user's session and re-authenticate the client. Once that has been done Fortiauthenticator sees the correct role and the user can access the required resources.


Does Clearpass update the accounting proxies post-auth or as part of the authentication? The process I have is to write the firewall role to an endpoint attribute post-auth. I have tried using the Tips:Role attribute but that does not appear to work either; I see the same behaviour.


Any assistance is appreciated.



Re: Accounting Proxy



If you have RADIUS accounting configured on your controller and have the "enable proxy for accounting requests" selected, ClearPass should be sending them.




Have you checked under Live Monitoring > Accounting to see if the accounting details are being sent to CPPM?



Occasional Contributor II

Re: Accounting Proxy

I think the problem is that the controller role has not changed but the Clearpass role has, hence the Fortiauthenticator role should as well. Even though the user has disconnected then reconnected, because it has happened so quickly the user has maintained the session on the controller, so the accounting packets are not sent.


If I kick the user using aaa user delete x.x.x.x and they then re-connect, the accounting packet is sent.


I am going to see if, when I change the role on the controller as well, it will do what I want it to do. I have been reluctant to do this as I need a solution that is going to work across a variety of vendors including Cisco, Extreme etc. Will see how I go and get back to you. I may experiment with COA as well and use the previous status to trigger COA. Will keep testing.



Occasional Contributor II

Re: Accounting Proxy

In the end I just used the shortest accounting update period possible.

This was the only way I could get it to work reliably. At worst the user will be in the wrong firewall role for 5 minutes which is the min time between accounting updates.
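
The timing problem discussed in this thread, as an added illustration that is not part of any post and is not vendor code: a small model of when an accounting-proxy target holds a stale role. The event tuples, the `stale_windows` function, the timings, and the assumptions that the target refreshes its role only when an accounting packet is proxied to it and drops the session on Stop are all constructed for the example.

```python
# Constructed sample timeline in seconds; not captured from a real system.
# ("auth", t, user, role): the policy server assigns a role at (re-)authentication.
# ("acct", t, status):     the NAS sends an Accounting-Request that is proxied on.
EVENTS = [
    ("auth", 0, "provision-user", "provisioning"),
    ("acct", 1, "Start"),
    ("auth", 120, "staff-user", "staff"),   # quick re-auth, NAS session survives
    ("acct", 301, "Interim-Update"),        # 300 s interim accounting interval
    ("acct", 601, "Interim-Update"),
]


def stale_windows(events):
    """Return [(start, end, held_role, wanted_role)] for every period in which
    the proxy target's role differs from the policy server's latest decision.

    Assumptions (labelled, not vendor behaviour): the target learns the role
    only from a proxied accounting packet carrying the role current at that
    moment, and a Stop removes the session from the target.
    """
    current = None       # role last decided by the policy server
    downstream = None    # role last seen by the accounting-proxy target
    stale_since = None   # (time, role held) while a mismatch is open
    windows = []
    for ev in sorted(events, key=lambda e: e[1]):
        t = ev[1]
        if ev[0] == "auth":
            current = ev[3]
        elif ev[0] == "acct":
            downstream = None if ev[2] == "Stop" else current
        if downstream is not None and downstream != current:
            if stale_since is None:
                stale_since = (t, downstream)
        elif stale_since is not None:
            windows.append((stale_since[0], t, stale_since[1], current))
            stale_since = None
    if stale_since is not None:             # mismatch never corrected
        windows.append((stale_since[0], None, stale_since[1], current))
    return windows


if __name__ == "__main__":
    for start, end, held, wanted in stale_windows(EVENTS):
        print(f"t={start}s..{end}s: target holds '{held}', should be '{wanted}'")
```

With the sample timeline the stale window closes at the first interim update after the re-authentication, which is why shortening the interim interval bounds how long the wrong firewall role can persist.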




