Hi All
Does anybody know when the accounting proxy packets are sent to the destination?
I have an issue that the destination does not appear to be getting notified in the event of a role change.
I have a Fortiauthenticator that I am targeting as an accounting proxy.
I have a user that connects in a device provisioning role and is assigned a provisioning role on the firewall as well. This works well.
The issues I have is after the device has been provisioned by the MDM, they immediatly re-authenticate with a different user account that has a different firewall role. The controller sees the updated role, Clearpass sees the updated role and appears to send the new role to the Fortiauthenticator but Fortiauthenticator still sees the old role. In order for Forti-authenticator to see the new role I have to logon to the controller and manually kill the users session and re-authenticate the client. Once that has been done Fortiauthenticator sees the correct role and the user can access the required resources.
Does Clearpass update the Accounting proxies post-auth or as part of the authentication? The process I have is to write the firewall role to an enpoint attribute post auth. I have tried using the Tips:Role attribute but that does not appear to work either, I see the same behaviour.
Any assistance is appreciated.
Thanks