Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Accounting Proxy

  • 1.  Accounting Proxy

    Posted Feb 01, 2018 01:08 AM

    Hi All

     

    Does anybody know when the accounting proxy packets are sent to the destination?

     

    I have an issue that the destination does not appear to be getting notified in the event of a role change.

     

    I have a FortiAuthenticator that I am targeting as an accounting proxy.

     

    I have a user that connects in a device provisioning role and is assigned a provisioning role on the firewall as well. This works well. 

     

    The issue I have is that after the device has been provisioned by the MDM, they immediately re-authenticate with a different user account that has a different firewall role. The controller sees the updated role, ClearPass sees the updated role and appears to send the new role to the FortiAuthenticator, but FortiAuthenticator still sees the old role. In order for FortiAuthenticator to see the new role I have to log on to the controller and manually kill the user's session and re-authenticate the client. Once that has been done FortiAuthenticator sees the correct role and the user can access the required resources.

     

    Does ClearPass update the accounting proxies post-auth or as part of the authentication? The process I have is to write the firewall role to an endpoint attribute post-auth. I have tried using the Tips:Role attribute but that does not appear to work either; I see the same behaviour.

     

    Any assistance is appreciated.

     

    Thanks



  • 2.  RE: Accounting Proxy

    Posted Feb 05, 2018 10:55 AM

    Hi,

     

    If you have RADIUS accounting configured on your controller and have the "enable proxy for accounting requests" selected, ClearPass should be sending them.


     

     

    Have you checked under Live Monitoring > Accounting to see if the accounting details are being sent to CPPM?

     

     



  • 3.  RE: Accounting Proxy

    Posted Feb 06, 2018 12:19 AM

    I think the problem is that the controller role has not changed but the ClearPass role has, hence the FortiAuthenticator role should as well. Even though the user has disconnected then reconnected, because it has happened so quickly the user has maintained the session on the controller, and the accounting packets are not sent.

     

    If I kick the user using aaa user delete x.x.x.x and then they re-connect, the accounting packet is sent.

     

    I am going to see whether, if I change the role on the controller as well, it will do what I want it to do. I have been reluctant to do this as I need a solution that is going to work across a variety of vendors including Cisco, Extreme etc. Will see how I go and get back to you. I may experiment with COA as well and use the previous status to trigger COA. Will keep testing.

     

    Thanks



  • 4.  RE: Accounting Proxy
    Best Answer

    Posted Feb 20, 2018 07:30 PM

    In the end I just used the shortest accounting update period possible.

    This was the only way I could get it to work reliably. At worst the user will be in the wrong firewall role for 5 minutes, which is the min time between accounting updates.

     

    Thanks

     

     



  • 5.  RE: Accounting Proxy

    Posted Jul 12, 2018 05:38 PM
    Hi revans_au,

    That was your solution? I have a similar issue with a customer which has an Aruba controller, and then the minimum accounting interval is 5 min. However, in my lab I am testing with an IAP which has a minimum accounting interval of 1 min., therefore the accounting messages sent from ClearPass to the proxy target (FortiGate) are quicker. So it is weird that an IAP is better than a controller on this. Do you know if the frequency of the accounting messages sent from ClearPass to the proxy target only depends on the accounting interval set on the NAD? Or is it set on some ClearPass parameter?

    Regards,
    Julián


  • 6.  RE: Accounting Proxy

    Posted Jul 17, 2018 05:54 PM

    Hi,

     

    Reviewing the topic I conclude that the frequency of the accounting messages sent from ClearPass to the proxy target depends on the accounting interval set on the NAD, since ClearPass only forwards the interim accounting updates it receives from the NAS to the external target.

    In this regard, the IAP is better than the controller since the minimum interval in the IAP is 1 min. and the minimum interval in the controller is 5 min.

     

    Regards,

    Julián
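
The staleness window discussed in this thread can be measured by correlating the policy server's authentication log with the accounting packets the NAD actually sent. The following is an added example, not part of any post and not ClearPass or Fortinet code. The log tuples, MAC addresses, function names and the rule that only Start and Interim-Update packets refresh the proxy target's role are assumptions made for illustration.

```python
from bisect import bisect_left
from collections import defaultdict

# Constructed sample logs (seconds), not taken from the thread.
# Policy-server auth log: (time, client MAC, role assigned).
AUTH_LOG = [
    (0,  "aa:bb:cc:00:00:01", "provisioning"),
    (95, "aa:bb:cc:00:00:01", "staff"),   # quick re-auth, NAD keeps the session
    (10, "aa:bb:cc:00:00:02", "provisioning"),
    (40, "aa:bb:cc:00:00:02", "staff"),   # re-auth after the session was deleted
]
# Accounting-Requests from the NAD that get proxied: (time, MAC, Acct-Status-Type).
ACCT_LOG = [
    (1,   "aa:bb:cc:00:00:01", "Start"),
    (301, "aa:bb:cc:00:00:01", "Interim-Update"),  # 5 min interim interval
    (11,  "aa:bb:cc:00:00:02", "Start"),
    (39,  "aa:bb:cc:00:00:02", "Stop"),
    (42,  "aa:bb:cc:00:00:02", "Start"),
]

def stale_windows(auth_log, acct_log):
    """Per role change: seconds until an accounting packet could carry the new role."""
    carriers = defaultdict(list)
    for t, mac, status in acct_log:
        # Assumption: only Start/Interim-Update update the target's view of the role.
        if status in ("Start", "Interim-Update"):
            carriers[mac].append(t)
    for times in carriers.values():
        times.sort()
    last_role, out = {}, []
    for t, mac, role in sorted(auth_log):
        previous, last_role[mac] = last_role.get(mac), role
        if previous in (None, role):
            continue  # first auth or unchanged role: nothing to go stale
        times = carriers[mac]
        i = bisect_left(times, t)
        delay = times[i] - t if i < len(times) else None  # None: never updated
        out.append((mac, previous, role, delay))
    return out

def exceeds(windows, max_stale_s):
    """Role changes the proxy target learned about too late, or not at all."""
    return [w for w in windows if w[3] is None or w[3] > max_stale_s]

if __name__ == "__main__":
    for mac, old, new, delay in stale_windows(AUTH_LOG, ACCT_LOG):
        print(f"{mac}: {old} -> {new}, proxy target stale for {delay}s")
```

Running `exceeds()` with the longest delay you can tolerate shows which clients sat behind the old firewall role while waiting for the next interim update.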