09-24-2014 06:06 PM
We have configured an accounting server under the AAA profiles. On the accounting server (a FortiGate firewall) we receive several messages stating "RADIUS start or interim-update packet received with missing or invalid profile specified".
Because of this, some of the users are not put under the correct role on our FortiGate firewall. This happens every now and then, and each time for a different user. We are running code version 18.104.22.168.
We have to delete that particular user on the Aruba controller; when that user authenticates again, the accounting messages are sent properly and the user is allocated the correct role.
09-27-2014 06:31 AM
My advice: contact TAC.
You might get lucky and someone has encountered it before, but if you want a certain answer, open a ticket with TAC. Please do report the answer from TAC back here.
Be prepared to capture traffic from the ClearPass or at the FortiGate to determine if info is really missing. It could very well be that there is a traffic issue in between which causes some packets to get lost. That is a downside of doing FSSO based on RADIUS like this.
10-05-2014 01:18 PM
I have read the release notes for ArubaOS 22.214.171.124 and it is stated:
Symptom: When previously idle clients reconnected to the network, a configured CLASS attribute was
missing from the accounting messages sent from the RADIUS server. This issue is resolved with the
introduction of the delete-keycache parameter in the 802.1X authentication profile. When this
parameter is enabled, it deletes the user keycache when the client's user entries get deleted. This
forces the client to complete a full 802.1X authentication process when the client reconnects after an
idle timeout, so the CLASS attributes will again be sent by the RADIUS servers.
Scenario: This issue occurred in a deployment using RADIUS accounting, where the RADIUS server
pushed CLASS attributes in the access-accept messages for 802.1X authentication. When an idle user
timed out from the network, ArubaOS deleted the CLASS attribute for the user along with rest of the
I have updated to 126.96.36.199.
I have enabled delete-keycache under the Dot1x profile and will monitor it. Our school is closed for another week and I will test it once school reopens.
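
One way to run the check suggested in this thread on captured accounting packets, as an added example that is not from any poster, Aruba or Fortinet: it parses RADIUS Accounting-Request payloads (RFC 2866 layout) and flags Start or Interim-Update messages that carry no Class attribute. It assumes Class is the attribute the firewall maps to a role, as the quoted release note suggests; the function names and the sample packets are constructed for illustration.

```python
import struct

ACCOUNTING_REQUEST = 4                           # RFC 2866 packet code
USER_NAME, CLASS, ACCT_STATUS_TYPE = 1, 25, 40   # RFC 2865/2866 attribute types
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def parse(packet):
    """Split one RADIUS UDP payload into (code, {attr_type: [values]})."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not match payload")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs


def check(packet):
    """Report whether a Start/Interim-Update carries a non-empty Class."""
    code, attrs = parse(packet)
    if code != ACCOUNTING_REQUEST:
        return None                              # not an accounting message
    raw = attrs.get(ACCT_STATUS_TYPE, [b""])[0]
    status = STATUS.get(int.from_bytes(raw, "big"), "other")
    has_class = any(attrs.get(CLASS, []))        # empty Class counts as missing
    user = attrs.get(USER_NAME, [b"?"])[0].decode(errors="replace")
    missing = status in ("Start", "Interim-Update") and not has_class
    return {"user": user, "status": status, "class_missing": missing}


def build(status, user, cls=None):
    """Constructed test packet; the authenticator is zeroed, not valid."""
    tlv = lambda t, v: bytes([t, len(v) + 2]) + v
    body = tlv(USER_NAME, user) + tlv(ACCT_STATUS_TYPE, struct.pack("!I", status))
    if cls is not None:
        body += tlv(CLASS, cls)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    for pkt in (build(1, b"alice", b"staff"), build(3, b"bob")):
        print(check(pkt))
```

Feed `check()` the UDP payload of each packet sent to the accounting port in a capture taken at the firewall; a `class_missing` hit there means the attribute was absent when sent, not lost in transit.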