Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Active Sessions and Licensing

  • 1.  Active Sessions and Licensing

    Posted Aug 08, 2012 12:40 PM

    First, does anyone understand how Amigopod/Clearpass counts licenses? I'm not sure if it's Active Sessions, accounts or what. Can someone clarify how that works on this system? Also, is there a way in the interface to obtain the current license usage? If not, I feel a feature request in my future.

    Second, my bigger concern. I'm getting conflicting reports from Amigopod/Clearpass, Airwave and my wireless controllers in regards to Active Sessions, or users, currently on our Amigopod/Clearpass-protected wireless network; basically it's our guest network currently. Amigopod/Clearpass is reporting only 4-5 users (really random numbers at times). Airwave and my controllers are reporting well over 40 users of the system currently.

    A little about our environment. Amigopod/Clearpass is running version 3.9.2. Airwave is running 7.5.4. My controllers are Cisco based, 1x 5508 and 2x 4400 models running software 7.0.222.0. The Amigopod/Clearpass VM has two interfaces, one public and one private. The default route is the public interface, with all private traffic routed out the private interface. The controllers are all privatized.

    I followed the "Amigopod Cisco WLC Integration Guide-0.93b" from Aruba's site. I only have one difference, and that is in the number of accounting servers I am using. The default authentication server for the network is the private Amigopod/Clearpass interface. The accounting servers for the network are, in order of priority: 1. Amigopod/Clearpass private, 2. Amigopod/Clearpass public, 3. external FreeRADIUS installation. I placed both the private and public interfaces into the accounting servers because I could not figure out which one was responding properly, so I included them both. Not sure if that's a problem or not. What I'm not sure of in regards to accounting is which server it's sending the updates to, which is likely my Active Sessions issue. I was assuming it was sending to all of them, and my ACLs on the Amigopod would reject the wrong interface and accept on the other; however, I'm not seeing these being logged into my FreeRADIUS server either, which makes me question if the problem is on the Cisco side of things.

    Can someone sift through all this and offer some suggestions, please? Kind of confused on this one. Thanks for any help or advice!



  • 2.  RE: Active Sessions and Licensing

    Posted Aug 08, 2012 01:48 PM

    The Amigopod platform is licensed based on the number of concurrent user sessions active at any given time. Amigopod monitors the number of positive authentication attempts and leverages RADIUS accounting to clean up sessions as they disconnect or get terminated based on expiry times.

    The Active Sessions screen is a representation of the RADIUS accounting data being received from your Cisco controllers. That is, sessions where an Accounting-Start has been received but no corresponding Accounting-Stop. The icons on the left of the table indicate whether the session is considered active or stale (no Accounting-Stop received from the controller).

    Typically the Amigopod will get deployed with one interface that is guest facing, where all the login and self-registration pages are available, and a second interface that is infrastructure and management facing. This is where the RADIUS traffic between your controllers and Amigopod would typically reside, and potentially all of the administrator login traffic as well.

    You should only need to have a single definition for your RADIUS authentication and accounting traffic for a single Amigopod install.

    We have seen some strange accounting behaviour from the Cisco controllers (in particular around accounting being sent for SSIDs not configured explicitly to send accounting information) in previous versions, but I think the 7.0.x release is reasonable. Interim accounting, I believe, was released in a later 7.2.x release, which might also be of interest to you.

    Hope this helps


    Cam



  • 3.  RE: Active Sessions and Licensing

    Posted Aug 08, 2012 02:11 PM

    Make sure that in your Cisco controller you have Calling-Station-Id format set to system MAC address instead of IP address. For ClearPass Guest, it looks at the "Active Sessions" which were created in the past 1 hour and counts those towards your license. If you have 50,000 active sessions and 10 were created in the past hour, then you are using 10 licenses. There is currently no way to view how many licenses you are consuming. Feel free to submit a feature request since that is something that would be very helpful.
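
As an added worked example (not Amigopod/ClearPass code, and not written by anyone in this thread), the Python script below rebuilds an Active Sessions view from a constructed RADIUS accounting stream the way the two replies above describe it: a session is open when an Accounting-Start has been seen with no later Accounting-Stop for the same Acct-Session-Id, the license count is the number of open sessions whose Start arrived within the past hour, and records whose Calling-Station-Id is not a MAC address (the controller set to send the client IP) are flagged. The record layout, timestamps, session IDs, user names and the one-hour window as a parameter are all assumptions; the active/stale icon from the earlier reply is not modelled.

```python
"""Rebuild an Active Sessions table from a RADIUS accounting stream.

Added example with constructed records; not Amigopod/ClearPass code.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class AcctRecord:
    """One RADIUS accounting request as a controller would send it (assumed layout)."""
    ts: datetime             # time the request was received
    status_type: str         # Acct-Status-Type: Start, Stop or Interim-Update
    session_id: str          # Acct-Session-Id
    user_name: str           # User-Name
    calling_station_id: str  # Calling-Station-Id (client MAC expected)


# Calling-Station-Id should be the client MAC, e.g. 00:11:22:33:44:55 or 00-11-22-33-44-55.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")

# Constructed "now" for the sample; a real tool would use datetime.now().
NOW = datetime(2012, 8, 8, 12, 40)

# Constructed accounting stream (assumed values, not a capture).
RECORDS: List[AcctRecord] = [
    AcctRecord(NOW - timedelta(hours=3),    "Start", "0001", "guest01", "00:11:22:33:44:01"),
    AcctRecord(NOW - timedelta(hours=2),    "Stop",  "0001", "guest01", "00:11:22:33:44:01"),
    AcctRecord(NOW - timedelta(minutes=90), "Start", "0002", "guest02", "00:11:22:33:44:02"),
    AcctRecord(NOW - timedelta(minutes=40), "Start", "0003", "guest03", "00:11:22:33:44:03"),
    # Controller misconfigured to send the client IP as Calling-Station-Id.
    AcctRecord(NOW - timedelta(minutes=10), "Start", "0004", "guest04", "10.20.30.44"),
    AcctRecord(NOW - timedelta(minutes=5),  "Stop",  "0003", "guest03", "00:11:22:33:44:03"),
    AcctRecord(NOW - timedelta(minutes=2),  "Start", "0005", "guest05", "00:11:22:33:44:05"),
]


def open_sessions(records: List[AcctRecord]) -> Dict[str, AcctRecord]:
    """Sessions with an Accounting-Start and no later Accounting-Stop.

    Returns session_id -> the Start record, i.e. the Active Sessions table.
    """
    open_by_id: Dict[str, AcctRecord] = {}
    for rec in sorted(records, key=lambda r: r.ts):
        if rec.status_type == "Start":
            open_by_id[rec.session_id] = rec
        elif rec.status_type == "Stop":
            # A Stop for a session whose Start never arrived is ignored.
            open_by_id.pop(rec.session_id, None)
        # Interim-Update neither opens nor closes a session here.
    return open_by_id


def licenses_in_use(records: List[AcctRecord], now: datetime,
                    window: timedelta = timedelta(hours=1)) -> int:
    """Open sessions whose Start arrived within the window (one hour, per the thread)."""
    return sum(1 for rec in open_sessions(records).values() if now - rec.ts <= window)


def non_mac_calling_station_ids(records: List[AcctRecord]) -> List[str]:
    """Calling-Station-Id values that are not MAC addresses, e.g. an IP address."""
    return sorted({r.calling_station_id for r in records
                   if not MAC_RE.match(r.calling_station_id)})


if __name__ == "__main__":
    for sid, rec in open_sessions(RECORDS).items():
        print(f"{sid} {rec.user_name:8} {rec.calling_station_id:18} started {rec.ts:%H:%M}")
    print("licenses in use:", licenses_in_use(RECORDS, NOW))
    print("non-MAC Calling-Station-Id:", non_mac_calling_station_ids(RECORDS))
```

Run stand-alone, the sample leaves three sessions open (guest02, guest04, guest05) but counts only the two started within the last hour as licenses, which is the same gap between "users connected" and "licenses consumed" the thread is asking about. A session whose Stop was lost in transit (or delivered to a different accounting server than its Start) stays in the open table until the controller's expiry cleanup removes it, so feeding real accounting logs through this logic is a quick way to see which records the Amigopod actually received.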



  • 4.  RE: Active Sessions and Licensing

    Posted Aug 08, 2012 04:24 PM

    Thank you both for the detailed responses. I verified that I do have MAC as the Calling-Station-Id. So, let me understand the licensing... I can have 40+ users on my guest network with accounts, but if there are only 4-5 listed in Active Sessions, as that is the representation of the accounting, those are the only ones that are counted against my license? Just want to make sure I understand this correctly. I am definitely going to submit a feature request for the count.

    As far as how the interfaces are set up on the Clearpass system, it's all management to the private interface, and the guests are directed to the public interface for registration and account creation. All the authentication and accounting happens over the private networks on our systems; I just verified with packet captures. Does accounting typically happen based on server priority order, or is it sent to all the servers listed in the chain? I'm still confused on that portion. How is it handled on the Aruba wireless system, priority or all?

    As far as upgrading to newer code, I appreciate the suggestion; however, we're unable to do so because they dropped support for our older access points in the 7.2 code. We're currently moving to Aruba, POs just went out this week for the new equipment, so we'll likely end up phasing these out within the next couple of years.



  • 5.  RE: Active Sessions and Licensing

    Posted Aug 08, 2012 05:32 PM

    For ClearPass Guest, if they are not showing up in Active Sessions, then they don't count towards your license. I don't know how accounting is handled on a Cisco device, but on Aruba, multiple accounting servers are treated as a failover type scenario. If the first accounting server doesn't ack the accounting request, then it assumes it's down and moves on to the next listed accounting server.