Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Adding attributes to proxied accounting records

  • 1.  Adding attributes to proxied accounting records

    Posted Sep 11, 2015 06:43 AM

    Hi,

    Our CPPM service (6.5.2, soon to be 6.5.3) is configured to proxy accounting info to our Checkpoint firewall appliance. When processing authentication requests I've set CPPM up to send back the inner-tunnel User-Name in the Access-Accept packet so that all accounting records are associated with a real user. Our User-Names are of the form userid@our realm, e.g. fred@york.ac.uk.

    The checkpoint appliance is trying to use the user-name attribute to access a corresponding AD account .... which fails because it actually needs the userid component.

    Is there any way I can get CPPM to pass back another attribute that just contains the userid component?

    My other option is to proxy accounting to a Freeradius server and get it to process the Accounting packets and proxy them off to checkpoint instead

    A



  • 2.  RE: Adding attributes to proxied accounting records

    Posted Sep 11, 2015 10:31 AM
    If you go to Access Tracker and pick one of those authentication requests, then go to the Input tab > Computed Attributes, do you see the userid?


  • 3.  RE: Adding attributes to proxied accounting records

    Posted Sep 11, 2015 12:01 PM

    Yup,

    computed attribute

    Authentication:Username has the right username as that's what we auth against AD with

    I take it I pick a radius attribute to add to the accounting proxy and assign something to it?

     



  • 4.  RE: Adding attributes to proxied accounting records

    Posted Sep 11, 2015 12:43 PM

    Alex,

     

    You're on the right track here. Also, if you take a look at my CheckPoint + CPPM TechNote there is a section in there about using RADIUS Accounting; I also discuss how to open up sending a fourth attribute via a CHKP HOTFIX you can use.



  • 5.  RE: Adding attributes to proxied accounting records

    Posted Sep 11, 2015 01:11 PM

    @alexsuoy wrote:

    Yup,

    computed attribute

    Authentication:Username has the right username as that's what we auth against AD with

    I take it I pick a radius attribute to add to the accounting proxy and assign something to it?

     


    If that's the case create a radius enforcement profile with the following:

    [screenshot: 2015-09-11 13_09_40-ClearPass Policy Manager - Aruba Networks.png]

     

    Note: Keep in mind that I made that value up, but you just need to copy the format from the computed attributes and add it in between %{ }



  • 6.  RE: Adding attributes to proxied accounting records

    Posted Oct 05, 2015 11:42 AM

    Well.. there's good news and bad news ...

    Good news is that on my FreeRadius box that I'm proxying accounting into, there is indeed a Filter-Id attribute present in each of the accounting packets.

    Unfortunately the bad news is that it bears no resemblance to the actual userid specified elsewhere in the accounting packet. Here's an accounting packet that has 2 Attributes added to it. The Operator-Id has the text string TestingTesting assigned. The Filter-Id has %{Authentication:Username} assigned which should be the username used to authenticate against AD ...... should be the same as the internal freeradius Stripped-User-Name attribute .... it isn't.


    44.32.126.180 - Mon Oct  5 16:36:54 2015
            User-Name = "hn621@york.ac.uk"
            NAS-IP-Address = 144.32.64.18
            NAS-Port = 0
            NAS-Port-Type = Wireless-802.11
            Acct-Session-Id = "hn621@yo00E3B2036EC4-561296B3"
            Event-Timestamp = "Oct  5 2015 16:36:54 BST"
            Acct-Multi-Session-Id = "00E3B2036EC4-0005292336"
            Framed-IP-Address = 10.240.96.23
            Calling-Station-Id = "00-E3-B2-03-6E-C4"
            Called-Station-Id = "00-1A-1E-00-6F-D0"
            Class = 0xxxx
            Acct-Delay-Time = 0
            Aruba-Essid-Name = "eduroam"
            Aruba-Location-Id = "ceap3"
            Aruba-AP-Group = "Aruba-L2"
            Aruba-User-Role = "logon"
            Aruba-User-Vlan = 3848
            Aruba-Device-Type = "Android"
            Acct-Status-Type = Stop
            Acct-Input-Octets = 125177
            Acct-Output-Octets = 298626
            Acct-Input-Packets = 857
            Acct-Output-Packets = 755
            Acct-Terminate-Cause = NAS-Request
            Acct-Session-Time = 611
            NAS-Identifier = "aruba0"
            Filter-Id = "lm811"
            Operator-Name = "TestingTesting"
            Stripped-User-Name = "hn621"
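The packet above is the kind of record a downstream consumer (here the Checkpoint appliance) uses to tie a session to an AD account, so a Filter-Id that names a different user than User-Name silently attributes one person's traffic to another. The script below is an added example, not code from this thread, from HPE Aruba or from FreeRADIUS: it parses records in the FreeRADIUS detail-file layout shown in the post, derives the userid by stripping the realm from User-Name (the same split the original question asks CPPM to do), and reports every record whose Filter-Id is missing or does not match that userid. The sample records, addresses and usernames in SAMPLE_DETAIL are constructed for the example.

```python
import re

# Constructed sample records in the FreeRADIUS detail-file layout
# (one header line per record, indented "Attr = value" lines, blank-line separated).
# Addresses and usernames are made up for this example.
SAMPLE_DETAIL = """\
192.0.2.10 - Mon Oct  5 16:36:54 2015
\tUser-Name = "alice@example.ac.uk"
\tAcct-Status-Type = Stop
\tFilter-Id = "alice"
\tStripped-User-Name = "alice"

192.0.2.10 - Mon Oct  5 16:40:02 2015
\tUser-Name = "bob@example.ac.uk"
\tAcct-Status-Type = Stop
\tFilter-Id = "carol"
\tStripped-User-Name = "bob"

192.0.2.10 - Mon Oct  5 16:41:10 2015
\tUser-Name = "dave"
\tAcct-Status-Type = Start
"""

# "Attr-Name = value" with optional surrounding whitespace; value may be quoted.
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')


def parse_detail(text):
    """Parse detail-file text into a list of dicts, one per record.

    The record header (client address and timestamp) is kept under "_header";
    every other key is the attribute name with surrounding quotes removed.
    """
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            # Blank line ends the current record.
            if current is not None:
                records.append(current)
                current = None
            continue
        if current is None:
            # First non-blank line of a record is its header.
            current = {"_header": line.strip()}
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue  # tolerate lines that are not attributes
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        current[name] = value
    if current is not None:
        records.append(current)
    return records


def strip_realm(user_name):
    """Return the userid part of userid@realm; a name without '@' is returned unchanged."""
    userid, _sep, _realm = user_name.partition("@")
    return userid


def check_records(records):
    """Return (header, expected_userid, filter_id) for every record whose Filter-Id
    is absent or differs from the userid derived from User-Name."""
    mismatches = []
    for rec in records:
        expected = strip_realm(rec.get("User-Name", ""))
        got = rec.get("Filter-Id")  # None when the attribute is missing
        if got != expected:
            mismatches.append((rec["_header"], expected, got))
    return mismatches


if __name__ == "__main__":
    for header, expected, got in check_records(parse_detail(SAMPLE_DETAIL)):
        print(f"{header}: expected Filter-Id {expected!r}, got {got!r}")
```

Run against a real detail file by replacing SAMPLE_DETAIL with the file's contents; a non-empty result is the condition the post describes, where the proxied attribute cannot safely be used for user-to-session mapping until the enforcement profile is corrected.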