Frequent Contributor I

Aruba controller to send Radius Start/Stop notifications

Hi,

We have installed a Fortigate 600C firewall. It needs RADIUS Start and Stop notifications to allow users to pass through who are already authenticated using 802.1x authentication against our NPS server.

I read on a Microsoft forum that we have to configure the NAS in a way that it generates notifications. In our case, our 3400 controllers are the NAS.

My question is: how can we set the controllers to send Start-Accounting and Stop-Accounting notifications to the Fortigate firewall, which has an IP address of 192.168.100.254?

The following is the link where I read that the NAS needs to be configured to send notifications:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/c1fbccce-539f-4556-be97-2c36b83c5d2f/nps-not-forwarding-radius-startstop-notifications?forum=winserverNIS&prof=required

Guru Elite

Re: Aruba controller to send Radius Start/Stop notifications

Add the Fortinet as a RADIUS server in the controller. Then add it to a new server group.

In your AAA profile, under RADIUS accounting, select the Fortinet server group.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Aruba controller to send Radius Start/Stop notifications

If there are two servers I need to send accounting messages/notifications to, can I add multiple servers, and will they be sent to multiple Fortinet firewalls?

Farzan Qureshi
------------------
Network Administrator & Helpdesk support
Rosmini College

--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager (
admin@rosmini.school.nz). Please note that any views or opinions presented
in this email are solely those of the author and do not necessarily
represent those of the company. Finally, the recipient should check this
email and any attachments for the presence of viruses. Rosmini College
accepts no liability for any damage caused by any virus transmitted by this
email.
Guru Elite

Re: Aruba controller to send Radius Start/Stop notifications

You need AOS 6.4 or higher to send accounting data to multiple servers. If you are already on 6.4, check the Multiple RADIUS accounting servers check box in the AAA profile.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Aruba controller to send Radius Start/Stop notifications

I am running 6.3.1.8. I will update the code version and give it a go.

Thanks for your help.

Frequent Contributor I

Re: Aruba controller to send Radius Start/Stop notifications

One more quick question.

Just for testing, I have done what you suggested. I can see users are establishing on the Fortinet firewall. However, under username the MAC address of the client appears. Is it something we need to change on our NPS or on the Aruba controller? It should send the actual usernames of the clients, shouldn't it?

Frequent Contributor I

Re: Aruba controller to send Radius Start/Stop notifications

Any ideas, please? I am getting the devices' MAC addresses instead of usernames.

Re: Aruba controller to send Radius Start/Stop notifications

Are you doing user auth or computer auth with RADIUS?
ACDX #419 | ACMP |
Frequent Contributor I

Re: Aruba controller to send Radius Start/Stop notifications

User auth. On the controller, user IDs appear under username.

Farzan Qureshi
------------------
Network Administrator & Helpdesk support
Rosmini College
Frequent Contributor I

Re: Aruba controller to send Radius Start/Stop notifications

Hi,

I have solved it. I changed the RSSO attribute to read User-Name instead of Calling-Station-Id on our Fortinet 600C firewall.

First, I set the accounting server on the Aruba controller 3400 under the AAA profile.

And this is how I did it on the Fortinet:

    config user radius
    get RSSO_Agent
    edit RSSO_Agent
    set rsso-endpoint-attribute User-Name

This may help others too.
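The symptom and fix in this thread come down to which attribute of the RADIUS Accounting-Request the receiver treats as the endpoint identity. The following is an added example, not code from the thread, Aruba or Fortinet: a hypothetical receiver (`sso_session`, with a constructed packet, secret, username, MAC and IP) that verifies the RFC 2866 request authenticator and then reads the session from either Calling-Station-Id or User-Name.

```python
import hashlib
import hmac
import socket
import struct

# Attribute type numbers from RFC 2865 / RFC 2866.
USER_NAME, FRAMED_IP, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 31, 40
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_accounting_request(ident, attrs, secret):
    """Encode an Accounting-Request (code 4) with its RFC 2866 authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 4, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_accounting_request(packet, secret):
    """Check length and authenticator, then return {attribute type: raw value}."""
    if len(packet) < 20 or packet[0] != 4:
        raise ValueError("not an Accounting-Request")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad authenticator (shared secret mismatch?)")
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs

def sso_session(packet, secret, endpoint_attribute):
    """What a hypothetical SSO receiver records for the configured attribute."""
    attrs = parse_accounting_request(packet, secret)
    status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
    return {"event": STATUS.get(status, str(status)),
            "ip": socket.inet_ntoa(attrs[FRAMED_IP]),
            "endpoint": attrs[endpoint_attribute].decode()}

# Constructed sample: one Accounting-Start carrying both identity attributes.
SECRET = b"constructed-shared-secret"
SAMPLE = build_accounting_request(7, [
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (USER_NAME, b"jsmith"),
    (CALLING_STATION_ID, b"AABBCCDDEEFF"),
    (FRAMED_IP, socket.inet_aton("10.1.20.45"))], SECRET)
```

The same packet yields the MAC address when the receiver keys on Calling-Station-Id and the username when it keys on User-Name, so nothing has to change on the NAS or on NPS.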
