Occasional Contributor II

CPPM: Using non-default NAS-Port-Type in Service Definitions

The title pretty much sums it up. I have a device that has a NAS-Port-Type with the value 251658240. However, when creating a new service definition, I can only choose between predefined values (0 to 36). 


So, in my service definition, how can I filter for Radius:IETF:NAS-Port-Type EQUALS 251658240?


Please see the attached screenshots for further clarification!


Thanks

Tom

Guru Elite

Re: CPPM: Using non-default NAS-Port-Type in Service Definitions

Sorry, but this is not possible. These are IETF standard attributes and what that vendor is using is not valid. You won't be able to use that in a service rule.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: CPPM: Using non-default NAS-Port-Type in Service Definitions

Sigh. Any other options? Ideas?

Guru Elite

Re: CPPM: Using non-default NAS-Port-Type in Service Definitions

I guess my question would be, why do you need to filter on it?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: CPPM: Using non-default NAS-Port-Type in Service Definitions

I'm using radius auth for SSH-ing to the devices in question, and I authenticate IPSEC VPN Tunnels using Radius terminating on these devices.

The only difference in the request (SSH or IPSEC Tunnel) is whether NAS-Port-Type is present or not. If it is present, it most certainly is a Radius request for an IPSEC VPN user, but just to double check I wanted to check for the correct NAS-Port-Type (251658240).


If it's not possible at all I'll just stick with NAS-Port-Type IS PRESENT as a check condition.

Guru Elite

Re: CPPM: Using non-default NAS-Port-Type in Service Definitions

I think that is your only option. I would also reach out to said vendor and ask why they're not using standard NAS-Port-Type values and if you can change it.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: CPPM: Using non-default NAS-Port-Type in Service Definitions

The vendor in question is Juniper. Don't think I'll be lucky, but I'll give it a try anyways.

Re: CPPM: Using non-default NAS-Port-Type in Service Definitions

What could work is to edit the RADIUS dictionary and add in the value that you want:

- Go to Administration » Dictionaries » RADIUS

- Find the IETF dictionary, and open it

- Export

- Open the XML file in a text editor

- Find the NAS-Port-Type, and add your attribute:


... begin of file removed from this exhibit...
<Attribute profile="in out" type="Unsigned32" name="NAS-Port-Type" id="61">
  <ValidValues>
    <ValidValue enumOrdinal="0" value="Async"/>
    <ValidValue enumOrdinal="1" value="Sync"/>
    ... lines removed but leave lines in...
    <ValidValue enumOrdinal="35" value="xPON"/>
    <ValidValue enumOrdinal="36" value="Wireless-XGP"/>
    <ValidValue enumOrdinal="251658240" value="Juniper-VPN"/>
  </ValidValues>
</Attribute>
... remainder removed but leave lines in...

- Add the entry with number and value that you want; leave the rest of the file untouched.

- Save

- Import

- And you can now select the attribute in the service rule:

[Screenshot: ClearPass Policy Manager service rule with the new NAS-Port-Type value selectable, 2017-10-13]

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
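The step "find the NAS-Port-Type and add your attribute; leave the rest of the file untouched" is the one where a hand edit can go wrong (a duplicated ordinal, a value outside the attribute's Unsigned32 range, or a stray change elsewhere in the file). The script below is an added example, not ClearPass code or anything from the post above: it applies exactly that one edit to an exported dictionary and refuses anything else. It assumes the export is XML with Attribute/ValidValues/ValidValue elements and enumOrdinal/value attributes as shown in the excerpt; the root element name RadiusDictionary and the trimmed sample document are constructed for the example, since the real export is not on the page.

```python
"""Add one vendor-specific NAS-Port-Type value to an exported RADIUS dictionary.

Added example (not ClearPass's own code). Assumes the export has the
<Attribute>/<ValidValues>/<ValidValue enumOrdinal=... value=.../> layout shown
in the forum excerpt; the root element name below is a constructed assumption.
"""
import xml.etree.ElementTree as ET

UNSIGNED32_MAX = 2**32 - 1

# Constructed sample standing in for the exported IETF dictionary. The real
# export lists ordinals 0-36 and many other attributes; only a few are kept here.
SAMPLE_DICTIONARY = """<?xml version="1.0" encoding="UTF-8"?>
<RadiusDictionary name="IETF">
  <Attribute profile="in out" type="Unsigned32" name="NAS-Port-Type" id="61">
    <ValidValues>
      <ValidValue enumOrdinal="0" value="Async"/>
      <ValidValue enumOrdinal="1" value="Sync"/>
      <ValidValue enumOrdinal="35" value="xPON"/>
      <ValidValue enumOrdinal="36" value="Wireless-XGP"/>
    </ValidValues>
  </Attribute>
  <Attribute profile="in out" type="String" name="NAS-Identifier" id="32"/>
</RadiusDictionary>
"""


def find_attribute(root, attr_name):
    """Locate the <Attribute name="..."> element anywhere under root."""
    for attr in root.iter("Attribute"):
        if attr.get("name") == attr_name:
            return attr
    raise KeyError(f"attribute {attr_name!r} not found in dictionary")


def valid_values(xml_text, attr_name):
    """Return {enumOrdinal: value} for one attribute, as parsed from the XML."""
    attr = find_attribute(ET.fromstring(xml_text), attr_name)
    return {int(v.get("enumOrdinal")): v.get("value") for v in attr.iter("ValidValue")}


def add_valid_value(xml_text, attr_name, ordinal, label):
    """Return the dictionary XML with one new ValidValue appended under attr_name.

    Refuses the edit when the ordinal does not fit Unsigned32, when the target
    attribute is not an Unsigned32 enumeration, or when the ordinal or label is
    already defined, so a typo cannot silently shadow a standard value.
    """
    if not 0 <= ordinal <= UNSIGNED32_MAX:
        raise ValueError(f"enumOrdinal {ordinal} does not fit Unsigned32")
    root = ET.fromstring(xml_text)
    attr = find_attribute(root, attr_name)
    if attr.get("type") != "Unsigned32":
        raise ValueError(f"{attr_name} is type {attr.get('type')!r}, not Unsigned32")
    values = attr.find("ValidValues")
    if values is None:
        values = ET.SubElement(attr, "ValidValues")
    existing = {int(v.get("enumOrdinal")): v.get("value") for v in values.findall("ValidValue")}
    if ordinal in existing:
        raise ValueError(f"enumOrdinal {ordinal} already defined as {existing[ordinal]!r}")
    if label in existing.values():
        raise ValueError(f"value {label!r} already defined")

    new = ET.SubElement(values, "ValidValue")
    new.set("enumOrdinal", str(ordinal))
    new.set("value", label)
    # Carry the whitespace over so the new entry lands on its own indented line
    # and the diff against the original export is a single inserted line.
    children = values.findall("ValidValue")
    if len(children) >= 2:
        previous, indent = children[-2], children[-2].tail
        new.tail = previous.tail
        previous.tail = indent
        children[-2].tail = indent
    # ET.tostring omits the XML declaration; restore the export's own first
    # line when writing the file back out.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = add_valid_value(SAMPLE_DICTIONARY, "NAS-Port-Type", 251658240, "Juniper-VPN")
    print(updated)
```

Diff the output against the original export before importing it: the only change should be the one added ValidValue line. Note that ElementTree does not preserve XML comments, so if the real export contains any, compare the files with that in mind.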
Guru Elite

Re: CPPM: Using non-default NAS-Port-Type in Service Definitions

Editing the IETF dictionary is not recommended.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: CPPM: Using non-default NAS-Port-Type in Service Definitions

Works like a charm. Thanks!
