Occasional Contributor II
Posts: 12
Registered: ‎02-19-2014

Calling Station ID needs to be an IP address

I am trying to make things a little easier for our users by setting up Single Sign On. In order for it to work properly our firewall needs to receive an IP address from the Calling Station ID attribute in the Radius start and stop messages.

I am using IAP-105's with an external Radius server, Server 2008R2. The Radius server is forwarding the start and stop messages but the Calling Station ID is a MAC address and not an IP address.

Is there a way to change it?

Guru Elite
Posts: 20,337
Registered: ‎03-29-2007

Re: Calling Station ID needs to be an IP address

The framed-ip-address attribute is typically assigned to the IP address of the user in radius accounting packets, according to the standard. Find out if your firewall can use that attribute instead. http://tools.ietf.org/html/rfc2866



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite
Posts: 7,991
Registered: ‎09-08-2010

Re: Calling Station ID needs to be an IP address

Does it happen to be a Palo Alto firewall?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Occasional Contributor II
Posts: 12
Registered: ‎02-19-2014

Re: Calling Station ID needs to be an IP address

The firewall is a Fortigate.

Guru Elite
Posts: 20,337
Registered: ‎03-29-2007

Re: Calling Station ID needs to be an IP address

http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/RADIUS-SSO.037.06.html

"For RADIUS SSO to work, FortiOS needs to know the user’s endpoint identifier (usually IP address) and RADIUS user group. There are default RADIUS attributes where FortiOS expects this information, but you can change these attributes in the config user radius CLI command."



Colin Joseph
Aruba Customer Engineering

MVP
Posts: 1,405
Registered: ‎11-30-2011

Re: Calling Station ID needs to be an IP address

Did you get this to work, Todd?

Occasional Contributor II
Posts: 12
Registered: ‎02-19-2014

Re: Calling Station ID needs to be an IP address

Yes. I believe it was caused by the firewall looking at the wrong attribute in the RADIUS message.

Todd
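
The attribute distinction discussed in this thread, as an added example that is not part of any post: a minimal parser for a RADIUS Accounting-Request (RFC 2866) that reports whether the endpoint IP is carried in Framed-IP-Address or Calling-Station-Id. The sample packet, user name, MAC and IP are constructed, and the function names are hypothetical.

```python
import ipaddress
import struct

# Attribute type numbers from RFC 2865 / RFC 2866.
ATTR_NAMES = {1: "User-Name", 8: "Framed-IP-Address",
              31: "Calling-Station-Id", 40: "Acct-Status-Type"}


def build_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value (length includes the 2-byte header)."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_accounting(packet: bytes) -> dict:
    """Return {attribute name: raw value} for a RADIUS Accounting-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request (code 4)")
    attrs, pos = {}, 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or not 2 <= packet[pos + 1] <= length - pos:
            raise ValueError("malformed attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        name = ATTR_NAMES.get(attr_type, f"attr-{attr_type}")
        attrs[name] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def endpoint_ip(attrs: dict):
    """Return (attribute name, IP) for whichever attribute actually holds an IP address."""
    framed = attrs.get("Framed-IP-Address")
    if framed is not None and len(framed) == 4:
        return "Framed-IP-Address", str(ipaddress.IPv4Address(framed))
    calling = attrs.get("Calling-Station-Id", b"").decode("ascii", "replace")
    try:
        return "Calling-Station-Id", str(ipaddress.ip_address(calling))
    except ValueError:
        return None, None  # e.g. Calling-Station-Id holds a MAC address


# Constructed sample: a Start record with a MAC in Calling-Station-Id (not a real capture).
_body = (build_attr(40, struct.pack("!I", 1)) + build_attr(1, b"user1")
         + build_attr(31, b"AA-BB-CC-DD-EE-FF")
         + build_attr(8, ipaddress.IPv4Address("192.0.2.25").packed))
SAMPLE = struct.pack("!BBH", 4, 1, 20 + len(_body)) + bytes(16) + _body
```

Running `endpoint_ip(parse_accounting(SAMPLE))` on a captured accounting packet shows which attribute the SSO consumer has to be pointed at.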