Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco ASA VPN - Returning IETF-Framed-IP-Address

  • 1.  Cisco ASA VPN - Returning IETF-Framed-IP-Address

    Posted Nov 27, 2014 12:09 AM

    Using ClearPass, I have configured a new Generic RADIUS Service that takes RADIUS calls from IPsec/L2TP VPN users from a Cisco ASA 5510 8.2 firewall (the only thing I have yet to move to ClearPass from NPS). Tests work great for authentication and authorization. Almost there.

     

    I am having trouble knowing how exactly to approach passing the static IP address value stored in AD for some users. NPS has a little checkbox that passes back that value as the IETF Framed-IP-Address, I believe, but I am at a loss as to how to achieve this in ClearPass.

     

    I think I need to make the Enforcement Profile pass it back, but I have no idea what to put in the value field of the profile. Can one of the brilliant airheads please advise?

     


     

    Many thanks,

     

    Aaron

     

    Edit: Clarified the fact that RADIUS was for VPN users



  • 2.  RE: Cisco ASA VPN - Returning IETF-Framed-IP-Address

    EMPLOYEE
    Posted Nov 27, 2014 01:05 AM

    Where is it stored in AD? Is it in a text field or are you using the dial-in static IP address option?

     

    If it's the dial-in static IP address field, the data is stored in decimal and may be difficult to convert on the fly to return to the ASA.

     


     

    If it's a more generic text attribute, we can return it verbatim.



  • 3.  RE: Cisco ASA VPN - Returning IETF-Framed-IP-Address

    Posted Nov 27, 2014 12:13 PM

    It does seem to be an integer in AD. rats!

     

    That would prove difficult to hand back over to the ASA in that format :)

     

    Thanks for looking into this for me!

     

    Aaron



  • 4.  RE: Cisco ASA VPN - Returning IETF-Framed-IP-Address

    EMPLOYEE
    Posted Nov 27, 2014 12:18 PM
    Are you using the dial-in settings for anything other than the ASA (no traditional MS RRAS)?

    You can easily create a custom AD attribute with type string, then use a PowerShell script to copy the existing entries from dial-in.

    You'd then be able to reference the value in ClearPass without any conversion and pass it via RADIUS.


  • 5.  RE: Cisco ASA VPN - Returning IETF-Framed-IP-Address

    Posted Nov 27, 2014 12:26 PM

    No, we are only using that one field in the Dial-In Settings, and then only for the ASA's VPN.

     

    Creating that custom AD attribute would certainly fit the bill, but I don't really use it but for a handful of people.

     

    If an attribute were in a useful string state, how would I pass it back as a RADIUS attribute? If you don't want to explain it and want to point me to the right section in the documentation, that's cool too!

     

    Thanks,

     

    Aaron



  • 6.  RE: Cisco ASA VPN - Returning IETF-Framed-IP-Address
    Best Answer

    EMPLOYEE
    Posted Nov 27, 2014 12:48 PM

    You would use the parameterized string. Here is an example returning the dial-in static IP value:

     

    %{Authorization:<AD-Source-Name>:<Attribute-Name>}

     

    Here's an example for mine:

     

    %{Authorization:AD_timcappalli-com:DialIn-StaticIP}

     


     

    Since this is not a "typical" attribute for you to use in ClearPass from an AD source, you'll need to define it in your AD authentication source (that's why it has a more user-friendly name).

     

    On the Attributes tab of your AD source, click the "Authentication" filter, and add an attribute at the bottom. The "Name" is the exact attribute name in AD (the easiest way to find all the attributes is to look at an account in ADSI Edit). "Alias Name" is what will be displayed in ClearPass as the attribute name. Choose string in this case.

     

    This attribute will now be available for that AD authorization source in ClearPass.

     




  • 7.  RE: Cisco ASA VPN - Returning IETF-Framed-IP-Address

    Posted Mar 08, 2019 10:10 AM

    Hi Tim, this looks like an old post, but we are trying to do this now for our VPN setup with ClearPass and static IPs in AD.

     

    In ClearPass, I am able to see the dial-in IP of the user coming from AD (following your instructions); however, when it gets time to send it with the enforcement profile, ClearPass isn't sending it to our ASA.

     

    I do however see it in the access tracker under the Authorization Attributes.

     

    Also, I noticed that in our AD the IP addresses are negative numbers; could this be the reason it isn't working?

     

    Any ideas?



  • 8.  RE: Cisco ASA VPN - Returning IETF-Framed-IP-Address

    EMPLOYEE
    Posted Mar 08, 2019 10:12 AM
    Do you see it on the output tab?


  • 9.  RE: Cisco ASA VPN - Returning IETF-Framed-IP-Address

    Posted Mar 08, 2019 10:17 AM

    It is going into the correct enforcement profile, but it isn't sending the RADIUS attribute to the ASA. I added a second attribute to see if that works (a banner) and that gets sent.

     




  • 10.  RE: Cisco ASA VPN - Returning IETF-Framed-IP-Address

    EMPLOYEE
    Posted Mar 08, 2019 10:24 AM
    Hm, odd. Can you attach the log export from the Access Tracker request? (Or you can email it to me.)


  • 11.  RE: Cisco ASA VPN - Returning IETF-Framed-IP-Address

    Posted Aug 05, 2019 11:41 PM
    Hello,

    I am using ClearPass Policy Manager 6.7.10.109323 today.
    I followed the same steps and got to the same point:
    - I see the attribute on the Input tab under Authorization:TPRO-AD:DialIn-StaticIP, but nothing shows on the Output tab, and hence the AnyConnect VPN client doesn't receive the dial-in IP.

    Any idea "about the next step"?

    Thanks,
    Florin.


  • 12.  RE: Cisco ASA VPN - Returning IETF-Framed-IP-Address

    Posted Aug 06, 2019 04:31 AM

    I did check the logs, and this is written there:

    [RequestHandler-1-0x7f7e069f4700 h=756 c=R00000015-01-5d48f595] ERROR Common.RadiusVendorAttrMap - Invalid value for Vendor=IETF Attribute=8 Value=186611383 Type=IPv4Address

    Any advice?



  • 13.  RE: Cisco ASA VPN - Returning IETF-Framed-IP-Address

    Posted Aug 07, 2019 09:21 AM

    Here's what I did:

     - decided to use an unused AD attribute, extensionAttribute_no12

     - created a PowerShell script to copy the static IPv4 address into this string-type extensionAttribute_no12

     - replaced the thread's suggestion, msRADIUSFramedIPAddress, with extensionAttribute_no12 in the AD source attributes

     

    And it finally works.

     
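The conversion that posts 4, 12 and 13 circle around, as an added example that is not part of the original thread: AD stores the dial-in static address (msRADIUSFramedIPAddress) as a 32-bit integer, so handing it straight to a Framed-IP-Address attribute fails with the "Invalid value ... Type=IPv4Address" error shown in post 12, and any address whose first octet is 128 or higher (192.168.x.x, 172.16.x.x) shows up negative, as noticed in post 7. The PowerShell below decodes that integer to a dotted quad and copies it into a plain string attribute that ClearPass can return verbatim. Assumptions not taken from the thread: the RSAT ActiveDirectory module is installed, the integer is the address in network byte order (compare one decoded value against that user's Dial-in tab before dropping -WhatIf), and extensionAttribute12 is the free string attribute used as the target (post 13 used one named extensionAttribute_no12).

```powershell
# Added example (not from the original thread). Assumptions: RSAT ActiveDirectory module
# available; msRADIUSFramedIPAddress holds the IPv4 address as a signed Int32 in network
# byte order; extensionAttribute12 is an unused string attribute.
Import-Module ActiveDirectory

function Convert-MsRadiusFramedIPAddress {
    # Decode the Int32 that AD stores for the Dial-in "Assign Static IP Address" box.
    # Addresses with the top bit set (first octet >= 128, e.g. 192.168.x.x) are
    # negative in two's complement, so widen to Int64 and add 2^32 before splitting.
    param([Parameter(Mandatory)][int64]$Value)

    if ($Value -lt 0) { $Value += 4294967296 }
    if ($Value -gt 4294967295) { throw "msRADIUSFramedIPAddress out of 32-bit range: $Value" }

    # Most significant octet first (network byte order).
    $octets = 3..0 | ForEach-Object { ($Value -shr ($_ * 8)) -band 0xFF }
    $ip = $octets -join '.'

    # Round-trip through [IPAddress] so a bad decode fails here, not in a RADIUS reply.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
        throw "Decoded value '$ip' is not a valid IPv4 address"
    }
    return $ip
}

# String attribute that ClearPass will read and return verbatim as Framed-IP-Address.
$TargetAttribute = 'extensionAttribute12'   # assumption: any unused string attribute works

# Only users who actually have a static dial-in address set.
$users = Get-ADUser -LDAPFilter '(msRADIUSFramedIPAddress=*)' `
                    -Properties msRADIUSFramedIPAddress, $TargetAttribute

foreach ($u in $users) {
    $ip = Convert-MsRadiusFramedIPAddress -Value $u.msRADIUSFramedIPAddress
    if ($u.$TargetAttribute -eq $ip) { continue }          # already migrated

    Write-Host ("{0,-24} {1,12} -> {2}" -f $u.SamAccountName, $u.msRADIUSFramedIPAddress, $ip)

    # -WhatIf only reports the change; remove it once a couple of decoded values
    # match what the Dial-in tab shows for known users.
    Set-ADUser -Identity $u -Replace @{ $TargetAttribute = $ip } -WhatIf
}
```

On the ClearPass side the steps from post 6 then apply unchanged, with the string attribute (here extensionAttribute12) entered as the "Name" on the AD source's Attributes tab in place of msRADIUSFramedIPAddress, the alias (for example DialIn-StaticIP) referenced in the enforcement profile as %{Authorization:<AD-Source-Name>:DialIn-StaticIP}, and the Access Tracker Output tab used to confirm the attribute is actually sent, since an undecoded integer is silently dropped there as post 12's log line shows.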


