11-26-2014 09:09 PM - edited 11-26-2014 09:29 PM
Using Clearpass, I have configured a new Generic RADIUS Service that takes RADIUS calls from IPSEC/L2TP VPN users from a Cisco ASA 5510 8.2 firewall (only thing I have yet to move to Clearpass from NPS). Tests work great for authentication and authorization. Almost there.
I am having trouble knowing how exactly to approach passing the static IP address value stored in AD for some users. NPS has a little checkbox that passes back that value as the IETF-Framed-IP-Address I believe, but I am at a loss as to how to achieve this in Clearpass.
I think I need to make the Enforcement Profile pass it back, but I have no idea what to put in the value field of the profile. Can one of the brilliant airheads please advise?
Edit: Clarified the fact that RADIUS was for VPN users
11-26-2014 10:05 PM - edited 11-26-2014 10:22 PM
Where is it stored in AD? Is it in a text field or are you using the dial-in static IP address option?
If it's the dial-in static IP address field, the data is stored in decimal and may be difficult to convert on the fly to return to the ASA.
If it's a more generic text attribute, we can return it verbatim.
11-27-2014 09:18 AM
You can easily create a custom AD attribute with type string then use a powershell script to copy the existing entries from dial-in.
You'd then be able to reference the value in ClearPass without any conversion and pass it via RADIUS.
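The copy step described in this reply, written out as an added example (this is my illustration, not a script from the thread or from Aruba). It assumes the RSAT ActiveDirectory module is available, that the dial-in static IP lives in the standard msRADIUSFramedIPAddress attribute (a signed 32-bit integer in network byte order), and that the custom string attribute has been named vpnFramedIP, which is a placeholder name. It runs with -WhatIf so nothing is written until that switch is removed.

```powershell
# Added example: copy the NPS dial-in static IP (stored as a 32-bit integer in
# msRADIUSFramedIPAddress) into a custom string attribute that ClearPass can return
# verbatim as Framed-IP-Address. "vpnFramedIP" is a placeholder attribute name.
Import-Module ActiveDirectory

$targetAttribute = 'vpnFramedIP'   # placeholder: your custom string attribute

function ConvertFrom-FramedIPInteger {
    param([Parameter(Mandatory)][int]$Value)
    # NPS stores the address as a signed 32-bit integer in network byte order,
    # so 192.168.1.100 (0xC0A80164) is stored as -1062731420. Reverse the bytes
    # on little-endian hosts and let IPAddress render the dotted quad.
    $bytes = [BitConverter]::GetBytes($Value)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return ([System.Net.IPAddress]::new($bytes)).IPAddressToString
}

# Only touch accounts that actually have a static IP set in Dial-in settings.
$users = Get-ADUser -LDAPFilter '(msRADIUSFramedIPAddress=*)' `
    -Properties msRADIUSFramedIPAddress, $targetAttribute

foreach ($u in $users) {
    $ip = ConvertFrom-FramedIPInteger -Value $u.msRADIUSFramedIPAddress

    # Skip accounts whose string attribute already matches, so re-runs are idempotent.
    if ($u.$targetAttribute -eq $ip) { continue }

    Write-Host ("{0}: {1} -> {2}" -f $u.SamAccountName, $u.msRADIUSFramedIPAddress, $ip)
    # Remove -WhatIf once the dry-run output looks right.
    Set-ADUser -Identity $u -Replace @{ $targetAttribute = $ip } -WhatIf
}
```

Run it first with -WhatIf in place and check that the decoded addresses match what you see in the Dial-in tab before letting it write. On the ClearPass side the enforcement profile would then return a Framed-IP-Address RADIUS attribute whose value is a parameterized string of the form %{Authorization:<AD source name>:vpnFramedIP}, substituting your own source name and alias; that form is my assumption from ClearPass's usual %{Authorization:...} syntax, not something the thread itself shows.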
11-27-2014 09:25 AM
No, we are only using that one field in the Dial-In Settings, and then only for the ASA's VPN.
Creating that custom AD attribute would certainly fit the bill, but I don't really use it but for a handful of people.
If an attribute were in a useful string state, how would I pass it back as a RADIUS attribute? If you don't want to explain it and want to point me to the right section in the documentation, that's cool too!
11-27-2014 09:48 AM
You would use the parameterized string. Here is an example returning the dial-in static IP value:
Here's an example for mine:
Since this is not a "typical" attribute for you to use in ClearPass from an AD source, you'll need to define it in your AD authentication source (that's why it has a more user friendly name).
On the attributes tab of your AD source, click the "Authentication" filter, and add an attribute at the bottom. The "Name" is the exact attribute name in AD (easiest way to find all the attributes is to look at an account in ADSI Edit). "Alias Name" is what will be displayed in ClearPass as the attribute name. Choose string in this case.
This attribute will now be available for that AD authorization source in ClearPass.