Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Cisco WLC + Clearpass with a specific Radius attribute

  • 1.  Cisco WLC + Clearpass with a specific Radius attribute

    Posted Jun 05, 2014 06:22 PM

    All,

     

    This is driving me crazy, and I know it's a small thing. I'm working on a project integrating some Cisco WLCs with Clearpass and all of the WLCs, except one, are sending a RADIUS attribute to Clearpass.

     

    In Access Tracker, I'm receiving a RADIUS attribute called:

     

    Connection : SSID : <SSID name>

     

    from 95% of the controllers. The other controller is not sending that RADIUS information, so I'm using the Called Station ID instead.

     

    I'd like to make the Clearpass config as uniform as possible without having to have a separate clause just for this one WLC. Any chance someone has run into this before and figured it out?


    Thanks for the help!

     

    -Mike



  • 2.  RE: Cisco WLC + Clearpass with a specific Radius attribute

    EMPLOYEE
    Posted Jun 05, 2014 06:26 PM

    Mike, I think Connection : SSID is a computed attribute, not a direct RADIUS response. Are you able to do a packet capture and see what looks different between the RADIUS requests?

    You can do a packet capture right from ClearPass now:
    Administration > Server Manager > Server Configuration then click on the server name and hit Collect Logs and uncheck everything but “Capture network packets”


    Sent from Surface Pro



  • 3.  RE: Cisco WLC + Clearpass with a specific Radius attribute

    Posted Jun 05, 2014 06:27 PM
    All WLCs running the same code?


  • 4.  RE: Cisco WLC + Clearpass with a specific Radius attribute

    Posted Jun 05, 2014 06:28 PM

    You could use the Airespace WLAN ID number

    In Access Tracker > Input, you should be able to get this information and use it in the service to distinguish each

     

     



  • 5.  RE: Cisco WLC + Clearpass with a specific Radius attribute

    Posted Jun 06, 2014 09:45 AM

    Hi All,

     

    Thanks for the replies! As of right now, they're all running the same code, 7.6.110.0. I haven't yet done a packet capture because I was hoping this would be a check box fix, haha. I'll give that a whirl next week when I'm on-site with the customer.

     

    Also, unfortunately, the WLAN indices are currently different across the various controllers. That's why it would be nice to use something like the Connection SSID.

     

    Thanks for all of the suggestions! 

     

    -Mike

     

     



  • 6.  RE: Cisco WLC + Clearpass with a specific Radius attribute

    Posted Jun 13, 2014 10:17 AM

    You could use belongs to and will WLAN ID 1 or 2

     




  • 7.  RE: Cisco WLC + Clearpass with a specific Radius attribute

    Posted Jul 10, 2017 11:52 AM

    I know this is an old thread, but as it's the only one that describes my exact issue, or even the only place that mentions the Connection:SSID attribute, I figured I would post my resolution for the next person.

     

    Change the MAC Delimiter on the Cisco WLC under RADIUS Authentication Servers to no delimiter. Also make sure the SSID is being passed in the Called-Station-Id attribute.

     

    I originally set the delimiter to Colon, which probably gave ClearPass issues when trying to differentiate the AP MAC from the SSID.
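
The delimiter ambiguity described in the last post, as an added example that is not part of the thread. The Called-Station-Id values are constructed, `naive_split` is a hypothetical parser (how ClearPass itself parses the attribute is not stated in the thread), and `parse_called_station_id` is one delimiter-tolerant way to recover the SSID when post-processing RADIUS logs or captures.

```python
import re

# AP MAC: six hex octets with an optional ':' or '-' between them,
# optionally followed by ':' and the SSID (which may itself contain ':').
_CSID_RE = re.compile(
    r"([0-9A-Fa-f]{2}(?:[:-]?[0-9A-Fa-f]{2}){5})(?::(.*))?", re.S
)

# Constructed sample values, not taken from the thread.
SAMPLES = [
    "AABBCCDDEEFF:CorpWiFi",            # MAC sent with no delimiter
    "AA:BB:CC:DD:EE:FF:CorpWiFi",       # MAC sent with colon delimiter
    "AA-BB-CC-DD-EE-FF:CorpWiFi",       # MAC sent with hyphen delimiter
    "AABBCCDDEEFF",                     # SSID not appended at all
]


def naive_split(value):
    """Hypothetical parser: everything before the first ':' is the AP MAC."""
    mac, _, ssid = value.partition(":")
    return mac, ssid


def parse_called_station_id(value):
    """Return (MAC as 12 upper-case hex digits, SSID or None)."""
    m = _CSID_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"unrecognised Called-Station-Id: {value!r}")
    mac = re.sub(r"[:-]", "", m.group(1)).upper()
    return mac, m.group(2)


if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v!r:32} naive={naive_split(v)} "
              f"tolerant={parse_called_station_id(v)}")
```

With the colon-delimited value, the naive split returns `AA` as the MAC and the rest of the MAC plus the SSID as the "SSID", which is the kind of confusion the post suspects; with no delimiter both parsers agree.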