Cisco WLC + Clearpass with a specific Radius attribute

All,

 

This is driving me crazy, and I know it's a small thing. I'm working on a project integrating some Cisco WLCs with Clearpass and all of the WLCs, except one, are sending a RADIUS attribute to Clearpass.

 

In Access Tracker, I'm receiving a RADIUS attribute called:

 

Connection : SSID : <SSID name>

 

from 95% of the controllers. The other controller is not sending that RADIUS information, so I'm using the Called Station ID instead.

 

I'd like to make the Clearpass config as uniform as possible without having to have a separate clause just for this one WLC. Any chance someone has run into this before and figured it out?


Thanks for the help!

 

-Mike

Guru Elite

Re: Cisco WLC + Clearpass with a specific Radius attribute

Mike, I think Connection : SSID is a computed attribute, not a direct RADIUS response. Are you able to do a packet capture and see what looks different between the RADIUS requests?

You can do a packet capture right from ClearPass now:
Administration > Server Manager > Server Configuration then click on the server name and hit Collect Logs and uncheck everything but “Capture network packets”


Sent from Surface Pro


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Cisco WLC + Clearpass with a specific Radius attribute

All WLCs running the same code?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: Cisco WLC + Clearpass with a specific Radius attribute

You could use the Airespace WLAN ID number

 




In Access Tracker > Input, you should be able to get this information and use it in the service to distinguish each

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: Cisco WLC + Clearpass with a specific Radius attribute

Hi All,

 

Thanks for the replies! As of right now, they're all running the same code, 7.6.110.0. I haven't yet done a packet capture because I was hoping this would be a check box fix, haha. I'll give that a whirl next week when I'm on-site with the customer.

 

Also, unfortunately, the WLAN indices are currently different across the various controllers. That's why it would be nice to use something like the Connection SSID.

 

Thanks for all of the suggestions! 

 

-Mike

 

 

Re: Cisco WLC + Clearpass with a specific Radius attribute

You could use belongs to and will WLAN ID 1 or 2

 


Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor

Re: Cisco WLC + Clearpass with a specific Radius attribute

I know this is an old thread, but as it's the only one that describes my exact issue, or even the only place that mentions the Connection:SSID attribute, I figured I would post my resolution for the next person.

 

Change the MAC Delimiter on the Cisco WLC under RADIUS Authentication Servers to no delimiter. Also make sure the SSID is being passed in the Called-Station-Id attribute.

 

I originally set the delimiter to Colon, which probably gave ClearPass issues when trying to differentiate the AP MAC from the SSID.

 

 

|CWNA|CWSP|CWAP|CCNA RS, Voice, Wireless|
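
The ambiguity the last post suspects, shown as an added example (not from the thread, and not ClearPass's actual logic). It assumes Called-Station-Id has the form `<AP MAC>:<SSID>`; the first-colon split is a hypothetical consumer, and the controller names and values are constructed.

```python
import re

HEX2 = r"[0-9A-Fa-f]{2}"
# AP MAC in each delimiter style, then ':' and the SSID (assumed layout)
MAC_FORMS = (
    ("hyphen", re.compile(rf"^((?:{HEX2}-){{5}}{HEX2}):(.*)$", re.S)),
    ("colon", re.compile(rf"^((?:{HEX2}:){{5}}{HEX2}):(.*)$", re.S)),
    ("none", re.compile(rf"^((?:{HEX2}){{6}}):(.*)$", re.S)),
)

def naive_ssid(called_station_id):
    """Hypothetical consumer: everything after the first ':' is the SSID."""
    _, sep, rest = called_station_id.partition(":")
    return rest if sep else None

def parse_called_station_id(value):
    """Return (normalised AP MAC, SSID, delimiter style), or None if no SSID part."""
    for style, pattern in MAC_FORMS:
        match = pattern.match(value)
        if match:
            mac = re.sub(r"[-:]", "", match.group(1)).upper()
            return mac, match.group(2), style
    return None

# Constructed sample values, one per controller (names are made up)
SAMPLES = {
    "wlc-a": "00-11-22-33-44-55:Corp",   # hyphen-delimited MAC
    "wlc-b": "001122334455:Corp",        # no delimiter
    "wlc-c": "00:11:22:33:44:55:Corp",   # colon-delimited MAC
    "wlc-d": "00-11-22-33-44-55",        # SSID not appended at all
}

def audit(samples):
    """Flag controllers whose value a first-colon split would misread."""
    findings = {}
    for nas, value in samples.items():
        parsed = parse_called_station_id(value)
        if parsed is None:
            findings[nas] = "no SSID in Called-Station-Id"
        elif naive_ssid(value) != parsed[1]:
            findings[nas] = f"{parsed[2]}-delimited MAC: first-colon split misses {parsed[1]!r}"
    return findings

if __name__ == "__main__":
    for nas, problem in audit(SAMPLES).items():
        print(f"{nas}: {problem}")
```

Running the same check over Called-Station-Id values copied from Access Tracker shows which controller deviates from the rest before any service rule is written around it.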