Frequent Contributor II
Posts: 110
Registered: ‎01-25-2013

ClearPass Authentication Time issue

Hey all,

I've got a ClearPass client that is having issues with a couple of policies. Their goal is to limit the user on two fronts:

1. Throttle bandwidth determined on how long they've been connected (the longer they've been connected, the less bandwidth they have)

2. Throttle bandwidth determined on how much they've already consumed (the more they consume, the less bandwidth they have).

They've set up the policies and as far as I can tell they look OK; however, I don't think the controller is actually getting the CoA RFC 3576 info correctly. They're experiencing two issues:

1. ClearPass doesn't actually register how long they've been authenticated until after they manually disconnect from the network, and then reconnect

2. Clients are not getting derived to different roles based off of bandwidth consumption.

Does anyone want to take a stab at this? What should I look for?

Thanks in advance!

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: ClearPass Authentication Time issue

Do you have RADIUS interim accounting enabled?

Sent from Nine

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 110
Registered: ‎01-25-2013

Re: ClearPass Authentication Time issue

Hey Tim,

Yes, interim accounting is enabled.

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: ClearPass Authentication Time issue

Do you see the accounting messages reach the CPPM and do you see the statistics go up?

Frequent Contributor II
Posts: 110
Registered: ‎01-25-2013

Re: ClearPass Authentication Time issue

Ah sorry boneyard, I didn't see this response until I logged in.

I don't have visibility into their system, but I can check to see if they're seeing accounting messages. How quickly do they refresh? I think I need to check and see if UDP 1813 is open statefully as well, since they might not be getting return auth from RADIUS.

I'll let you know what I find out.

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: ClearPass Authentication Time issue

I believe you also need to set Log Accounting Interim-Update Packets to TRUE; you find this under server config, Service Parameters > Radius server, at the bottom.
