Super Contributor I
Posts: 303
Registered: ‎02-07-2013

Clearpass using Radius Proxy Access Accept Attributes

For various reasons, I temporarily have to proxy off ethernet-based MAC auths to another (FreeRADIUS) RADIUS server for authentication. The FR server will return an Access-Accept packet with VLAN information present. What do I have to do at the Enforcement Profile level in my RADIUS proxy service to ensure that these attributes are passed back to the originating RAS device?

 

Rgds

Alex

 

Super Contributor I
Posts: 303
Registered: ‎02-07-2013

Re: Clearpass using Radius Proxy Access Accept Attributes

Should point out that although my dev server is running 6.5 and there is a radius auth source available, my production setup is running 6.4.5, so I guess I need an answer for 6.4.5 while I play with 6.5

 

A

Super Contributor I
Posts: 303
Registered: ‎02-07-2013

Re: Clearpass using Radius Proxy Access Accept Attributes

o.k

 

I've created a RADIUS proxy auth source in CPPM 6.5 called UoY Radius Auth Source - 270315. This is so I can proxy off MAC auths to a FreeRADIUS server that returns a VLAN (Tunnel-Private-Group-Id) in the Access-Accept packet.

Radius-auth-source.tiff


This is the service that's invoked
radius-proxy-service.png

I can see the mac auth going to the remote server and an access accept coming back with the right attributes in it.


radius-proxy-input.png
My enforcement policy is shown below

radius-proxy-enforcement policy.png

Initially I had the default profile set up [deny access profile] but any auths that came in used that profile, so something is wrong with my condition above.

and the enforcement profile is

radius-proxy-enforcement profile.png

All I get out in the Access-Accept packet sent to the switch is
radius-proxy-response-packets.png

What have I done wrong with my calculated attributes %{Authorization…….} that they're not visible?

Super Contributor I
Posts: 303
Registered: ‎02-07-2013

Re: Clearpass using Radius Proxy Access Accept Attributes

o.k. got the enforcement profile sorted and I'm now returning the correct RADIUS attributes. Just need to sort out the enforcement policy where I select the enforcement profile. I want to check that the Access-Accept from the remote RADIUS proxy has a Tunnel-Private-Group-Id attribute. How would I do that? If it's not there I'll want to invoke another profile.

 

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Clearpass using Radius Proxy Access Accept Attributes

[ Edited ]
Removed. Misread

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480