Super Contributor II

Clearpass using Radius Proxy Access Accept Attributes

For various reasons, I temporarily have to proxy off ethernet based Mac-auths to another (freeradius) radius server for authentication. The FR server will return an access-accept packet with VLAN information present. What do I have to do at the Enforcement Profile level in my RADIUS proxy service to ensure that these attributes are passed back to the originating RAS device?

 

Rgds

Alex

 

Super Contributor II

Re: Clearpass using Radius Proxy Access Accept Attributes

Should point out that although my dev server is running 6.5 and there is a radius auth source available, my production setup is running 6.4.5, so I guess I need an answer for 6.4.5 while I play with 6.5

 

A

Super Contributor II

Re: Clearpass using Radius Proxy Access Accept Attributes

o.k

 

I've created a radius proxy auth source in CPPM 6.5 called UoY Radius Auth Source - 270315. This is so I can proxy off mac-auths to a FreeRadius server that returns a vlan (Tunnel-private-group-id) in the Access-Accept packet

Radius-auth-source.tiff


This is the service that's invoked
radius-proxy-service.png

I can see the mac auth going to the remote server and an access accept coming back with the right attributes in it.


radius-proxy-input.png
My enforcement policy is shown below

radius-proxy-enforcement policy.png

Initially I had the default profile set up [deny access profile] but any auths that came in used that profile, so something is wrong with my condition above.

and the enforcement profile is

radius-proxy-enforcement profile.png

All I get out in the Access-Accept packet sent to the switch is
radius-proxy-response-packets.png

What have I done wrong with my calculated attributes %{Authorization…….} that they're not visible?

Super Contributor II

Re: Clearpass using Radius Proxy Access Accept Attributes

o.k. got the enforcement profile sorted and I'm now returning the correct radius attributes. Just need to sort out the enforcement policy where I select the enforcement profile. I want to check that the Access-Accept from the remote RADIUS proxy has a Tunnel-Private-Group-Id attribute. How would I do that? If it's not there I'll want to invoke another profile.

 

Guru Elite

Re: Clearpass using Radius Proxy Access Accept Attributes

Removed. Misread

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480