Super Contributor II

Inner Identity visibility

One of the really irritating things about ClearPass is how it copes with inner identity user-names.


Instead of it being something you set up in what goes out in an Access-Accept packet, there is a general server setting 


Use Inner Identity in Access-Accept Reply


under the RADIUS server... and it's got to be set for each cluster member. Why on earth would you want to have some cluster members sending an inner identity and some not?


There's a shedload of attributes you have to set up for individual cluster members that really really should be set up as a global parameter.


If you've got a cluster, surely the idea is to make things simple. There can't be many parameters that need to be different once you start running a cluster.



Anyway, back to Inner identity User-Name

Not only is enabling it tucked away somewhere in the config, you don't see it at all when looking through auth requests in Access-Tracker. It doesn't exist.


I proxy Accounting off to a FR server to store in a PostgreSQL db and I'm seeing a lot of outer User names instead of inner ones and need to check that they're actually getting out of ClearPass.

How can I see what's getting sent out, bearing in mind this is a busy production service?


Guess I could proxy accounting to another FR server running in debug mode.



Guru Elite

Re: Inner Identity visibility

Add this to your enforcement profile:

[Image: Screenshot 2018-02-28 at 06.05.00.png]

You will not have to enable the "Use Inner Identity in Access-Accept Reply" parameter. 

Colin Joseph
Aruba Customer Engineering
