Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Obtaining outer tunnel User-Name value to return in Radius CoA

  • 1.  Obtaining outer tunnel User-Name value to return in Radius CoA

    Posted Jul 08, 2015 11:31 AM

    Hi,

    I'm playing with using ClearPass to support Radius CoA on our Comware7 switches.  Problem is that for a dot1x auth on a switch port the switch only sees the outer tunnel user-name, and in our case it's got our realm in it (@york.ac.uk)

     

    However, in my enforcement profile I'm currently using Radius:IETF:User-Name which returns the inner-tunnel User-Name .... and therefore the CoA request fails because fred@york.ac.uk != @york.ac.uk

     

    Can I get hold of the outer-tunnel User-Name in clearpass to pass back in the radius CoA?

    Rgds

    A

     

     



  • 2.  RE: Obtaining outer tunnel User-Name value to return in Radius CoA

    EMPLOYEE
    Posted Jul 08, 2015 11:39 AM
    When you look under computer attributes, does Authentication:Full-Username
    show the inner identity?


  • 3.  RE: Obtaining outer tunnel User-Name value to return in Radius CoA

    Posted Jul 08, 2015 11:46 AM

    Yup, shows inner identity  .... but I need the outer one ... :-((

     



  • 4.  RE: Obtaining outer tunnel User-Name value to return in Radius CoA

    EMPLOYEE
    Posted Jul 08, 2015 11:48 AM
    Right, but you need to be sending the inner-identity back, correct? (The
    FQUN?)



    So you can use %{Authentication:Full-Username}


  • 5.  RE: Obtaining outer tunnel User-Name value to return in Radius CoA

    Posted Jul 08, 2015 11:59 AM

    Nope, not unless I can do a substring on it. Full-Name has userid@york.ac.uk, and User-Name has userid@york.ac.uk.

     

    This is part of the Radius CoA back to the switch, which says I need:

    MAC address of the client

    (cisco) command to execute

    username of the user.

     

    All the switch knows about is the outer tunnel User-Name, in our case @york.ac.uk. It's expecting

     

    User-Name=@york.ac.uk

    Calling-Station-Id=aa-bb-cc-dd-ee-ff

    cisco-avipair="........"

    but it's getting

     

    User-Name=userid@york.ac.uk

    Calling-Station-Id=aa-bb-cc-dd-ee-ff

    cisco-avipair="........"

     

    So it says that it can't find the session to act upon.
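An added illustration of the mismatch described above (example code written for this page, not code from the thread or from ClearPass): it derives the anonymous "@realm" outer identity from the inner Full-Username by the substring the poster asks about, builds the three CoA attributes, and runs them against a simplified, constructed model of the switch's session table. The session lookup and the sample data are assumptions for the example, not Comware's real matching logic; the cisco-avpair value is a placeholder because the thread elides it.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SwitchSession:
    """Constructed model of what the authenticator holds for an 802.1X session:
    the User-Name it saw in the outer EAP identity and the client's MAC."""
    user_name: str
    calling_station_id: str


def normalise_mac(mac: str) -> str:
    """Canonical MAC form so aa-bb-cc-dd-ee-ff, AA:BB:... and aabb.ccdd.eeff compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def outer_identity(inner_identity: str) -> str:
    """Derive the anonymous outer identity ('@realm') from 'userid@realm'.
    Assumes the supplicant sends only the realm as its outer identity, as in
    the thread; a name without a realm is returned unchanged."""
    if "@" not in inner_identity:
        return inner_identity
    return "@" + inner_identity.rsplit("@", 1)[1]


def build_coa(full_username: str, calling_station_id: str, avpair: str,
              use_outer_identity: bool) -> dict:
    """Attributes placed in the CoA. With use_outer_identity=False this mirrors
    returning %{Authentication:Full-Username}, i.e. the inner identity."""
    user_name = outer_identity(full_username) if use_outer_identity else full_username
    return {"User-Name": user_name,
            "Calling-Station-Id": calling_station_id,
            "cisco-avpair": avpair}


def find_session(sessions, coa):
    """Simplified switch-side lookup: the CoA must match on both User-Name and MAC."""
    for s in sessions:
        if (s.user_name == coa["User-Name"]
                and normalise_mac(s.calling_station_id) == normalise_mac(coa["Calling-Station-Id"])):
            return s
    return None


if __name__ == "__main__":
    # Constructed sample session: the switch only learned the outer identity.
    sessions = [SwitchSession("@york.ac.uk", "aa-bb-cc-dd-ee-ff")]
    for outer in (False, True):
        coa = build_coa("fred@york.ac.uk", "aa-bb-cc-dd-ee-ff", "<command placeholder>", outer)
        print(coa["User-Name"], "->", "matched" if find_session(sessions, coa) else "no session")
```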

     



  • 6.  RE: Obtaining outer tunnel User-Name value to return in Radius CoA

    Posted Jul 30, 2015 11:32 AM

    Given that FreeRadius can be configured to allow you to access both the inner and outer tunnel User-Name, and that it's used in ClearPass, guess this would be an enhancement request to have access to the outer User-Name