07-08-2015 08:31 AM
I'm playing with using ClearPass to support Radius CoA on our Comware7 switches. Problem is that for a dot1x auth on a switch port the switch only sees the outer tunnel user-name, and in our case, it's got our realm in it (@york.ac.uk).
However, in my enforcement profile I'm currently using Radius:IETF:User-Name which returns the inner-tunnel User-Name ... and therefore the CoA request fails because email@example.com != @york.ac.uk
Can I get hold of the outer-tunnel User-Name in ClearPass to pass back in the Radius CoA?
07-08-2015 08:38 AM
07-08-2015 08:47 AM
07-08-2015 08:58 AM
Nope, not unless I can do a substring on it. Full-Name has firstname.lastname@example.org and User-Name has email@example.com.
This is part of the Radius CoA back to the switch which says I need
MAC address of the client
(cisco) command to execute
username of the user.
All the switch knows about is the outer tunnel User-Name, in our case @york.ac.uk. It's expecting
but it's getting
So says that it can't find the session to act upon.
07-30-2015 08:32 AM
Given that FreeRadius can be configured to allow you to access both the inner and outer tunnel User-Name and that it's used in ClearPass, guess this would be an enhancement request to have access to the outer User-Name.