Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius Accounting Proxy issue with third party wireless controllers

  • 1.  Radius Accounting Proxy issue with third party wireless controllers

    Posted Dec 22, 2015 12:32 PM

    Hi,

     

    I am experimenting with the RADIUS Accounting Proxy feature in ClearPass to proxy accounting information to our Fortigate firewall. I also add the IETF Filter-Id attribute to send the user role. Everything works as expected with our Aruba controllers, but we still have another wireless vendor network that we have to live with for a while, and we need to proxy the accounting information with the added user role the same way as we do with the Aruba controllers. The problem I'm having is that ClearPass does not proxy any accounting information coming from these third party controllers at all. I did a packet capture on the ClearPass server and the accounting data is getting there. The users get authenticated and everything looks OK in Access Tracker, but I get this error in Accounting: "Some other user deleted this record; please refresh your screen". We have CPPM 6.5.4 and I used this tech note as a reference: http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Method/attachment/Default.aspx?EntryId=18160

     

    Any Ideas what’s going on?

     

    Thanks,

     

    Robert



  • 2.  RE: Radius Accounting Proxy issue with third party wireless controllers

    Posted Dec 22, 2015 06:37 PM

    Robert,

     

    Hope my TechNote got you started. Please raise a support ticket and ask that I be included on the updates.....

     

    I can track it and escalate to the specific engineer who wrote the proxy accounting code.

     

    A packet capture coming from the other third party wireless [with an 1813 filter would also be nice].



  • 3.  RE: Radius Accounting Proxy issue with third party wireless controllers

    Posted Dec 23, 2015 03:44 PM

    Danny,

     

    I opened a ticket and I asked that you be included in the updates.

     

    About the error in accounting, I noticed this was happening when I use my Windows 10 domain-joined computer. I don't get this error with my iPhone, but the accounting is not forwarded anyway.

     

    Thanks,

    Attachment(s)

    zip
    Acct3rdParty.zip   455 B 1 version


  • 4.  RE: Radius Accounting Proxy issue with third party wireless controllers

    Posted Dec 23, 2015 04:39 PM

    Rob,

     

    Thanks for doing that. Can you ping me the TAC Case# please?

     

    Cheers.



  • 5.  RE: Radius Accounting Proxy issue with third party wireless controllers

    Posted Dec 23, 2015 05:03 PM

    Sure, here it is

    Case number: 1808450



  • 6.  RE: Radius Accounting Proxy issue with third party wireless controllers

    Posted Jan 07, 2016 07:35 PM

    I chased this up and spoke to DEV. They told me the issue relates to the fact that the NAS is NOT sending the Class attribute in the RADIUS accounting. Hopefully the NAS can be configured to add this attribute.



  • 7.  RE: Radius Accounting Proxy issue with third party wireless controllers

    Posted Jan 08, 2016 10:22 AM

    Hi Danny,

     

    Thanks for the update. You're right, the Class attribute is not sent in the RADIUS accounting; I hadn't noticed before. The bad news for me is that there is no way to configure this and there are no more updates available for these controllers.

     

    Do you know why this attribute is mandatory to proxy the accounting and it is not just sent as-is with the filter-id added by ClearPass?

     

    Robert



  • 8.  RE: Radius Accounting Proxy issue with third party wireless controllers

    Posted Jan 08, 2016 11:27 AM

    Robert,

     

    We use it internally in CPPM to allow us to track the session. I'm not down in the code, but when we learn about a session we place it in a table we call Multi-Master-Cache [we call it battery internally]. This is a table that is real-time replicated across all other nodes in that cluster, or zone if you have zones, and used to track these sessions, but we need this attribute, is what DEV told me. Now, the lack of this attribute is the root of the message you have been seeing in the Monitoring/Accounting logs.

     

    HTH.

     

     



  • 9.  RE: Radius Accounting Proxy issue with third party wireless controllers

    Posted Jan 15, 2016 09:23 AM

    I have two outstanding support calls relating to proxying of accounting info to a 3rd party RADIUS server (Freeradius 2.2.9)

     

    Issue 1

    I add the Filter-Id attribute to the outgoing accounting packet containing the username associated with the session. Initially it didn't work. Now it works ..... sort of. A lot of the time it does have the username associated with the auth session .... otherwise it has someone else's username or no Filter-Id attribute at all!

     

    Issue 2

    If I try rolling accounting proxying out over all my services, the policy manager hangs and the RADIUS module sends access-rejects to everyone.

    Eventually a watchdog (?) restarts the policy manager and some auths work correctly ... then it hangs again ... and the loop goes round.

     

    Managed to configure things so 1 service can proxy accounting packets by "tweaking" a policy manager thread setting, but that's only for 1 service doing accounting

     

    A



  • 10.  RE: Radius Accounting Proxy issue with third party wireless controllers

    Posted Jan 15, 2016 04:15 PM

    Alex,

     

    Please send me the TAC # please?

     

    djump@hpe.com.

     

    Cheers.