One of the really irritating things about ClearPass is how it copes with inner identity user-names.
Instead of it being something you set up in what goes out in an Access-Accept packet, there is a general server setting
Use Inner Identity in Access-Accept Reply
under the RADIUS server... and it's got to be set for each cluster member. Why on earth would you want to have some cluster members sending an inner identity and some not?
<rant>
There's a shedload of attributes you have to set up for individual cluster members that really, really should be set up as a global parameter.
If you've got a cluster, surely the idea is to make things simple. There can't be many parameters that need to be different once you start running a cluster.
</rant>
Anyway, back to Inner identity User-Name
Not only is enabling it tucked away somewhere in the config, you don't see it at all when looking through auth requests in Access-Tracker. It doesn't exist.
I proxy Accounting off to a FR server to store in a PostgreSQL db and I'm seeing a lot of outer User names instead of inner ones and need to check that they're actually getting out of ClearPass.
How can I see what's getting sent out, bearing in mind this is a busy production service?
Guess I could proxy accounting to another FR server running in debug mode.
Sigh!