I am Muthu from Nokia ( Fromerly Alcatel-lucent)
would like to know how to define Vendor ID in the radius Dictionary file.
The product we are using is ISAM 7360. The vendor id is 637
Please refer to the attachment. In the radius attribute i see only vendor id 800 and 3041 for alcatel. Would like to include the vendor ID 637 and use it for our testing . Please guide how to do it.
Thanks Cappalli will try that
I am unable to upload the file back to Clearpass The error is
" File contains invalid XML tags. Try export to see the valid XML tags"
Attached the file for reference can you point out anything i missed out
Its a 2 byte value defined in Hexadecimal. can i change that to integer and load it ?
After changing to Integer as well same issue
I think, there is a confusion between attribute ID vs attribute values. You need the correct attribute IDs to import the dictinory. I
see you have converted the hex values to decimel and added them as IDs. That will not work, I haven't seen IDs of 4 digits yet :)
For Ex: 0x06A1 >> 1697.Is "0x06A1" hex value need to be return with the attribute "A-ESAM-PoL-Fwd-ID"?
If yes, then find out the correct IDs for the below three attributes and then import the dictionary.
You need to use the type "Unsigned32" instead of "Integer".
If you want to return hex values, then use the type "OctetArray".
Let me try that and get back. In the mean time is there a way to define attributes length from the Clearpass GUI /CLI . here in this case looking for 2 bytes value to be defined
You do not need to define the attribute length, whatever the type you choose will take the 2 bytes value. Do test and let us know if you face any issue.
Thanks i am able to upload the file now. will test and get back for any help
Thanks once again
Now able to load the dictionary file. I proceeded with the testing, i am facing issue "Failed to classify request to service"
Attached the failure message and configuration done. can you please help.
if i need to post this issue in separate thread let me know that as well.
The service rules are incorrect.
Most of the below attributes are meant to be passed in the enforcement profiles. You need to use NAS-IP-address in the rules and not the Framed-IP-Address.
Basically, the service rules should match the incoming radius attributes in the authentication request to categorize the service.
Incoming attributes in the request:
Input RADIUS Attributes -Radius:IETF:Acct-Session-Id = 145:02:59:00003Radius:IETF:Calling-Station-Id = 0x1035000001 [.5...]Radius:IETF:NAS-Identifier = MyNASIDRadius:IETF:NAS-IP-Address = 135.x.x.xRadius:IETF:NAS-Port = 79825984Radius:IETF:NAS-Port-Id = eth 1/1/03/2/4/1/1Radius:IETF:NAS-Port-Type = 15Radius:IETF:User-Name = polclient1
Your service rule.
I strongly recommend you to refer the ClearPass user guide or browser the community for better understanding of Service creation.
You can start with the below service rules and proceed the testing.
Do let me know if you have any further queries.
i will try out that i. Before your reply i tried with attribute set as given below in clearpass server i see authentication has been successful but in our box ( ISAM 7360 the vlan attribute not passed successfuly and it has failed)
Name Operator Value 1. Connection Protocol EQUALS RADIUS2. Radius:IETF Service-Type EQUALS Framed-User (2)3. Radius:IETF Framed-IP-Address EQUALS x.x.x.x4. Radius:IETF Framed-IP-Netmask EQUALS x.x.x.x5. Radius:IETF Framed-MTU EQUALS 15006. Radius:IETF Tunnel-Type EQUALS VLAN (13)7. Radius:IETF Tunnel-Medium-Type EQUALS IEEE-802 (6)8. Radius:IETF Tunnel-Private-Group-Id EQUALS 1009. Radius:Alcatel-lucent A-ESAM-PoL-Fwd-ID EQUALS 23010. Radius:Alcatel-lucent A-ESAM-PoL-Vp-ID EQUALS 23011. Radius:Alcatel-lucent A-ESAM-PoL-Client-Type EQUALS 1
I believe, you had the service rule set to matches ANY. You need to pass the VLAN 100 in an enforcement profile.
You can import the attached sample service and check the enforcement policy/profile.
Thanks a lot for your help
I loaded the file you have given and tested . It worked fine. Meaning the authentication was successful and the vlan 100 was assigned. ( Tunnel ID).
Now i choosen only VSA attributes and trying to assign vlan which is failing. The issue i figure out from the radius response is the vlan to be assigned by radius to the user which is defined by the VSA A-ESAM-PoL-Fwd-ID whose value defined is 230 but the radius server is returning 0x323330 because of which authentication has failed. i have defined this attribute as Octet array ( note in Free radius defined the same as string) Attached the service, enforcement profile and policy. can you please let me know anything else to be changed.
Change the data type to string for A-ESAM-PoL-Fwd-ID in the dictionary and re-import it. Test the authentication after the import and test the result.
tried that as well , still same issue. Suspect its not recongnising it as 2 bytes value not sure.
Debug msg from our box states
"Length of Alcatel Vendor sub attribute is more than Main attribute length"
"Validation of the Attributes in the Received packet failed"
This issue is not seen with Free radius
i did not reboot the Aruba Clear pass after setting the attribute to String
i will try that as well.
Can you also try the type as integer (Unsigned32)?
Restart the radius and policy services after importing the dictionary.
Navigate to: Administration >> Server Manager >> Server Configuration >> <click on ClearPass server name> >> Services Control and stop/start the services.
You can dump the packet capture from freeradius and check the radius Accept packet to understand the returned attribute and compare it with ClearPass radius accept (output).
tried both the string and unsigned both the times ISAM fails it.
But in the free radius with attribute defined as string it works fine.
Surprisingly the radius message output of both the unsigned and string shows value as 230 from aruba which i am expecting but the encoding/formatting is creating the problem.
very close to the solution but still eluding can you please help
details from radius, the error message from the box when it fails for unsigned and string are given below
Authentication successful when done from free radius serveratribute set as string and hexadecimaluser profile in free radius=====================polclient2 Cleartext-Password := "xxxxxxxxxx" Service-Type = Framed-User, Framed-IP-Address = 126.96.36.199, Framed-IP-Netmask = 255.255.255.0, Framed-MTU = 1500, A-ESAM-PoL-Fwd-ID = 230, A-ESAM-PoL-Vp-ID = 230, A-ESAM-PoL-Client-Type = 1,
response From free radius server===========================Sending Access-Accept of id 96 to 188.8.131.52 port 10000 Service-Type = Framed-User Framed-IP-Address = 184.108.40.206 Framed-IP-Netmask = 255.255.255.0 Framed-MTU = 1500 A-ESAM-PoL-Fwd-ID = "230" A-ESAM-PoL-Vp-ID = 230 A-ESAM-PoL-Client-Type = 1 EAP-Message = 0x03020004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "polclient2"
From ISAM box============Received packet on the Authentication Port.Auth Server Address 87f92ffb Received ACCESS_ACCEPT.ATTRIBUTES in the Received Packet:-FRAMED_IP_ADDRESS: -2013713982VSA dynamic sVlan=0, cVlan=230,forwarder Id: e6VSA dynamic user Vlan Id: 230
when set as string and unsigned both the times authentication failed.when set as string fails with More than attribute lengthwhen set as unsigned failes with minimum length not matched
when set as string in aruba dictionary======================================
From ISAM box=============Received packet on the Authentication Port.Auth Server Address 87f92b6fLength of Alcatel Vendor sub attribute is more than Main attribute lengthValidation of the Attributes in the Received packet failed
when set as unsigned integer in aruba dictionary========================================Received packet on the Authentication Port.Auth Server Address 87f92b6fMinimum length of Alcatel Vendor sub attribute is not validValidation of the Attributes in the Received packet failed
can you look into this and suggest way to define the attribute
Please open a TAC case for this.
This needs investigation.
will open a TAC case
raised case 5328193205
Has this issue been resolved?
This has been resolved using Aruba clearpass Hotfix
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2020 Hewlett Packard Enterprise Development LPAll Rights Reserved.