Security

last person joined: 15 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

how to define Vendor ID in clearpass for an enterprise

Jump to Best Answer

MuthuMar 16, 2018 05:27 AM

cappalliMar 16, 2018 09:54 AM

  • 1.  how to define Vendor ID in clearpass for an enterprise

    Posted Mar 16, 2018 04:50 AM

    Hi All

     

    I am Muthu from Nokia ( Fromerly Alcatel-lucent)

    would like to know how to define Vendor ID in the radius Dictionary file.

    The product we are using is ISAM 7360. The vendor id is 637

    Please refer to the attachment.  In the radius attribute i see only vendor id 800 and 3041 for alcatel. Would like to include the vendor ID 637 and use it for our testing . Please guide how to do it.

     

    Thanks,

    S.Muthukannan



  • 2.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 16, 2018 04:54 AM
    Export an existing dictionary, modify, then reimport.


  • 3.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 16, 2018 05:27 AM

    Thanks Cappalli will try that



  • 4.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 16, 2018 06:17 AM
      |   view attached

    Hi Cappalli,

     

    I am unable to upload the file back to Clearpass The error is

    " File contains invalid XML tags. Try export to see the valid XML tags"

    Attached the file for reference can you point out anything i missed out

    Attachment(s)

    docx
    alcatel-637-id.xml.docx   12K 1 version


  • 5.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 16, 2018 09:54 AM
    The ID needs to be an integer.


  • 6.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 16, 2018 10:19 AM

    Its a 2 byte value  defined in Hexadecimal. can i change that to integer and load it ?



  • 7.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 16, 2018 10:48 AM
      |   view attached

    After changing to Integer as well same issue

    Attachment(s)



  • 8.  RE: how to define Vendor ID in clearpass for an enterprise
    Best Answer

    Posted Mar 19, 2018 07:08 AM

    Hi Muthu,

     

    I think, there is a confusion between attribute ID vs attribute values. You need the correct attribute IDs to import the dictinory. I

    see you have converted the hex values to decimel and added them as IDs. That will not work, I haven't seen IDs of 4 digits yet :)

     

    For Ex: 0x06A1 >> 1697.

    Is "0x06A1" hex value need to be return with the attribute "A-ESAM-PoL-Fwd-ID"?

    If yes, then find out the correct IDs for the below three attributes and then import the dictionary. 

     

    A-ESAM-PoL-Fwd-ID
    A-ESAM-PoL-Vp-ID

    A-ESAM-PoL-Client-Type

     

    Notes:

    You need to use the type "Unsigned32" instead of "Integer".

    If you want to return hex values, then use the type "OctetArray".



  • 9.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 19, 2018 07:16 AM

    Saravanan,

    Let me try that and get back. In the mean time is there a way to define attributes length from the Clearpass GUI /CLI . here in this case looking for 2 bytes value to be defined

     

    Thanks

    S.Muthukannan



  • 10.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 19, 2018 07:24 AM

    You do not need to define the attribute length, whatever the type you choose will take the 2 bytes value. Do test and let us know if you face any issue.



  • 11.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 19, 2018 08:12 AM

    Saravanan,

     

    Thanks i am able to upload the file now. will test and get back for any help

     

    Thanks once again

    S.Muthukannan



  • 12.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 20, 2018 06:18 AM

    Hi Saravan,

     

    Now able to load the dictionary file. I proceeded with the testing, i am facing issue "Failed to classify request to service"

    Attached the failure message and configuration done. can you please help.

    if i need to post this issue in separate thread let me know that as well.

     

    Thanks,

    S.Muthukannan

    Attachment(s)

    zip
    aruba-cfg.zip   2K 1 version


  • 13.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 20, 2018 08:25 AM

    Hi,

     

    The service rules are incorrect.

    Most of the below attributes are meant to be passed in the enforcement profiles. You need to use NAS-IP-address in the rules and not the Framed-IP-Address.

     

    Basically, the service rules should match the incoming radius attributes in the authentication request to categorize the service.

     

    Incoming attributes in the request:

    Input RADIUS Attributes -
    Radius:IETF:Acct-Session-Id = 145:02:59:00003
    Radius:IETF:Calling-Station-Id = 0x1035000001 [.5...]
    Radius:IETF:NAS-Identifier = MyNASID
    Radius:IETF:NAS-IP-Address = 135.x.x.x
    Radius:IETF:NAS-Port = 79825984
    Radius:IETF:NAS-Port-Id = eth 1/1/03/2/4/1/1
    Radius:IETF:NAS-Port-Type = 15
    Radius:IETF:User-Name = polclient1

     

    Your service rule.

    service_rule.pngI strongly recommend you to refer the ClearPass user guide or browser the community for better understanding of Service creation.

    You can start with the below service rules and proceed the testing.

    service_rule_start.png

     

    Do let me know if you have any further queries.



  • 14.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 20, 2018 09:10 AM

    Hi Saravanan,

     

    i  will try out that i. Before your reply i tried with attribute set as given below in  clearpass server i see authentication has been successful but in our box ( ISAM 7360 the vlan attribute not passed successfuly and it has failed)

     Name  Operator  Value 
    1.  Connection Protocol EQUALS RADIUS
    2.  Radius:IETF Service-Type EQUALS Framed-User (2)
    3.  Radius:IETF Framed-IP-Address EQUALS x.x.x.x
    4.  Radius:IETF Framed-IP-Netmask EQUALS x.x.x.x
    5.  Radius:IETF Framed-MTU EQUALS 1500
    6.  Radius:IETF Tunnel-Type EQUALS VLAN (13)
    7.  Radius:IETF Tunnel-Medium-Type EQUALS IEEE-802 (6)
    8.  Radius:IETF Tunnel-Private-Group-Id EQUALS 100
    9.  Radius:Alcatel-lucent A-ESAM-PoL-Fwd-ID EQUALS 230
    10.  Radius:Alcatel-lucent A-ESAM-PoL-Vp-ID EQUALS 230
    11.  Radius:Alcatel-lucent A-ESAM-PoL-Client-Type EQUALS 1

     

    Thanks,

    S.Muthukannan



  • 15.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 20, 2018 09:22 AM
      |   view attached

    I believe, you had the service rule set to matches ANY. You need to pass the VLAN 100 in an enforcement profile.

     

    You can import the attached sample service and check the enforcement policy/profile.

    Attachment(s)

    zip
    Service.xml.zip   2K 1 version


  • 16.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 22, 2018 02:21 AM

    Hi Saravanan,

    Thanks a lot for  your help

    I loaded the file you have given and tested . It worked fine. Meaning the authentication was successful and the vlan 100 was assigned. ( Tunnel ID).

    Now i choosen only VSA attributes and trying to assign vlan which is failing. The issue i figure out from the radius response is the vlan to be assigned by radius to the user which is defined by the VSA A-ESAM-PoL-Fwd-ID whose value defined is 230 but the radius server is returning 0x323330 because of which authentication has failed. i have defined this attribute as Octet array ( note in Free radius defined the same as string) Attached the service, enforcement profile and policy. can you please let me know anything else to be changed.

    Thanks,
    S.Muthukannan

    Attachment(s)



  • 17.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 22, 2018 06:02 AM

    Change the data type to string for A-ESAM-PoL-Fwd-ID in the dictionary and re-import it. Test the authentication after the import and test the result.



  • 18.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 22, 2018 06:11 AM

    Saravanan,

     

    tried that as well , still same issue.  Suspect its not recongnising it as 2 bytes value not sure.

     

    Debug msg from our box states

    "Length of Alcatel Vendor sub attribute is more than Main attribute length"

    "Validation of the Attributes in the Received packet failed"

    This issue is not seen with Free radius

     

    i did not reboot the Aruba Clear pass  after setting the attribute to String

    i will try that as well.

     

    Thanks,

    S.Muthukannan.

     



  • 19.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 22, 2018 06:25 AM

    Can you also try the type as integer (Unsigned32)?

     

    Restart the radius and policy services after importing the dictionary.

     

    Navigate to: Administration >> Server Manager >> Server Configuration >> <click on ClearPass server name> >> Services Control and stop/start the services.

     

    You can dump the packet capture from freeradius and check the radius Accept packet to understand the returned attribute and compare it with ClearPass radius accept (output).



  • 20.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 22, 2018 08:29 AM

    Hi Saravan

    tried both the string and unsigned both the times ISAM fails it.

    But in the free radius with attribute defined as string it works fine.

    Surprisingly the radius message output of both the unsigned and string shows value as 230 from aruba which i am expecting but the encoding/formatting is creating the problem.

    very close to the solution but still eluding can you please help

    details from radius, the error message from the box when it fails for unsigned and string are given below

     

    Authentication successful when done from free radius server
    atribute set as string and hexadecimal
    user profile in free radius
    =====================
    polclient2  Cleartext-Password := "xxxxxxxxxx"
           Service-Type = Framed-User,
           Framed-IP-Address = 135.249.41.194,
           Framed-IP-Netmask = 255.255.255.0,
           Framed-MTU = 1500,
           A-ESAM-PoL-Fwd-ID = 230,
           A-ESAM-PoL-Vp-ID = 230,
           A-ESAM-PoL-Client-Type = 1,

    response From free radius server
    ===========================
    Sending Access-Accept of id 96 to 135.249.41.194 port 10000
            Service-Type = Framed-User
            Framed-IP-Address = 135.249.41.194
            Framed-IP-Netmask = 255.255.255.0
            Framed-MTU = 1500
            A-ESAM-PoL-Fwd-ID = "230"
            A-ESAM-PoL-Vp-ID = 230
            A-ESAM-PoL-Client-Type = 1
            EAP-Message = 0x03020004
            Message-Authenticator = 0x00000000000000000000000000000000
            User-Name = "polclient2"

    From ISAM box
    ============
    Received packet on the Authentication Port.
    Auth Server Address 87f92ffb
     Received ACCESS_ACCEPT.
    ATTRIBUTES in the Received Packet:-
    FRAMED_IP_ADDRESS:      -2013713982
    VSA dynamic sVlan=0, cVlan=230,forwarder Id: e6
    VSA dynamic user Vlan Id: 230


    when set as string and unsigned both the times authentication failed.
    when set as string fails with More than attribute length
    when set as unsigned failes with minimum length not matched

    when set as string in aruba dictionary
    ======================================

    From ISAM box
    =============
    Received packet on the Authentication Port.
    Auth Server Address 87f92b6f
    Length of Alcatel Vendor sub attribute is more than Main attribute length
    Validation of the Attributes in the Received packet failed

    when set as unsigned integer in aruba dictionary
    ========================================
    Received packet on the Authentication Port.
    Auth Server Address 87f92b6f
    Minimum length of Alcatel Vendor sub attribute is not valid
    Validation of the Attributes in the Received packet failed

     



  • 21.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 23, 2018 03:13 AM

    Saravanan

    can you look into this and suggest way to define the attribute

     

    Thanks,

    S.Muthukannan



  • 22.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 23, 2018 05:40 AM

    Hi, 

     

    Please open a TAC case for this.

    This needs investigation.



  • 23.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 23, 2018 06:47 AM

    saravanan,

     

    will open a TAC case

     

    Thanks,

    S.Muthukannan



  • 24.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 28, 2018 07:42 AM

    raised case 5328193205                                                                                                

    Thanks,

    S.Muthukannan



  • 25.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Aug 11, 2019 12:51 AM

    Hi there,

    Has this issue been resolved?

     

    Thanks



  • 26.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Aug 12, 2019 09:00 AM

    This has been resolved using Aruba clearpass Hotfix



  • 27.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 16, 2018 06:28 AM

    Hi Cappalli,

     

    I am unable to upload the file back to Clearpass The error is

    " File contains invalid XML tags. Try export to see the valid XML tags"

    Attached the file for reference can you point out anything i missed out