
Clearpass RADIUS attribute filtering

  • 1.  Clearpass RADIUS attribute filtering

    Posted Feb 19, 2020 05:08 AM

    We are a UK university that is part of eduroam and we are looking to perform RADIUS attribute filtering for attributes sent back in RADIUS messages from other organisations, e.g. if a VSA is sent specifying a role that is unknown to our wireless.

    I can see plenty of guides on how to do this in FreeRADIUS but it isn't obvious how this would be done in ClearPass.

     

    Thanks

    Ross



  • 2.  RE: Clearpass RADIUS attribute filtering

    Posted Feb 19, 2020 09:44 AM

    On the "Proxy Targets" tab of your RADIUS Proxy Service there's a section for excluding RADIUS attributes in replies from your RADIUS proxies.



  • 3.  RE: Clearpass RADIUS attribute filtering

    Posted Feb 20, 2020 11:37 AM

    Hi James

    Thanks for the response, but how would this be done in reverse? Is there a way to filter on tx rather than rx?

    We have some Cisco wireless that connects through our ClearPass and then out to our national proxies. We authenticate our users via ClearPass and need to proxy out the visitors; the Cisco wireless adds lots of extra attributes that we don't want to send out in the requests.



  • 4.  RE: Clearpass RADIUS attribute filtering

    Posted Feb 21, 2020 04:30 AM

    As far as I'm aware, it is not possible to add, remove or alter VSAs sent to a RADIUS proxy target server in ClearPass. ClearPass just proxies the RADIUS request that it receives without altering it, but can strip out any attributes that return.

     

    I don't know if there's anything you can do on your Cisco kit to limit what is sent?



  • 5.  RE: Clearpass RADIUS attribute filtering

    Posted Feb 21, 2020 06:30 AM

    Unfortunately we don't have access to the Cisco controller; it is a hospital that publishes our SSID that we authenticate the users for.
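
An added example, not part of the original posts and not ClearPass or FreeRADIUS code: the reply-side filtering discussed in this thread, shown as a Python parser that walks the attributes of a RADIUS reply (RFC 2865 layout) and reports which ones an allow-list would keep or strip. The function names, the allow-list and the sample packet are assumptions constructed for illustration; the code classifies attributes only and does not rewrite or re-sign the packet.

```python
import struct

VSA = 26  # Vendor-Specific attribute type (RFC 2865)

def build_attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_vsa(vendor_id, vendor_type, data):
    sub = bytes([vendor_type, len(data) + 2]) + data
    return build_attr(VSA, struct.pack("!I", vendor_id) + sub)

def parse_attributes(packet):
    """Yield (type, vendor_id or None) for each attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        vendor = None
        if attr_type == VSA:
            if len(value) < 4:
                raise ValueError("VSA too short for a vendor id")
            vendor = struct.unpack("!I", value[:4])[0]
        yield attr_type, vendor
        pos += attr_len

def split_reply(packet, allowed_types, allowed_vendors):
    """Return (kept, stripped): VSAs are judged by vendor id, others by type."""
    kept, stripped = [], []
    for attr_type, vendor in parse_attributes(packet):
        ok = vendor in allowed_vendors if attr_type == VSA else attr_type in allowed_types
        (kept if ok else stripped).append((attr_type, vendor))
    return kept, stripped

# Constructed sample: an Access-Accept (code 2) as it might arrive from a proxy target.
_attrs = (build_attr(27, struct.pack("!I", 3600))      # Session-Timeout
          + build_attr(25, b"visitor")                 # Class
          + build_vsa(14823, 1, b"staff-role")         # VSA, vendor id 14823 (Aruba)
          + build_vsa(9, 1, b"example=1"))             # VSA, vendor id 9 (Cisco)
SAMPLE = struct.pack("!BBH", 2, 1, 20 + len(_attrs)) + bytes(16) + _attrs

if __name__ == "__main__":
    print(split_reply(SAMPLE, allowed_types={25, 27}, allowed_vendors=set()))
```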