Security

last person joined: 7 minutes ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass RADIUS attribute filtering

  • 1.  Clearpass RADIUS attribute filtering

    Posted Feb 19, 2020 05:08 AM

    We are a UK university part of eduroam and we are looking to perform RADIUS attribute filtering for attributes sent back in RADIUS messages from other organisations. E.g. if a VSA is sent specifiying a role that is unknown to our wireless. 

    I can see plenty of guides of how to do this in freeradius but it isn't obvious how this would be done in Clearpass.

     

    Thanks

    Ross



  • 2.  RE: Clearpass RADIUS attribute filtering

    Posted Feb 19, 2020 09:44 AM

    On the "Proxy Targets" tab of your RADIUS Proxy Service there's a section for excluding RADIUS attributes in replies from your RADIUS proxies.



  • 3.  RE: Clearpass RADIUS attribute filtering

    Posted Feb 20, 2020 11:37 AM

    Hi James

    Thanks for the response but how would these be done in reverse. Is there a way to filter on tx rather than rx.

    We have some Cisco wireless that connects through our Clearpass and then out to our national proxies. We authenticate our users via and clearpass and need to proxy out the visitors, the Cisco wireless adds lots of extra attributes that we don't want to send out in the requests.



  • 4.  RE: Clearpass RADIUS attribute filtering

    Posted Feb 21, 2020 04:30 AM

    As far a I'm aware, it is not possible to add, remove or alter VSA sent to a RADIUS proxy target server in ClearPass. ClearPass just proxies the RADIUS request that it recieves without altering it but can strip out any attributes that return.

     

    I don't know if there's anything you can do on your Cisco kit to limit what is sent?



  • 5.  RE: Clearpass RADIUS attribute filtering

    Posted Feb 21, 2020 06:30 AM

    Unfortunately we don't have access to the Cisco controller, it is a hospital that publishes our SSID that we authenticate the users for.