Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Radius Attribute from CPPM is not observed on IAP.


    Posted Aug 26, 2020 12:50 AM

    I just need your help.

    My goal is to send an “Aruba-User-Role” of radius from CPPM to IAP.

    I made sure that “monitor mode” is “Disable” on CPPM and “all” was sent in “Radius:Aruba:Aruba-User-Role” on “Output” of CPPM. However, IAP does not recognize “Radius:Aruba:Aruba-User-Role”.

    I did not capture and verify the Radius packets.

     

    Environment:

     

    • CPPM - 6.9.130064

    • IAP - ArubaOS (MODEL: 515), Version 8.6.0.4

    • Client - Win10

    Service:

     

    • Service “iap-web-onclick Guest Access” is set to “Web Login”.
    • In “Web Login”, “Page Redirect” is set as “Anonymous – Do not require a username and password”.
    • The name of the “anonymous user” is “anonymous”.

    aruba1.png

     

    Policy:

    • Since I created an “anonymous” user in “Guest User Repository” beforehand, “Role Name” is set to “[Guest]”.

    aruba2.png

     

    Enforcement policy:

    • Condition No1 was created from “Service Templates - Guest Access - Web Login”.

    aruba3.png

     

     

    Enforcement policy:

    • “Radius:IETF” is set to “anonymous”.

    aruba4.png

     

    Here is the Output:

    • “Radius:Aruba:Aruba-User-Role” output can be seen.

    aruba5.png

     

    Configuring “Roles” on IAP:

     

    • I added “all” to “Roles”.
    • SSID is set to “iap-web-oneclick”.

    aruba6.png

    Configuring “Access Rules” on IAP:

     

    • By default, “Role” becomes “iap-web-oneclick” after passing web-oneclick.
    • But I've set up “Radius:Aruba:Aruba-User-Role” to return “all”.

    aruba7.png

     

    Status of the IAP “clients” after passing web-oneclick:

    • The default role “iap-web-oneclick” is shown. I expect “all” here.

    aruba8.png
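
The post notes that the RADIUS packets were not captured. The following is an added example, not part of the original post, of checking the raw bytes of a captured RADIUS reply for the Aruba-User-Role vendor-specific attribute. The vendor ID 14823 and sub-attribute type 1 come from the Aruba RADIUS dictionary, not from the post, and the sample packet (including its all-zero authenticator) is constructed for illustration.

```python
import struct

ARUBA_VENDOR_ID = 14823   # Aruba enterprise number (Aruba RADIUS dictionary)
ARUBA_USER_ROLE = 1       # Aruba-User-Role sub-attribute type (same dictionary)
VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute
ACCESS_ACCEPT = 2         # RFC 2865 packet code

def vendor_roles(data: bytes) -> list[str]:
    """Walk the sub-attributes of one Aruba VSA and collect role strings."""
    roles, pos = [], 0
    while pos + 2 <= len(data):
        vtype, vlen = data[pos], data[pos + 1]
        if vlen < 2 or pos + vlen > len(data):
            raise ValueError("malformed vendor sub-attribute")
        if vtype == ARUBA_USER_ROLE:
            roles.append(data[pos + 2:pos + vlen].decode("utf-8", "replace"))
        pos += vlen
    return roles

def aruba_user_roles(packet: bytes) -> list[str]:
    """Return every Aruba-User-Role value carried in a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    roles, pos = [], 20   # attributes start after the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] == ARUBA_VENDOR_ID:
                roles += vendor_roles(value[4:])
        pos += alen
    return roles

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def sample_accept(role: bytes = b"all") -> bytes:
    """Constructed Access-Accept: User-Name 'anonymous' plus the Aruba VSA."""
    vsa = struct.pack("!I", ARUBA_VENDOR_ID) + attr(ARUBA_USER_ROLE, role)
    attrs = attr(1, b"anonymous") + attr(VENDOR_SPECIFIC, vsa)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(aruba_user_roles(sample_accept()))
```

An empty list for a real Access-Accept means the attribute was not on the wire; a populated list means it reached the network and the question moves to how the IAP applies it.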