I'm playing with using ClearPass to support Radius CoA on our Comware7 switches. Problem is that for a dot1x auth on a switch port the switch only sees the outer tunnel User-Name, and in our case, it's got our realm in it (@york.ac.uk).
However, in my enforcement profile I'm currently using Radius:IETF:User-Name which returns the inner-tunnel User-Name .... and therefore the CoA request fails because email@example.com != @york.ac.uk
Can I get hold of the outer-tunnel User-Name in ClearPass to pass back in the Radius CoA?
Hup shows inner identity .... but I need the outer one ... :-((
Nope, not unless I can do a substring on it. Full-Name has firstname.lastname@example.org. and User-Name has email@example.com.
This is part of the Radius CoA back to the switch which says I need:
MAC address of the client
(cisco) command to execute
username of the user.
All the switch knows about is the outer tunnel User-Name, in our case @york.ac.uk. It's expecting
but it's getting
So it says that it can't find the session to act upon.
Given that FreeRadius can be configured to allow you to access both the inner and outer tunnel User-Name and that it's used in ClearPass, guess this would be an enhancement request to have access to the outer User-Name.
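The mismatch described in this thread, as an added example that is not part of the original posts and is not ClearPass or Comware code: it builds an RFC 5176 CoA-Request carrying User-Name, Calling-Station-Id and a Cisco-AVPair command, then runs it through a simplified session lookup. The shared secret, MAC address, inner identity `abc123`, the `subscriber:command=reauthenticate` value and the lookup function are assumptions made for illustration.

```python
import hashlib, hmac, struct

COA_REQUEST = 43                                  # RFC 5176 packet code
USER_NAME, VENDOR_SPECIFIC, CALLING_STATION_ID = 1, 26, 31
CISCO_VENDOR, CISCO_AVPAIR = 9, 1                 # Cisco-AVPair VSA

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_coa(ident, secret, user_name, mac, command):
    """CoA-Request carrying the three items the switch asks for."""
    vsa = struct.pack("!I", CISCO_VENDOR) + attr(CISCO_AVPAIR, command.encode())
    attrs = (attr(USER_NAME, user_name.encode())
             + attr(CALLING_STATION_ID, mac.encode())
             + attr(VENDOR_SPECIFIC, vsa))
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(code+id+length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse_attrs(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    out, i = {}, 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        out[atype] = packet[i + 2:i + alen]
        i += alen
    return out

def nas_finds_session(packet, secret, sessions):
    """Simplified NAS (assumed model): check authenticator, then match (MAC, User-Name)."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False
    a = parse_attrs(packet)
    return (a[CALLING_STATION_ID].decode(), a[USER_NAME].decode()) in sessions

# Constructed sample data: the switch recorded the outer identity at 802.1X time.
SECRET = b"example-shared-secret"
MAC = "00-11-22-33-44-55"
SESSIONS = {(MAC, "@york.ac.uk")}
CMD = "subscriber:command=reauthenticate"          # assumed command value
outer = build_coa(1, SECRET, "@york.ac.uk", MAC, CMD)
inner = build_coa(2, SECRET, "abc123", MAC, CMD)   # inner identity, constructed
print(nas_finds_session(outer, SECRET, SESSIONS), nas_finds_session(inner, SECRET, SESSIONS))
```

Both packets are correctly authenticated; only the one whose User-Name equals the identity the switch stored is matched to a session.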