Security

last person joined: 5 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Obtaining outer tunnel User-Name value to return in Radius CoA

  • 1.  Obtaining outer tunnel User-Name value to return in Radius CoA

    Posted Jul 08, 2015 11:31 AM

    Hi,

    I'm playing with using ClearPass to support Radius CoA on our Comware7 switches.  Problem is that for a dot1x auth on a switch port the switch only see the outer tunnel user-name, and in our case, it's got our realm in it ( @york.ac.uk)

     

    However, in my enforcement profile I'm currently using Radius:IETF:User-Name which returns the inner-tunnel User-Name .... and thererfor the CoA request fails because fred@york.ac.uk != @york.ac.uk

     

    Can I get hold of the outer-tunnel User-Name in clearpass to pass back in the radius CoA?

    Rgds

    A

     

     



  • 2.  RE: Obtaining outer tunnel User-Name value to return in Radius CoA

    Posted Jul 08, 2015 11:39 AM
    When you look under computer attributes, does Authentication:Full-Username
    show the inner identity?


  • 3.  RE: Obtaining outer tunnel User-Name value to return in Radius CoA

    Posted Jul 08, 2015 11:46 AM

    Hup shows inner identity  .... but I need the outer one ... :-((

     



  • 4.  RE: Obtaining outer tunnel User-Name value to return in Radius CoA

    Posted Jul 08, 2015 11:48 AM
    Right, but you need to be sending the inner-identity back, correct? (The
    FQUN?)



    So you can use %{Authentication:Full-Username}


  • 5.  RE: Obtaining outer tunnel User-Name value to return in Radius CoA

    Posted Jul 08, 2015 11:59 AM

    nope, not unles I can do a substring on it. Full-Name has userid@york.ac.uk. and User-Name  has userid@york.ac.uk.

     

    This is part of the Radius CoA back to the switch which says I need

    mac addres of the client

    (cisco) command to execute

    username of the user.

     

    All the switch knows about is the outer tunnel User-Name, in our case @york.ac.uk. It's expecting

     

    User-Name=@york.ac.uk

    Calling-Station-Id=aa-bb-cc-dd-ee-ff

    cisco-avipair="........"

    but its getting

     

    User-Name=userid@york.ac.uk

    Calling-Station-Id=aa-bb-cc-dd-ee-ff

    cisco-avipair="........"

     

    So says that it can't find the session to act upon.

     



  • 6.  RE: Obtaining outer tunnel User-Name value to return in Radius CoA

    Posted Jul 30, 2015 11:32 AM

    Given that FreeRadius can be configured to allow you to access both the inner and outer tunnel User-Name and that its used in clearpass, guess this would be an enhancement request to have access to the outer User-Name