Security

last person joined: 15 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass Authentication Time issue

  • 1.  ClearPass Authentication Time issue

    Posted Dec 16, 2015 03:11 PM

    Hey all,

     

    I've got a ClearPass client that is having issues with a couple of policies. Their goal is to limit the user on two fronts:

     

    1. Throttle bandwidth determined on how long they've been connected (the longer they've been connected, the less bandwidth they have)

    2. Throttle bandwidth determined on how much they've already consumed (the more they consume, the less bandwidth they have).

     

    They've set up the policies and as far as I can tell they look ok, however I don't think the controller is actually getting the CoA RFC 3576 info correctly. They're experiencing two issues:

     

    1. ClearPass doesn't actually register how long they've been authenticated until after they manually disconnect from the network, and then reconnect

    2. Clients are not getting derivated to different roles based off of bandwidth consumption.

     

    Does anyone want to take a stab at this? What should I look for?

     

    Thanks in advance!



  • 2.  RE: ClearPass Authentication Time issue

    Posted Dec 16, 2015 03:13 PM
    Do you have radius interim accounting enabled?

    Sent from Nine


  • 3.  RE: ClearPass Authentication Time issue

    Posted Dec 16, 2015 03:16 PM

    Hey Tim,

     

    Yes, interim accounting is enabled.



  • 4.  RE: ClearPass Authentication Time issue

    Posted Dec 26, 2015 09:56 AM

    do you see the accounting messages reach the CPPM and do you see the statistics go up?



  • 5.  RE: ClearPass Authentication Time issue

    Posted Jan 18, 2016 05:19 PM

    Ah sorry boneyard, I didn't see this response until I logged in.

     

    I don't have visibility into their system, but I can check to see if they're seeing accounting messages. How quickly do they refresh? I think I need to check and see if UDP 1813 is open statefully as well, since they might not be getting return auth from Radius.

     

    I'll let you know what I find out.



  • 6.  RE: ClearPass Authentication Time issue

    Posted Jan 19, 2016 02:11 PM

    i believe you also need to set Log Accounting Interim-Update Packets to TRUE, you find this under server config, Service Parameters > Radius server at the bottom.