  • 1.  Access Tracker Request Details

    Posted Jul 16, 2020 01:47 AM

    Hello Knowledge Seekers,

    What is the difference between these 2 IPs in the request details page?

    1. Input > Endpoint Attributes > IP Address

    2. Accounting > Network Details > Framed IP Address

    How do I decide which one is the IP address that the user is using now?

    Some users don't have the Accounting tab at all. I'm kind of confused and all ears for your advice.

    I kindly ask for your help...

    Thanks in advance.



  • 2.  RE: Access Tracker Request Details
    Best Answer

    Posted Jul 16, 2020 03:47 AM

    Historically the Endpoint IP address was learnt via SNMP polling of the infrastructure ARP tables.

    The Framed-IP-Address is learnt from the RADIUS Accounting: with ArubaAOS this comes in with the Start; with most other equipment it comes in with the Interim. However, this is all dependent on the NAS's ability to learn the device's IP. Most NAS devices have the ability to track the DHCP exchange; static IP addresses are usually more problematic.

    In about ClearPass v6.6 I believe they made the Endpoint's IP address = the Framed-IP-Address.

    If the RADIUS Accounting is not enabled, or the Start/Interim are not enabled, or the NAS is not learning the device's IP address, then the Framed-IP-Address is not populated: you are dependent on the SNMP poll, which by default occurs every hour - it can be tuned down to every 10 minutes...

    The knock-on consequence of not getting the Framed-IP-Address is that upper-layer integration (post-auth profiles) that is reliant on this IP address (e.g. injecting into a firewall) will not occur.
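
An added example, not part of the thread and not ClearPass code: Framed-IP-Address is RADIUS attribute 8 (RFC 2865) and arrives in Accounting-Request packets (RFC 2866) only once the NAS has learned the client's IP. The Python below parses constructed packets and tracks the latest reported address per session; the function names `parse_accounting`, `build` and `session_ips` are hypothetical, and the request authenticator is not validated.

```python
import ipaddress
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST, FRAMED_IP, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 4, 8, 40, 44
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def parse_accounting(packet):
    """Return status, session id and Framed-IP-Address (None if absent)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    out = {"status": None, "session": None, "framed_ip": None}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        if a_type == ACCT_STATUS_TYPE and len(value) == 4:
            n = struct.unpack("!I", value)[0]
            out["status"] = STATUS.get(n, str(n))
        elif a_type == ACCT_SESSION_ID:
            out["session"] = value.decode("utf-8", "replace")
        elif a_type == FRAMED_IP and len(value) == 4:
            out["framed_ip"] = str(ipaddress.IPv4Address(value))
        pos += a_len
    return out


def build(status, session, ip=None):
    """Constructed sample Accounting-Request; authenticator is zeroed."""
    attrs = bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    attrs += bytes([ACCT_SESSION_ID, 2 + len(session)]) + session.encode()
    if ip:
        attrs += bytes([FRAMED_IP, 6]) + ipaddress.IPv4Address(ip).packed
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(attrs)) + bytes(16) + attrs


def session_ips(packets):
    """Latest Framed-IP-Address per session; None until the NAS reports one."""
    seen = {}
    for rec in map(parse_accounting, packets):
        seen[rec["session"]] = rec["framed_ip"] or seen.get(rec["session"])
    return seen
```

A session that maps to `None` here corresponds to the case described above where only the SNMP-polled endpoint IP is available.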



  • 3.  RE: Access Tracker Request Details

    Posted Jul 16, 2020 04:16 AM

    To add to that: if you have Accounting information, I'd take the accounting as the most current.

    In my testing I could not find discrepancies between the two. Did you find any?

    As Derin mentioned, both should be good and the one in the endpoint should work even if you don't have the IP address accounting enabled.



  • 4.  RE: Access Tracker Request Details

    Posted Jul 16, 2020 04:42 AM

    Hey Herman,

    I came across this situation when one of our directors had a connection problem.

    I was surprised to see these two IPs different from each other, so I wanted to ask what the difference between them is. Derin perfectly explained it above, but then why did I see those values differ?

    In addition, the user values I added as an attachment were taken at exactly the same time.

    Could you kindly help me with that?



  • 5.  RE: Access Tracker Request Details

    Posted Jul 16, 2020 04:44 AM

    There certainly used to be issues if the NAS was doing NAT. Invariably the Endpoint IP would report the NATed IP, whereas the Framed-IP-Address reported the real IP address... I haven't looked at this recently.



  • 6.  RE: Access Tracker Request Details

    Posted Jul 16, 2020 04:47 AM

    I'm concerned that these are reporting different values. Could you raise this to TAC?



  • 7.  RE: Access Tracker Request Details

    Posted Jul 16, 2020 05:02 AM

    We have many regions where we use the same SSID and wireless structure. In some regions, users can get an IP from a different IP range even if they are connected to the same SSID. I guess that there was such a problem as the relevant user switched between regions and connected to the same SSID.



  • 8.  RE: Access Tracker Request Details

    Posted Jul 16, 2020 04:44 AM

    Hey Derin,

    Thank you for your amazing, clear explanation.

    Now, I'll try to sync these two values by changing some characteristics as you explained above.

    Kind Regards,