Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba Controller - RADIUS accounting

  • 1.  Aruba Controller - RADIUS accounting

    Posted Jun 05, 2024 12:01 PM

    Is there a mechanism of controlling which accounting packets are being sent to a RADIUS server (NPS) on an Aruba controller? 

    I am attempting to RSSO clients on a WatchGuard firewall using the Class attribute sent within the RADIUS accounting packet. At the moment I am adding the Class attribute on NPS which includes a string value which is used to map to a group attribute within the WatchGuard to RSSO client sessions. 

    I am sending the accounting packets from the Aruba controller to NPS, which then forwards the accounting on to the WatchGuard, including the added Class attribute.

    However, in the capture below I am seeing two Class attributes being sent to the WatchGuard and I am getting no accounting-response. I am currently under the impression that the WatchGuard cannot process two Class attributes, only one of which contains the group attribute information. The other Class attribute is probably being added by either the AP or the controller. Is there any way of manipulating this on the Aruba controller? I cannot strip RADIUS attributes on NPS in the same way you can on ClearPass. So I am left with two Class attributes. The first Class attribute listed below corresponds to the value 'WG-BYOD', which is the one the WatchGuard requires. The second one is sent by default, but I currently have no way of removing it.

    It is also not possible to use any other attribute, e.g. Filter-Id, as this is not forwarded as part of the accounting packet. This only appears in the access-accept but is not included in the subsequent accounting packet. Therefore, it seems I must use Class. However, I am now in the position of forwarding this twice in the same accounting packet, which I believe is preventing the WatchGuard from acknowledging it.

  • 2.  RE: Aruba Controller - RADIUS accounting

    Posted Jun 06, 2024 09:56 AM

    No, you aren't going to be able to modify the accounting packets in the controller like that.

    Carson Hulcher, ACEX#110

  • 3.  RE: Aruba Controller - RADIUS accounting

    Posted Jun 13, 2024 07:23 AM

    Thanks. Is it possible that, if multiple Class attributes are referenced in the accounting-request AVPs, this could cause an issue with a firewall processing the RSSO request? I am attempting to use the RADIUS attribute Class to define group attributes on the WatchGuard firewall for RSSO, but the request skips the intended policy containing the group reference sent in the Class AVP.

  • 4.  RE: Aruba Controller - RADIUS accounting

    Posted Jun 13, 2024 09:39 AM

    That would be dependent on how the firewall handles the attribute when multiple values are received, which in this case appears to be either to honor only one or to just drop entirely.

    Carson Hulcher, ACEX#110