Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

  • 1.  Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

    Posted Aug 04, 2017 04:35 PM

    I am struggling to get my Meraki APs to work with my SonicWall RADIUS Accounting SSO feature.

     

    This is because the initial Radius Accounting Start packet does not contain the Framed-IP-Address attribute.

     

    Is it possible to use IP helpers on the VLAN to forward DHCP requests to the CPPM, so that the profiler captures the endpoint IP address, and then use that value to add the missing VSA in the RADIUS proxy settings that then forward to the SonicWall?

     

    I have been waiting 20 months for Meraki to resolve this rather annoying behavior.

     

    I am desperate to deploy a smooth and functional 802.1X-based SSO solution.



  • 2.  RE: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

    Posted Aug 04, 2017 04:41 PM

    > This is because the initial Radius Accounting Start packet does not contain the Framed-IP-Address attribute.

     

    Of course it doesn't.  It shouldn't.  RADIUS sessions start before IP address configuration starts.

     

    Does the Sonicwall not have any other mechanism by which to map IP addresses to MAC addresses other than RADIUS accounting?  If not, that's what you should be complaining about.

     



  • 3.  RE: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

    Posted Aug 04, 2017 05:44 PM
    Bjulin - I understand your comment, but other vendors (like Aerohive) have provided solutions to overcome the limitations of the venerable RADIUS RFCs that make sure third-party devices are informed of the client IP address within seconds of their connection. As far as I understand, Aruba wireless controllers also have this capability?

    I asked quite a specific question. Take it as read that I am already in deep discussion with Meraki and SonicWall, which is why I am now looking at CPPM for a possible solution / workaround.


  • 4.  RE: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

    MVP
    Posted Aug 04, 2017 04:44 PM

    We used CPPM's syslog output to map username to IP address when we were managing bandwidth at our Internet edge. There is a delay of a few minutes before the messages are sent, though.



  • 5.  RE: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

    Posted Aug 04, 2017 06:01 PM
    Thanks bosborne - I am trying to get the delay in updating the firewall to less than 15 seconds, so the syslog route looks too high-latency, but good input.

    Thank you.


  • 6.  RE: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

    Posted Aug 04, 2017 07:05 PM

    Aruba APs will populate this field, but I do not believe they do so on the first Accounting packet; rather, on subsequent ones... I have not bothered to look, though.

     

    Note that there are some vendors where RADIUS Accounting sessions do not end when they should, so if a client moved from one NAS to another you can have conflicting Accounting packets arriving -- one from the NAS serving the client, and one from a stale session from the old NAS.

     

    DHCP syslog really should not take very long to propagate, if you forward it directly from a good server.  If your DHCP server or syslog relay is some sort of Java monstrosity that delays logs for several seconds, maybe consider better servers in these roles.

     

    We use a built-in DHCP packet sniffer on our NAC, but if it had a syslog receiver built-in, we would use that instead... it is the most simple and direct solution.

     



  • 7.  RE: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

    Posted Aug 05, 2017 03:47 AM
    Thanks bjulin.. I have a ClearPass Policy Manager acting as the RADIUS Accounting proxy between the NAS (which is the AP) and the firewall. I am new to ClearPass, but believe that the profiler can be configured to use DHCP snooping. If that is the case then the profiler would know the IP address of the endpoint.

    The ClearPass RADIUS accounting proxy can be configured to add or update vendor-specific attributes such as the Framed-IP-Address.

    So my question is quite specific. Can the proxy use the address obtained by the profiler to populate the Framed-IP-Address VSA?


  • 8.  RE: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

    EMPLOYEE
    Posted Aug 05, 2017 12:14 PM

    It's a long shot, but you could try the following:

    - Set ClearPass as one of the helper-addresses so that it can learn the client device's IP address.

    - Enable interim-accounting in the WLAN infra. The device doesn't have an IP address when the accounting-start comes from the NAS, so ClearPass won't know about the IP address at this point. Therefore, it would only add the IP (in case this works) to subsequent accounting messages.

    - Add the following additional field to the accounting traffic: Radius:IETF - Framed-IP-Address - %{Authorization:[Endpoint Attributes]:IP Address}

     

    As I said before, this is a long shot, and the worst part is that I can't really test it. As somebody said before, as soon as I enable RADIUS Accounting in my Aruba WLAN it will send the Framed-IP-Address as part of the acct message.

     

    So, keep in mind that even if this works, it can't be considered a supported solution (Meraki does strange stuff with the accounting). The supported solution would be to use a WLAN infrastructure capable of something as basic as sending a "Framed-IP-Address".
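The mechanism discussed in replies 2, 6 and 8 (the Accounting-Start arrives before the client has a lease, so the IP address can only be learned from DHCP and attached to later accounting messages) is shown below as an added, runnable example. It is not ClearPass code and not from any poster: it is a minimal proxy step written for this page that learns MAC-to-IP from a snooped DHCPACK, and when an Accounting-Request from the NAS lacks Framed-IP-Address (attribute 8) but the table knows the MAC from Calling-Station-Id (attribute 31), appends the attribute and re-signs the packet with the firewall's shared secret per RFC 2866. The packets, MACs, addresses and secrets are constructed for the demo; the real NAS-to-proxy and proxy-to-firewall transport (UDP/1813, retransmits, Accounting-Response) is omitted.

```python
"""Added example (not from the thread): fill Framed-IP-Address into proxied RADIUS
Accounting-Requests from a MAC -> IP table learned from snooped DHCP ACKs.
Layouts follow RFC 2131 (DHCP) and RFC 2865/2866 (RADIUS); all packets,
secrets and addresses are constructed for the demo."""
import hashlib
import socket
import struct

ACCT_REQUEST = 4                                        # RADIUS code: Accounting-Request
ATTR_FRAMED_IP, ATTR_CALLING_STATION, ATTR_ACCT_STATUS = 8, 31, 40
STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3
DHCP_ACK, DHCP_COOKIE = 5, b"\x63\x82\x53\x63"


def norm_mac(raw):
    """Normalise 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff', ... to 'aa:bb:cc:dd:ee:ff'."""
    hexd = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp(payload):
    """Return (message type, client MAC, yiaddr) from a BOOTP/DHCP payload."""
    hlen = payload[2]
    yiaddr = socket.inet_ntoa(payload[16:20])
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    if payload[236:240] != DHCP_COOKIE:
        raise ValueError("not a DHCP message")
    i, msg_type = 240, None
    while i < len(payload) and payload[i] != 255:        # 255 = End option
        if payload[i] == 0:                               # 0 = Pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53:                                    # DHCP Message Type
            msg_type = payload[i + 2]
        i += 2 + length
    return msg_type, mac, yiaddr


def build_dhcp_ack(mac, ip):
    """Constructed DHCPACK (server -> client) standing in for a snooped packet."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                      # BOOTREPLY, Ethernet, hlen 6
    hdr[16:20] = socket.inet_aton(ip)                     # yiaddr: the committed lease
    hdr[28:34] = bytes.fromhex(mac.replace(":", ""))      # chaddr
    return bytes(hdr) + DHCP_COOKIE + bytes([53, 1, DHCP_ACK, 255])


def parse_radius(pkt):
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    attrs, i = [], 20
    while i < length:                                     # attribute = type, length, value
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs


def build_acct_request(ident, attrs, secret):
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # RFC 2866 s.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_authenticator(pkt, secret):
    return hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest() == pkt[4:20]


def make_acct(ident, status, calling_station_id, secret):
    """Constructed NAS Accounting-Request that carries no Framed-IP-Address."""
    return build_acct_request(ident, [(ATTR_ACCT_STATUS, struct.pack("!I", status)),
                                      (ATTR_CALLING_STATION, calling_station_id.encode())], secret)


def framed_ip(pkt):
    """Dotted Framed-IP-Address carried by a RADIUS packet, or None if absent."""
    for t, v in parse_radius(pkt)[3]:
        if t == ATTR_FRAMED_IP:
            return socket.inet_ntoa(v)
    return None


class AcctProxy:
    """Accounting proxy between NAS and firewall. Table entries should expire with
    the DHCP lease rather than on Acct-Stop: a stale session on an old NAS can
    still send Stops for a client that has roamed (see reply 6)."""

    def __init__(self, nas_secret, firewall_secret):
        self.nas_secret, self.firewall_secret = nas_secret, firewall_secret
        self.ip_by_mac = {}

    def learn_dhcp(self, payload):
        msg_type, mac, ip = parse_dhcp(payload)
        if msg_type == DHCP_ACK:                          # only an ACK commits a lease
            self.ip_by_mac[mac] = ip
        return msg_type == DHCP_ACK

    def proxy(self, pkt):
        """Return the packet to forward to the firewall, re-signed with its secret."""
        code, ident, _, attrs = parse_radius(pkt)
        if code != ACCT_REQUEST or not verify_authenticator(pkt, self.nas_secret):
            raise ValueError("not a valid Accounting-Request from the NAS")
        if not any(t == ATTR_FRAMED_IP for t, _ in attrs):
            csid = next((v.decode() for t, v in attrs if t == ATTR_CALLING_STATION), "")
            ip = self.ip_by_mac.get(norm_mac(csid))
            if ip:                                        # unknown at Start, known by Interim
                attrs.append((ATTR_FRAMED_IP, socket.inet_aton(ip)))
        return build_acct_request(ident, attrs, self.firewall_secret)


def demo():
    """Start (no lease yet) -> DHCPACK snooped -> Interim-Update (IP filled in)."""
    p = AcctProxy(b"nas-secret", b"fw-secret")
    first = p.proxy(make_acct(1, STATUS_START, "AA-BB-CC-DD-EE-FF", b"nas-secret"))
    p.learn_dhcp(build_dhcp_ack("aa:bb:cc:dd:ee:ff", "10.20.30.40"))
    second = p.proxy(make_acct(2, STATUS_INTERIM, "AA-BB-CC-DD-EE-FF", b"nas-secret"))
    return framed_ip(first), framed_ip(second), verify_authenticator(second, b"fw-secret")


if __name__ == "__main__":
    print(demo())
```

The Start is forwarded unchanged because nothing is known yet; only after the ACK has been seen does the next message carry the address, which is why reply 8 asks for interim accounting on the WLAN side. Whether the firewall acts on an Interim-Update that carries Framed-IP-Address, rather than only on the Start, is a property of the SonicWall SSO module that the thread does not settle.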

     

     



  • 9.  RE: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

    Posted Aug 05, 2017 02:08 PM
    Hi sperez, that sounds like the solution I was hunting for. Are there any guides on configuring CPPM to use DHCP snooping?

    Is there any way you can configure the RADIUS accounting proxy to delay proxying the packet until the endpoint IP address is known through the snooping?

    I can set up the IP helpers on the VLANs easily enough, it is just the CPPM I am new to.


  • 10.  RE: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

    Posted Aug 06, 2017 08:43 AM
    Putting any CPPM node as the helper address results in ClearPass profiling. You do need to go into the system manager for the ClearPass node and check the checkbox for endpoint profiling, but that's it.


  • 11.  RE: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

    Posted Aug 06, 2017 10:01 AM
    Many thanks, Ryan. If I have a cluster, do I need to do that on both nodes?

    Also did anyone know if it was possible to delay the forwarding on the RADIUS Accounting packets in the RADIUS proxy until the profiler knows the IP address of the endpoint?


  • 12.  RE: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

    Posted Aug 06, 2017 01:13 PM
    Only one endpoint profiler needs to be enabled per zone in a cluster. Obviously if that one goes offline, you won't be profiling so weigh your risk appetite for profiling.

    In terms of delaying the sending of RADIUS accounting, Policy Manager is very flexible, but you'd likely have to get really creative on how to pull that off (assuming it's possible). You could do something like initially setting the session timer to very short, which would force the endpoint to reauthenticate. The thought would be that at reauthentication, the IP would be learned - but you'd need to be sure to not send the short session timer at that point. And you'd have to reset so that next time around at initial connection, it uses the short timer.

    This is really an area where aruba professional services would be worthwhile.


  • 13.  RE: Can I use DHCP Snooping to populate the missing Framed-IP-Address attribute in the RADIUS Accounting Proxy?

    Posted Aug 07, 2017 06:09 PM
    I have been working with an Aruba professional. Together we came up with the short session / normal session (which I affectionately call the Meraki Bounce Bodge). The problem with the short session solution is that it breaks the roaming logic of the SSO module on the SonicWall. It is so frustrating to be so close and yet so far.