Primary (K-12) Education

We would really like to be able to use our sonicwalls SSO options that use the accounting logs from our radius authentication, but there is no way to do this without our aruba gear actually sending the Framed IP address attribute.  Is there any way to get this to happen?

Our setup is as follows:

Aruba AP -> Radius (NPS) -> forward accounting (start/stop) to Sonicwall.

Unfortunatly this does not work because the Aruba gear only sends the username information and mac address of the client, but not the IP...

Thanks,

Dan

I am wondering if this will work, it appears I can also use the "calling station ID" as well.  And I see this option in the radius config:

Use IP address for calling station ID

I will try this out and see if that will give me the results I need!

Well someone responded, but then I guess removed their message...

Hi, you can have the controller pass the accounting directly to the sonicwall and that should be it. I have it up and running myself.

---  So can someone explain how to do this?

I did change the settings to send the IP instead of the mac address in the caller id setting, but I still only see the mac address - it appears this change had no impact...

I am very interested if we could simply send the accounting records directly from the aruba controller, but for the life of me I can not figure out how to do this...

danstl,

I am only guessing here based on what you mentioned and the Article Here:  https://support.software.dell.com/kb/sw11075

On the Aruba Controller, in  the AAA profile, there is an option for a Radius Accounting Server Group.  You need to (1) Create the Sonicwall as a Radius Server in the Aruba Controller  and make sure you enable the "Use IP address for calling station ID" checkbox. (2) Create a Server Group and Add the Sonicwall Radius Server to that Group (3) Add that Server Group you just created to the AAA profile as a "Radius Accounting Server Group"

This should work if you are using the Captive Portal to authenticate users, because the ip address of the user is known so the "framed-ip-address" attribute should be populated during authentication.  It is possible that it will not work on initial authentication using 802.1x, however, because in 802.1x, the user gets their ip address AFTER they authenticate successfully...

Yeah I got it working.  It actually works really quickly upon login, (I also turned on interim accounting).  But you are correct initially they are shown as an unknown user, but within 30 seconds they show the correct user and group information.

We are really doing this more for visibility then anything else as we do all of our filtering/etc based on VLAN.  But it is nice that we can also extend some user level controls down to our firewall.

danstl,

If this is fixed, please mark it solved.

Well I would mark it as fixed if I knew how :)  Where is the "fixed" option?

-Dan

Very good question....hmmm..