Security

I am trying to make things a little easier for our users by setting up Single Sign On. In order for it to work porperly our firewall needs to receive an IP address from the Calling Station ID attribute in the Radius start and stop messages.

I am using IAP-105's with and external Radius server, Server 2008R2. The Radius server is forwarding the start and stop messages but the Calling Station ID is a MAC address and not an IP address.

Is there a way to change it?

The framed-ip-address attribute is typically assigned to the ip address of the user in radius accounting packets, according to the standard.  Find out if your firewall can use that attribute instead. http://tools.ietf.org/html/rfc2866

Does it happen to be a Palo Alto firewall?

The firewall is a Fortigate.

http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/RADIUS-SSO.037.06.html

"For RADIUS SSO to work, FortiOS needs to know the user’s endpoint identifier (usually IP address) and RADIUS user group. There are default RADIUS attributes where FortiOS expects this information, but you can change these attributes in the config user radius CLI command."

did you get this to work Todd?