Security

Hey all,

I've got a ClearPass client that is having issues with a couple of policies. Their goal is to limit the user on two fronts:

1. Throttle bandwidth determined on how long they've been connected (the longer they've been connected, the less bandwidth they have)

2. Throttle bandwidth determined on how much they've already consumed (the more they consume, the less bandwidth they have).

They've set up the policies and as far as I can tell they look ok, however I don't think the controller is actually getting the CoA RFC 3576 info correctly. They're experiencing two issues:

1. ClearPass doesn't actually register how long they've been authenticated until after they manually disconnect from the network, and then reconnect

2. Clients are not getting derivated to different roles based off of bandwidth consumption.

Does anyone want to take a stab at this? What should I look for?

Thanks in advance!

Hey Tim,

Yes, interim accounting is enabled.

do you see the accounting messages reach the CPPM and do you see the statistics go up?

Ah sorry boneyard, I didn't see this response until I logged in.

I don't have visibility into their system, but I can check to see if they're seeing accounting messages. How quickly do they refresh? I think I need to check and see if UDP 1813 is open statefully as well, since they might not be getting return auth from Radius.

I'll let you know what I find out.

i believe you also need to set Log Accounting Interim-Update Packets to TRUE, you find this under server config, Service Parameters > Radius server at the bottom.