Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Comware7 accounting info

  • 1.  ClearPass Comware7 accounting info

    Posted Oct 09, 2018 09:19 AM

    I've just noticed that although ClearPass shows RADIUS accounting info from our Comware switches, the one thing it doesn't show are any Utilisation figures other than the session time.

    I'm fairly sure this points to a misconfiguration of our ComWare 5130 switches, but on the off chance someone out there has a ComWare/ClearPass combo, can you see Utilisation I/O octets/packets in ClearPass accounting info?

    Rgds

    A



  • 2.  RE: ClearPass Comware7 accounting info

    EMPLOYEE
    Posted Oct 15, 2018 08:41 AM

    I'm not a CW7 expert, and don't have a switch to test it for you.

     

    Did you follow the Solution Guide for Wired Policy Enforcement, more specifically the accounting-on enable on radius and the dhcp snooping enable for IP visibility?

     

    Do you see in/out octets data for finished sessions? It could be that the switch just posts that info at the end of the session, and dhcp snooping tends to help to send the data more often.

     

    Aruba TAC should be able to troubleshoot with you as well.



  • 3.  RE: ClearPass Comware7 accounting info

    Posted Oct 15, 2018 08:51 AM

    Yes followed the wired guide. 

    Yes accounting-on is enabled

    We also specify interim accounting (as you are supposed to) with clearpass. Everything else works from auths to reauths - you can see the appropriate session ids for each reauth.... you just don't get any data. An HP contact has tried this for comware 5 devices and gets the same clearpass response, i.e. no accounting info. He's about to try it with comware 7.

     

    No the switch doesn't post anything to clearpass, although .....

    comware 7 has an "attribute translate" command where you can map internal H3C attributes to those recognisable on another system. It *could* be that the switch is using the H3C equivalents of the accounting in/out octets/packets and clearpass isn't using them.

    A



  • 4.  RE: ClearPass Comware7 accounting info

    EMPLOYEE
    Posted Oct 15, 2018 02:12 PM

    I have tested this on a Comware 5 device (5500EI), and on a Comware 7 device (5900). From a functionality perspective, the 5900 should have the same accounting functionality as the 5130. Here is what I see on the 5900 when I debug the Radius packets.

     

    *Jan 1 02:50:39:160 2011 HP RADIUS/7/PACKET:
    User-Name="dc4a3ed02939"
    NAS-Identifier="HP"
    NAS-Port=16781313
    NAS-Port-Type=Ethernet
    NAS-IP-Address=192.168.0.253
    Calling-Station-Id="DC-4A-3E-D0-29-39"
    Called-Station-Id="2C-23-3A-4A-EE-88"
    Acct-Session-Id="000000042011-01-01:02:41:38-00000033081"
    Acct-Session-Time=541
    Class=0x25db1485d01c404f873b5b08b1d115c2d00b0000000000005230303030323936302d30312d35626334643331380000000000000000000000
    Acct-Authentic=RADIUS
    Acct-Status-Type=Interim-Update
    Acct-Delay-Time=0
    Event-Timestamp="Jan 1 2011 02:50:39 UTC"
    *Jan 1 02:50:39:161 2011 HP RADIUS/7/EVENT:
    Sent request packet successfully.

     

    The accounting update does not contain the utilisation information. This is what I see on the 5500:

     

    *Apr 26 13:18:49:668 2000 HP RDS/7/DEBUG:
    [1 User-name ] [14] [dc4a3ed02939]
    [32 NAS-Identifier ] [4 ] [HP]
    [5 NAS-Port ] [6 ] [16781313]
    [87 NAS_Port_Id ] [34] [slot=1;subslot=0;port=1;vlanid=1]
    [61 NAS-Port-Type ] [6 ] [15]
    [31 Caller-ID ] [19] [44432D34412D33452D44302D32392D3339]
    *Apr 26 13:18:49:669 2000 HP RDS/7/DEBUG:
    [40 Acct-Status-Type ] [6 ] [3]
    [45 Acct-Authentic ] [6 ] [1]
    [44 Acct-Session-Id ] [17] [10003261315a010]
    [4 NAS-IP-Address ] [6 ] [192.168.0.252]
    [55 Event-Timestamp ] [6 ] [956755129]
    [25 Class ] [58] [25DB1485D01C404F873B5B08B1D115C2D00B0000000000005230303030323936322D30312D35626334643561390000000000000000000000]
    *Apr 26 13:18:49:670 2000 HP RDS/7/DEBUG:
    [HP-26 Connect_ID ] [6 ] [53249]
    [HP-1 Input_Peak_Rate ] [6 ] [0]
    [HP-2 Input_Average_Rate ] [6 ] [0]
    [HP-4 Output_Peak_Rate ] [6 ] [0]
    [HP-5 Output_Average_Rate ] [6 ] [0]
    [HP-22 Priority ] [6 ] [0]
    *Apr 26 13:18:49:671 2000 HP RDS/7/DEBUG:
    [46 Acct-Session-Time ] [6 ] [180]
    [41 Acct-Delay-Time ] [6 ] [0]
    [42 Acct-Input-Octets ] [6 ] [12055]
    [47 Acct-Input-Packets ] [6 ] [22]
    [43 Acct-Output-Octets ] [6 ] [110060]
    [48 Acct-Output-Packets ] [6 ] [25]
    *Apr 26 13:18:49:672 2000 HP RDS/7/DEBUG:
    [52 Acct_Input_Gigawords ] [6 ] [0]
    [53 Acct_Output_Gigawords ] [6 ] [0]
    *Apr 26 13:18:49:673 2000 HP RDS/7/DEBUG:

     

    Much more information and also the utilisation info. This is also shown in ClearPass.


    And there are no updates for the 5900, only the initial Accounting start entry. And the accounting start packet does not contain any utilisation information either. 

    This means that it seems that utilisation accounting is not supported on Comware 7, but it is on Comware 5.

     

    You can easily test this yourself by enabling debugging on the switch (Comware 7), in user-mode:

     

    terminal debug

    terminal monitor

    debug radius all

     

    The configuration is straightforward and there is not much you can configure on accounting other than the time interval for the accounting updates.

     

    Hope this helps answer your question.
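
As an added example (not part of the original posts, and not HPE/Aruba code): a small Python check that parses `debug radius all` output in either of the two formats shown in this thread and lists which standard utilisation counters an accounting packet lacks. The function names are this example's own, and the two samples are abbreviated excerpts of the debug output quoted above.

```python
import re

# Standard RADIUS accounting counters behind ClearPass utilisation figures.
COUNTERS = ("Acct-Input-Octets", "Acct-Output-Octets",
            "Acct-Input-Packets", "Acct-Output-Packets")

# Comware 7 style:  Name=value
CW7_LINE = re.compile(r'^\s*([A-Za-z][\w-]*)=(.*)$')
# Comware 5 style:  [type Name ] [len] [value]   (type may carry an HP- prefix)
CW5_LINE = re.compile(
    r'^\s*\[\s*(?:HP-)?\d+\s+([\w-]+)\s*\]\s*\[\s*\d+\s*\]\s*\[(.*)\]\s*$')

def parse_attrs(text):
    """Return {attribute-name: value} for one debugged RADIUS packet."""
    attrs = {}
    for line in text.splitlines():
        m = CW7_LINE.match(line) or CW5_LINE.match(line)
        if m:  # timestamp and event lines match neither pattern
            name = m.group(1).replace("_", "-")  # Comware 5 mixes _ and -
            attrs[name] = m.group(2).strip().strip('"')
    return attrs

def missing_counters(text):
    """List the utilisation counters absent from the packet."""
    attrs = parse_attrs(text)
    return [c for c in COUNTERS if c not in attrs]

# Abbreviated excerpts of the captures quoted in the thread.
CW7_SAMPLE = '''*Jan 1 02:50:39:160 2011 HP RADIUS/7/PACKET:
User-Name="dc4a3ed02939"
Acct-Session-Time=541
Acct-Status-Type=Interim-Update
Acct-Delay-Time=0
*Jan 1 02:50:39:161 2011 HP RADIUS/7/EVENT:
Sent request packet successfully.'''

CW5_SAMPLE = '''*Apr 26 13:18:49:669 2000 HP RDS/7/DEBUG:
[40 Acct-Status-Type ] [6 ] [3]
[46 Acct-Session-Time ] [6 ] [180]
[42 Acct-Input-Octets ] [6 ] [12055]
[47 Acct-Input-Packets ] [6 ] [22]
[43 Acct-Output-Octets ] [6 ] [110060]
[48 Acct-Output-Packets ] [6 ] [25]
[52 Acct_Input_Gigawords ] [6 ] [0]'''

if __name__ == "__main__":
    print("Comware 7 missing:", missing_counters(CW7_SAMPLE))
    print("Comware 5 missing:", missing_counters(CW5_SAMPLE))
```

Paste a single packet's debug lines into a string and pass it to `missing_counters`; an empty list means the switch is sending all four counters.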