
Clearpass RADIUS attribute filtering

We are a UK university part of eduroam and we are looking to perform RADIUS attribute filtering for attributes sent back in RADIUS messages from other organisations. E.g. if a VSA is sent specifying a role that is unknown to our wireless.

I can see plenty of guides of how to do this in freeradius but it isn't obvious how this would be done in Clearpass.

 

Thanks

Ross


Re: Clearpass RADIUS attribute filtering

On the "Proxy Targets" tab of your RADIUS Proxy Service there's a section for excluding RADIUS attributes in replies from your RADIUS proxies.


Cheers
James
----------------------------------------------------------------------
--------------------------@whereisjrw--------------------------
---------------------------------blog-------------------------------
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
----------------------------------------------------------------------
----------------------------------------------------------------------
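What stripping attributes from a proxied reply involves at the packet level, as an added example that is not part of the original thread and not ClearPass's own code: removing a VSA changes the packet, so the Message-Authenticator and Response Authenticator have to be recomputed before the reply goes to the NAS. The function names, the shared secret and the sample packet are assumptions made for illustration, and the incoming reply is assumed to have already been verified against the upstream proxy's secret.

```python
import hashlib, hmac, struct

VENDOR_SPECIFIC, MESSAGE_AUTH = 26, 80   # RFC 2865 / RFC 2869 attribute types

def parse_attrs(data):
    """Split the attribute region of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def encode(attrs, mac):
    """Serialise attributes, writing `mac` as the Message-Authenticator value."""
    return b"".join(bytes([t, 18]) + mac if t == MESSAGE_AUTH
                    else bytes([t, len(v) + 2]) + v for t, v in attrs)

def filter_reply(packet, request_auth, secret, allowed_vendors=frozenset()):
    """Drop VSAs from vendors not in allowed_vendors, then re-sign for the NAS."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    kept = []
    for t, v in parse_attrs(packet[20:length]):
        if t == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", v[:4])[0] if len(v) >= 4 else None
            if vendor not in allowed_vendors:
                continue                      # unknown vendor or malformed VSA
        kept.append((t, v))
    head = struct.pack("!BBH", code, ident, 20 + len(encode(kept, bytes(16))))
    # Message-Authenticator: HMAC-MD5 over the packet with the request
    # authenticator in place and the attribute value zeroed (RFC 2869).
    mac = hmac.new(secret, head + request_auth + encode(kept, bytes(16)), hashlib.md5).digest()
    body = encode(kept, mac)
    # Response Authenticator: MD5(code+id+length+RequestAuth+attrs+secret), RFC 2865.
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

# Constructed sample (illustrative values): Access-Accept (code 2) with Reply-Message,
# VSAs from vendor 9 and vendor 14823, and a placeholder Message-Authenticator.
def vsa(vendor, payload):
    return bytes([VENDOR_SPECIFIC, 6 + len(payload)]) + struct.pack("!I", vendor) + payload

SAMPLE_ATTRS = b"\x12\x04ok" + vsa(9, b"\x01\x08role=x") + vsa(14823, b"\x01\x07guest") + bytes([80, 18]) + bytes(16)
SAMPLE = struct.pack("!BBH", 2, 7, 20 + len(SAMPLE_ATTRS)) + bytes(16) + SAMPLE_ATTRS
FILTERED = filter_reply(SAMPLE, bytes(range(16)), b"nas-secret", allowed_vendors={14823})
```
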


Re: Clearpass RADIUS attribute filtering

Hi James

Thanks for the response, but how would this be done in reverse? Is there a way to filter on tx rather than rx?

We have some Cisco wireless that connects through our Clearpass and then out to our national proxies. We authenticate our users via Clearpass and need to proxy out the visitors; the Cisco wireless adds lots of extra attributes that we don't want to send out in the requests.


Re: Clearpass RADIUS attribute filtering

As far as I'm aware, it is not possible to add, remove or alter VSAs sent to a RADIUS proxy target server in ClearPass. ClearPass just proxies the RADIUS request that it receives without altering it, but can strip out any attributes that return.

 

I don't know if there's anything you can do on your Cisco kit to limit what is sent?


Cheers
James

Re: Clearpass RADIUS attribute filtering

Unfortunately we don't have access to the Cisco controller, it is a hospital that publishes our SSID that we authenticate the users for.
