Valued Contributor I

Inner Identity visibility

One of the really irritating things about ClearPass is how it copes with inner identity user-names.

 

Instead of it being something you set up in what goes out in an Access-Accept packet, there is a general server setting 

 

Use Inner Identity in Access-Accept Reply

 

under the RADIUS server..... and it's got to be set for each cluster member. Why on earth would you want to have some cluster members sending an inner identity and some not?

<rant>

There's a shedload of attributes you have to set up for individual cluster members that really, really should be set up as a global parameter.

 

If you've got a cluster, surely the idea is to make things simple. There can't be many parameters that need to be different once you start running a cluster.

</rant>

 

Anyway, back to the inner identity User-Name.

Not only is enabling it tucked away somewhere in the config, you don't see it at all when looking through auth requests in Access Tracker. It doesn't exist.

 

I proxy accounting off to a FR server to store in a PostgreSQL DB, and I'm seeing a lot of outer User-Names instead of inner ones, and need to check that they're actually getting out of ClearPass.

How can I see what's getting sent out, bearing in mind this is a busy production service?

 

Guess I could proxy accounting to another FR server running in debug mode.

 

Sigh!
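One way to answer the question in the post above without touching the production path is to check what has already landed in the accounting database: an EAP outer identity follows the anonymous NAI convention ("anonymous", "anonymous@realm" or "@realm" with an empty user part), so rows whose User-Name matches that shape never carried the inner identity. The script below is an added example, not code from the original thread or from Aruba; it assumes a FreeRADIUS-style `radacct` table with a `username` column, and the rows it runs over are constructed sample data, not real accounting records.

```python
"""Classify RADIUS accounting User-Name values as EAP outer (anonymous) or inner identities.

Added example, not from the original thread. The accounting rows below are constructed
sample data in the shape of the FreeRADIUS `radacct` table (username, nasipaddress,
acctsessionid), which is an assumption about how the proxied accounting is stored.
"""
from collections import Counter

# Constructed sample rows: (username, nasipaddress, acctsessionid)
SAMPLE_ROWS = [
    ("anonymous@example.edu", "10.0.0.1", "s1"),
    ("jdoe@example.edu", "10.0.0.1", "s2"),
    ("anonymous", "10.0.0.2", "s3"),
    ("@example.edu", "10.0.0.2", "s4"),   # empty user part: anonymous NAI form (RFC 7542)
    ("asmith", "10.0.0.3", "s5"),
]

# Equivalent check to run directly against a FreeRADIUS radacct table in PostgreSQL
# (assumes the default FreeRADIUS SQL schema; adjust the table/column names if yours differ).
RADACCT_OUTER_IDENTITY_QUERY = """
SELECT username, COUNT(*) AS sessions
FROM radacct
WHERE lower(split_part(username, '@', 1)) = 'anonymous'
   OR username LIKE '@%'
GROUP BY username
ORDER BY sessions DESC;
"""


def is_outer_identity(user_name: str) -> bool:
    """True when the value looks like an EAP outer (anonymous) identity, not the inner user-name.

    Heuristic from the NAI RFCs (RFC 4282 / RFC 7542): an anonymous NAI is "anonymous",
    "anonymous@realm" (any case on the user part), or "@realm" with an empty user part.
    """
    name = user_name.strip()
    user_part, at_sign, _realm = name.partition("@")
    if user_part.lower() == "anonymous":
        return True
    if at_sign and user_part == "":
        return True
    return False


def summarize(rows):
    """Count inner vs outer identities; return the counts and the outer-only sessions for follow-up."""
    counts = Counter()
    outer_sessions = []
    for username, nas_ip, session_id in rows:
        if is_outer_identity(username):
            counts["outer"] += 1
            outer_sessions.append((session_id, nas_ip, username))
        else:
            counts["inner"] += 1
    return dict(counts), outer_sessions


if __name__ == "__main__":
    counts, outer = summarize(SAMPLE_ROWS)
    print("identity counts:", counts)
    for session_id, nas_ip, username in outer:
        # These sessions reached the accounting DB with only the outer identity.
        print(f"outer identity only: session={session_id} nas={nas_ip} user={username}")
```

The outer-only sessions, grouped by NAS IP, show which cluster member (or which path through it) is not emitting the inner identity, which is the per-member setting the post complains about. Run the SQL string against the real table for the live picture; the Python classifier is there for pulling the same check into a scheduled report.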

Guru Elite

Re: Inner Identity visibility

Add this to your enforcement profile:

Screenshot 2018-02-28 at 06.05.00.png

You will not have to enable the "Use Inner Identity in Access-Accept Reply" parameter. 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide