Re: how to define Vendor ID in clearpass for an enterprise

You do not need to define the attribute length; whatever type you choose will take the 2-byte value. Do test and let us know if you face any issues.


Thank you,
Saravanan Rajagopal

**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the post.

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: how to define Vendor ID in clearpass for an enterprise

Saravanan,

 

Thanks, I am able to upload the file now. Will test and get back for any help.

 

Thanks once again

S.Muthukannan


Re: how to define Vendor ID in clearpass for an enterprise

Hi Saravanan,

Now able to load the dictionary file. I proceeded with the testing; I am facing the issue "Failed to classify request to service".

Attached the failure message and configuration done. Can you please help?

If I need to post this issue in a separate thread, let me know that as well.

 

Thanks,

S.Muthukannan

Re: how to define Vendor ID in clearpass for an enterprise

Hi,

 

The service rules are incorrect.

Most of the below attributes are meant to be passed in the enforcement profiles. You need to use NAS-IP-Address in the rules and not the Framed-IP-Address.

 

Basically, the service rules should match the incoming radius attributes in the authentication request to categorize the service.

 

Incoming attributes in the request:

Input RADIUS Attributes -
Radius:IETF:Acct-Session-Id = 145:02:59:00003
Radius:IETF:Calling-Station-Id = 0x1035000001 [.5...]
Radius:IETF:NAS-Identifier = MyNASID
Radius:IETF:NAS-IP-Address = 135.x.x.x
Radius:IETF:NAS-Port = 79825984
Radius:IETF:NAS-Port-Id = eth 1/1/03/2/4/1/1
Radius:IETF:NAS-Port-Type = 15
Radius:IETF:User-Name = polclient1

 

Your service rule.

service_rule.png

I strongly recommend you refer to the ClearPass user guide or browse the community for a better understanding of Service creation.

You can start with the below service rules and proceed with the testing.

service_rule_start.png

 

Do let me know if you have any further queries.


Thank you,
Saravanan Rajagopal


Re: how to define Vendor ID in clearpass for an enterprise

Hi Saravanan,

 

I will try that out. Before your reply I tried with the attribute set given below; in the ClearPass server I see authentication has been successful, but in our box (ISAM 7360) the VLAN attribute was not passed successfully and it has failed.

 Name  Operator  Value 
1.  Connection Protocol EQUALS RADIUS
2.  Radius:IETF Service-Type EQUALS Framed-User (2)
3.  Radius:IETF Framed-IP-Address EQUALS x.x.x.x
4.  Radius:IETF Framed-IP-Netmask EQUALS x.x.x.x
5.  Radius:IETF Framed-MTU EQUALS 1500
6.  Radius:IETF Tunnel-Type EQUALS VLAN (13)
7.  Radius:IETF Tunnel-Medium-Type EQUALS IEEE-802 (6)
8.  Radius:IETF Tunnel-Private-Group-Id EQUALS 100
9.  Radius:Alcatel-lucent A-ESAM-PoL-Fwd-ID EQUALS 230
10.  Radius:Alcatel-lucent A-ESAM-PoL-Vp-ID EQUALS 230
11.  Radius:Alcatel-lucent A-ESAM-PoL-Client-Type EQUALS 1

 

Thanks,

S.Muthukannan

Re: how to define Vendor ID in clearpass for an enterprise

I believe you had the service rule set to match ANY. You need to pass the VLAN 100 in an enforcement profile.

 

You can import the attached sample service and check the enforcement policy/profile.


Thank you,
Saravanan Rajagopal


Re: how to define Vendor ID in clearpass for an enterprise

Hi Saravanan,

Thanks a lot for your help.

I loaded the file you have given and tested. It worked fine, meaning the authentication was successful and VLAN 100 was assigned (Tunnel ID).

Now I chose only VSA attributes and am trying to assign the VLAN, which is failing. The issue I figured out from the RADIUS response is that the VLAN to be assigned by RADIUS to the user is defined by the VSA A-ESAM-PoL-Fwd-ID, whose defined value is 230, but the RADIUS server is returning 0x323330, because of which authentication has failed. I have defined this attribute as Octet array (note: in FreeRADIUS the same is defined as string). Attached the service, enforcement profile and policy. Can you please let me know if anything else is to be changed?

Thanks,
S.Muthukannan

Re: how to define Vendor ID in clearpass for an enterprise

Change the data type to string for A-ESAM-PoL-Fwd-ID in the dictionary and re-import it. Test the authentication after the import and test the result.


Thank you,
Saravanan Rajagopal


Re: how to define Vendor ID in clearpass for an enterprise

Saravanan,

 

Tried that as well, still the same issue. Suspect it's not recognising it as a 2-byte value, not sure.

Debug msg from our box states:

"Length of Alcatel Vendor sub attribute is more than Main attribute length"

"Validation of the Attributes in the Received packet failed"

This issue is not seen with FreeRADIUS.

I did not reboot the Aruba ClearPass after setting the attribute to String.

I will try that as well.

 

Thanks,

S.Muthukannan.

 

Re: how to define Vendor ID in clearpass for an enterprise

Can you also try the type as integer (Unsigned32)?

 

Restart the radius and policy services after importing the dictionary.

 

Navigate to: Administration >> Server Manager >> Server Configuration >> <click on ClearPass server name> >> Services Control and stop/start the services.

 

You can dump the packet capture from freeradius and check the radius Accept packet to understand the returned attribute and compare it with ClearPass radius accept (output).


Thank you,
Saravanan Rajagopal
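
Added example, not part of the thread and not ClearPass or ISAM code: a small Python helper for the capture comparison suggested above. It shows how the configured value 230 lands on the wire under different dictionary data types and applies the kind of nested length check the NAS debug message refers to. The vendor ID and sub-attribute number are constructed placeholders, since the thread does not give the real ones.

```python
import struct

VENDOR_ID = 99999   # constructed placeholder, not the vendor's real enterprise number
FWD_ID_TYPE = 1     # constructed placeholder for A-ESAM-PoL-Fwd-ID's sub-attribute number


def value_encodings(value: int) -> dict:
    """Wire bytes for the same configured value under three dictionary data types."""
    return {
        "string": str(value).encode("ascii"),    # 230 -> 0x323330 (3 bytes)
        "unsigned32": struct.pack("!I", value),  # 230 -> 0x000000e6 (4 bytes)
        "two_bytes": struct.pack("!H", value),   # 230 -> 0x00e6 (2 bytes)
    }


def encode_vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Build a Vendor-Specific attribute (RADIUS type 26, RFC 2865 section 5.26)."""
    sub = bytes([vtype, len(value) + 2]) + value   # vendor length counts its 2-byte header
    return bytes([26, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub


def parse_vsa(attr: bytes):
    """Return (vendor_id, [(vtype, value), ...]); raise ValueError on inconsistent lengths."""
    if len(attr) < 8 or attr[0] != 26:
        raise ValueError("not a Vendor-Specific attribute")
    if attr[1] != len(attr):
        raise ValueError("attribute length field does not match the data")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    body, subs, pos = attr[6:], [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = body[pos], body[pos + 1]
        if vlen < 2 or pos + vlen > len(body):
            raise ValueError("sub-attribute length exceeds enclosing attribute")
        subs.append((vtype, body[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


if __name__ == "__main__":
    for name, raw in value_encodings(230).items():
        attr = encode_vsa(VENDOR_ID, FWD_ID_TYPE, raw)
        print(f"{name:10s} value=0x{raw.hex()} vsa={attr.hex()}")
```

Feeding `parse_vsa` the Vendor-Specific bytes copied from the FreeRADIUS and ClearPass Access-Accept captures shows which value length each server actually sends for the sub-attribute.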
