Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

radius access-accept doesn't contain username attribute

  • 1.  radius access-accept doesn't contain username attribute

    Posted Aug 30, 2018 06:09 AM

    I'm replicating a local RADIUS authentication with ClearPass as I do on Cisco ACS - and I have observed that with ACS the IETF:User-Name attribute is always returned in the access-accept packet.

    However, with ClearPass this is omitted.

    Is this a global setting? If not, how do I return the IETF:User-Name value as part of my enforcement profile?



  • 2.  RE: radius access-accept doesn't contain username attribute

    EMPLOYEE
    Posted Aug 30, 2018 08:34 AM

    ClearPass returns the User-Name attribute in Access-Accept packets for EAP-based authentications and not for other authentication types.

    You can configure your enforcement as below to return the User-Name attribute.

    [Screenshot attachment: accept_enfircement.jpg]



  • 3.  RE: radius access-accept doesn't contain username attribute

    Posted Aug 30, 2018 11:38 AM

    To add onto this:

    I've seen cases where Aruba controllers showed no user in the controller user tables for a subset of EAP-TTLS authenticated devices. I speculate that this is caused when a device is reauthenticated using TLS session resumption. Adding an enforcement profile that always returns the username, similar to what is shown in the post above, resolved this for us and is probably a good idea in general.



  • 4.  RE: radius access-accept doesn't contain username attribute

    EMPLOYEE
    Posted Aug 30, 2018 12:03 PM

    Most 802.1x supplicants have the ability for the user to return an anonymous username where they can enter anything. The enforcement policy will override that.