Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba Controller - RADIUS accounting

  • 1.  Aruba Controller - RADIUS accounting

    Posted 12 days ago

    Is there a mechanism of controlling which accounting packets are being sent to a RADIUS server (NPS) on an Aruba controller? 

    I am attempting to RSSO clients on a WatchGuard firewall using the Class attribute sent within the RADIUS accounting packet. At the moment I am adding the Class attribute on NPS which includes a string value which is used to map to a group attribute within the WatchGuard to RSSO client sessions. 

    I am sending the accounting packets from the Aruba controller to NPS, which then forwards the accounting on to the WatchGuard, including the added Class attribute.

    However, in the capture below I am seeing two Class attributes being sent to the WatchGuard and I am getting no accounting-response. I am currently under the impression that the WatchGuard cannot process two Class attributes, only one of which contains the group attribute information. The other Class attribute is probably being added by either the AP or the controller. Is there any way of manipulating this on the Aruba controller? I cannot strip RADIUS attributes on NPS in the same way you can on ClearPass. So I am left with two Class attributes. The first Class attribute listed below corresponds to the value 'WG-BYOD', which is the one the WatchGuard requires. The second one is sent by default but I currently have no way of removing it.

    It is also not possible to use any other attribute, e.g. Filter-Id, as this is not forwarded as part of the accounting packet. This only appears in the access-accept but is not included in the subsequent accounting packet. Therefore, it seems I must use Class. However, I am now in the position of forwarding this twice in the same accounting packet, which I believe is preventing the WatchGuard from acknowledging it.



  • 2.  RE: Aruba Controller - RADIUS accounting

    EMPLOYEE
    Posted 11 days ago

    No, you aren't going to be able to modify the accounting packets in the controller like that.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Aruba Controller - RADIUS accounting

    Posted 5 days ago

    Thanks. Is it possible that if multiple Class attributes are referenced in the accounting-request AVPs, this could cause an issue with a firewall processing the RSSO request? As I am attempting to use the RADIUS attribute Class to define group attributes on the WatchGuard firewall for RSSO, but the request skips the intended policy containing the group reference, sent in the Class AVP.




  • 4.  RE: Aruba Controller - RADIUS accounting

    EMPLOYEE
    Posted 4 days ago

    That would be dependent on how the firewall handles the attribute when multiple values are received, which in this case appears to be either to honor only one or to just drop entirely.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
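
To check from a capture how many Class attributes actually reach the firewall, and in what order, the Accounting-Request can be decoded offline. This is an added example, not part of the original thread or any vendor's code; the sample packet, the user name and the opaque second Class value are constructed, and only the 'WG-BYOD' string comes from the thread.

```python
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
ATTR_CLASS = 25         # Class attribute type (RFC 2865)

def parse_attributes(packet: bytes):
    """Return (code, [(attr_type, value), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the data")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def class_values(packet: bytes):
    """List every Class value, in wire order, from an Accounting-Request."""
    code, attrs = parse_attributes(packet)
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    return [value for a_type, value in attrs if a_type == ATTR_CLASS]

def build_sample() -> bytes:
    """Constructed packet: authenticator zeroed, values are made up."""
    def avp(a_type, value):
        return bytes([a_type, len(value) + 2]) + value
    body = (avp(1, b"alice")                       # User-Name
            + avp(40, struct.pack("!I", 1))        # Acct-Status-Type = Start
            + avp(ATTR_CLASS, b"WG-BYOD")          # group string from the thread
            + avp(ATTR_CLASS, bytes.fromhex("4a2f0c1e00000137")))  # opaque
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    values = class_values(build_sample())
    print(f"{len(values)} Class attribute(s) in Accounting-Request")
    for v in values:
        # Show printable values as text, opaque ones as hex
        shown = v.decode() if v.isascii() and v.decode().isprintable() else v.hex()
        print("  Class =", shown)
```

Passing the UDP payload of a captured accounting packet to `class_values()` in place of `build_sample()` shows the same list for real traffic.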