Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass RADIUS Accounting with Sophos Firewall


    Posted 14 days ago

    Hi, this is my first post on AirHeads. We have just moved from Meru/Fortinet to Aruba CX switches, Aruba APs, ClearPass and Central. All has gone well, but we are having an issue with RADIUS SSO on our Sophos XG Firewall.

    We are using a combination of AP 635 and AP 655 access points running AOS 10.4.1.1 (we found a major bug on later firmware preventing the reliable use of 2.4 GHz, AOS-246235). The APs are all managed through Aruba Central and authentication is managed by ClearPass. The current wireless user sign-in process is as follows:

    1) Users sign into the wireless network using 802.1X EAP-TLS. They are authenticated against Active Directory via ClearPass and we verify the device exists in Intune using the ClearPass/Intune plugin.

    2) The SSID is configured to send RADIUS Accounting messages to ClearPass.

    3) The Service that matches this SSID in ClearPass is configured to proxy Accounting messages to our Sophos XG Firewall.

    4) Our Sophos XG Firewall uses the RADIUS Accounting data to SSO the users and provide appropriate web filtering.

    This is working perfectly: when a user signs in to the wireless network they immediately appear in the list of active users on the firewall and get the appropriate filtering. When they disconnect they are immediately removed from the list of active users. However, there is an issue when users roam from one access point to another.

    When a user moves from AP1 to AP2, AP1 sends a RADIUS Accounting Stop message to Sophos. Sophos isn't sophisticated enough to understand that the disconnection is only from the AP, and not from the network. The user is immediately signed out of the firewall; they remain connected to the wireless network but are unable to access the internet.

    As far as I can tell from the limited Sophos documentation, their implementation only pays attention to the Framed-IP address and the Framed-User values.

    We have tried disabling OKC/802.11r to force a full authentication when the device reaches the next AP, and we have tried enabling interim accounting, but the Sophos Firewall doesn't appear to support interim accounting messages.

    In the end we have implemented a clumsy workaround where we delete the Acct-Status-Type of all accounting messages associated with this SSID in the accounting proxy section of the relevant ClearPass service and then replace it with an Acct-Status-Type of Start. With this configuration users can authenticate and roam the campus without being disconnected from the internet. However, their session never times out on the firewall.

    I did find that in AOS 8 there appears to be a setting to address this issue called "Roaming RADIUS Accounting Service", but this doesn't appear to have been implemented in AOS 10, at least I can't find any reference to it.

    Has anyone else faced this issue? Is there some other way to stop the accounting Stop messages being sent for roams?

    Thanks

    Leon
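The roam problem Leon describes, modelled as a roam-aware accounting filter sitting between the APs and the firewall. This is an added illustration, not ClearPass or Sophos code: it holds each Stop for a short grace window, keyed on the User-Name/Framed-IP pair the firewall cares about, and drops the Stop if a Start for the same user and IP arrives from a different AP inside the window (a roam), while still releasing it when no Start follows (a real disconnect). The field names, the 10-second grace window and the sample messages are constructed assumptions.

```python
from dataclasses import dataclass

ROAM_GRACE_SECONDS = 10.0  # assumed window in which Stop->Start on another AP counts as a roam

@dataclass(frozen=True)
class AcctMessage:
    status_type: str        # "Start", "Stop" or "Interim-Update"
    user_name: str          # the User-Name the firewall keys its SSO session on
    framed_ip: str          # the Framed-IP-Address the firewall keys on
    called_station_id: str  # which AP sent the message (constructed AP names below)
    timestamp: float        # seconds; constructed clock for the example

class RoamAwareAccountingFilter:
    """Decides which accounting messages to forward to the firewall."""

    def __init__(self, grace=ROAM_GRACE_SECONDS):
        self.grace = grace
        self.held_stops = {}  # (user, ip) -> Stop message awaiting a possible roam Start

    @staticmethod
    def _key(msg):
        return (msg.user_name, msg.framed_ip)

    def process(self, msg):
        """Return the list of messages to forward right now for this input."""
        key = self._key(msg)
        if msg.status_type == "Stop":
            self.held_stops[key] = msg  # hold it; a roam Start may cancel it
            return []
        if msg.status_type == "Start":
            held = self.held_stops.pop(key, None)
            if held is None:
                return [msg]  # plain sign-in, nothing pending
            is_roam = (msg.timestamp - held.timestamp <= self.grace
                       and msg.called_station_id != held.called_station_id)
            if is_roam:
                return [msg]  # roam: the Stop is discarded, firewall session survives
            return [held, msg]  # same AP or too slow: a genuine disconnect then reconnect
        return [msg]  # Interim-Update and anything else pass straight through

    def flush(self, now):
        """Release held Stops whose grace window has expired (true disconnects)."""
        expired = [m for m in self.held_stops.values() if now - m.timestamp > self.grace]
        for m in expired:
            del self.held_stops[self._key(m)]
        return expired
```

The filter only ever delays a Stop by the grace window, so firewall sessions still end when a client really leaves, unlike the rewrite-everything-to-Start workaround.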