Hello,

I am trying to set up radius authentication between ocserv and ClearPass. Authentication is working, but ClearPass is not sending authorization attributes with access-accept.

Per ocserv docs openconnect/ocserv groupconfig is set to true. The radius request coming from ocserv includes the service-type attribute set to 8, authenticate-only. ClearPass is returning access-accept, but nothing else from the enforcement profile. My assumption right now is that ClearPass is not including the authorization attributes from the enforcement profile in access-accept because it is responding to a service-type 8 request.

I am currently setting up an attempted workaround, but it is not going well. Create a proxy service that catches the initial authentication request and changes the service-type before forwarding it to itself (127.0.0.2). Have another service configured to listen for requests from 127.0.0.2 and hopefully respond with the authorization attributes. There is the possibility that the proxy service will still strip the attributes, and I would hate to get this working to find that to be the case.

Does anyone know if my assumption is wrong, or if a ClearPass service can be configured to ignore service-type 8 and return authorization attributes?

------------------------------
Thank you for your time,

Ronald Patrick
------------------------------
ClearPass can respond with attributes regardless of the Service-Type set in the request.

Can you share your service configuration and Access Tracker information?
If you mention 'access-accept, nothing else', do you get that information from Access Tracker? Or from your radius client? Or from a network capture?

There is a mode for your service called Monitor mode, which runs through the full processing of your service, but in the end, just returns Access-Accept. You can recognize that in the service list: the normally green circle on the right of your service is orange.
Otherwise, take the standard (high-level) approach to fine-tune your service:
- Make sure you match the right service
- Make sure you see the right enforcement profile selected

If there is not the expected match, work back from there to understand why the service is not matched or the wrong enforcement is selected.

Your Aruba partner or Aruba Support should be able to assist you if you can't work this out or find it yourself.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
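An added example, not from this thread and not ocserv or ClearPass code, showing what the exchange above looks like at the packet level: an Access-Request carrying Service-Type 8 (Authenticate-Only) as ocserv sends it, and an Access-Accept decoded attribute by attribute once its Response Authenticator has been verified against the shared secret, which is the check that fails when the server knows the client under a different NAD entry than the one it is using. The user name, the Filter-Id value and the shared secret are constructed.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2              # RADIUS packet codes (RFC 2865)
ATTR_USER_NAME, ATTR_SERVICE_TYPE, ATTR_FILTER_ID = 1, 6, 11
SERVICE_TYPE_AUTHENTICATE_ONLY = 8                # the value ocserv sends

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS type/length/value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Decode RADIUS attributes into (type, value-bytes) pairs; reject bad lengths."""
    out, i = [], 0
    while i < len(data):
        t, l = data[i], (data[i + 1] if i + 1 < len(data) else 0)
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute length")
        out.append((t, data[i + 2:i + l]))
        i += l
    return out

def build_access_request(ident, req_auth, user):
    """Authenticate-Only Access-Request, as ocserv sends it with groupconfig = true."""
    attrs = encode_attrs([(ATTR_USER_NAME, user.encode()),
                          (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_AUTHENTICATE_ONLY))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, ident, req_auth, attrs_bytes, secret):
    """Server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return head + hashlib.md5(head + req_auth + attrs_bytes + secret).digest() + attrs_bytes

def check_reply(reply, req_auth, secret):
    """Verify the Response Authenticator, then return (code, decoded attributes).
    A mismatch means the reply was not built with the secret this NAD entry uses."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    head, resp_auth, attrs_bytes = reply[:4], reply[4:20], reply[20:length]
    if resp_auth != hashlib.md5(head + req_auth + attrs_bytes + secret).digest():
        raise ValueError("Response Authenticator mismatch")
    return code, decode_attrs(attrs_bytes)

def demo(secret=b"constructed-shared-secret"):
    """Constructed round trip: Service-Type 8 request, Access-Accept carrying Filter-Id."""
    req_auth = os.urandom(16)
    request = build_access_request(7, req_auth, "vpnuser")
    accept = build_reply(ACCESS_ACCEPT, 7, req_auth,
                         encode_attrs([(ATTR_FILTER_ID, b"vpn-users")]), secret)
    return decode_attrs(request[20:]), check_reply(accept, req_auth, secret)
```

Run `check_reply` over the Access-Accept bytes from a capture (with the client's shared secret) to see exactly which attributes the server returned, independent of what the client or Access Tracker reports.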

Original Message:
Sent: Dec 08, 2020 06:55 PM
From: Ronald Patrick
Subject: ClearPass Ignore Service-Type
Thank you for your reply. Good to know that my assumption was wrong and ClearPass should be responding with attributes.

I found the error in the Network>Devices configuration on ClearPass. ClearPass recorded the requests coming from 10.219.1.30, when it should have been coming from 10.219.1.31. Once I added .30, everything worked. Strange though that it was replying to an unconfigured NAD.



------------------------------
Ronald Patrick
------------------------------

Original Message:
Sent: Dec 09, 2020 04:08 AM
From: Herman Robers
Subject: ClearPass Ignore Service-Type