RADIUS Accounting with Aruba Wireless



pat13b
2014-03-13, 11:18
Hello,

Anyone using Aruba wireless and IA with Check Point?

Once the clients initially register their cert, the authentication is done between the Aruba and client and not AD, so we are trying to pull RADIUS from the controller in order to identify these users.

Is the Check Point considered the RADIUS Server? and the Aruba Controller the Client?

We configured RADIUS on the controller and in the IA section of Check Point.

We put: (Vendor specific 26)
Device Name = 31
User Name = 1
IP Address = 8

I see nothing in the logs related to RADIUS.

The controller setting is pointing to the IP address of the interface of the Check Point. I put a rule to allow this above the stealth rule.
Not even sure I need to do this.

Any help here would be appreciated.

Thanks
-pat

PhoneBoy
2014-03-13, 19:02
You have to configure the RADIUS server Aruba uses to send RADIUS Accounting messages to the gateway.

pat13b
2014-03-13, 19:16
Thanks very much for the response.

Maybe I'm putting too much thought into this. Other than the configuration in the Identity Awareness / RADIUS Accounting section, do I need to define a RADIUS server under Servers in SmartDashboard?

I put this Aruba controller running RADIUS into the RADIUS Accounting section and that should be it, right? Other than getting the attributes to match up.

-pat

pat13b
2014-03-20, 07:34
Aruba claims this CANNOT be done. I find it hard to believe that their controller cannot spit out RADIUS accounting.

Anyone actually have this working or tried to get it to work in their network?

-pat

AKKO_CP
2015-05-01, 21:46
Hi Pat,

I see this discussion was continued here in part, have you found a solution to your problem since?
https://www.cpug.org/forums/showthread.php/19654-R77-RADIUS-accounting

No doubt you've seen sk103579 and now the most recent development in this integration being: sk104958, refer also:
https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=17063

Until now it's ClearPass or other intermediate RADIUS server / proxy that needed to upstream the accounting messages it receives start/stop/interim(update) to the Check Point gateway. We've been chasing down a similar issue which makes the identity mapping intermittent / unreliable and believe it's relating to Aruba's accounting behaviour; in doing so we came across this thread: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Radius-accounting-anomolies/td-p/144741/

The below thread also provides some good insight into some related challenges that can be faced on the Wireless side relating to identity mapping:
https://community.aerohive.com/aerohive/topics/use_the_framed_ip_address_avp_containing_a_clients_ip_address_correctly_in_radius_accounting

Cheers
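
Added example (not part of any post in this thread, and not Check Point or Aruba code): a small decoder for a RADIUS Accounting-Request that pulls out the attributes configured in the first post (User-Name = 1, Framed-IP-Address = 8, attribute 31 as the device name) plus Acct-Status-Type, and flags a message that carries no Framed-IP-Address, the case the post above links to. The sample packets are constructed with a zeroed authenticator, and the Request Authenticator is not verified because that needs the shared secret.

```python
import socket
import struct

# Attribute numbers from the thread, plus Acct-Status-Type (RFC 2865 / 2866).
USER_NAME, FRAMED_IP, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 31, 40
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
ACCOUNTING_REQUEST = 4

def parse_accounting(packet: bytes) -> dict:
    """Decode the fields an identity mapping needs from one Accounting-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"code {code} is not Accounting-Request (4)")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    out = {"user": None, "ip": None, "device": None, "status": None}
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        value = packet[pos + 2:pos + alen]
        if atype == USER_NAME:
            out["user"] = value.decode("utf-8", "replace")
        elif atype == FRAMED_IP and len(value) == 4:
            out["ip"] = socket.inet_ntoa(value)
        elif atype == CALLING_STATION_ID:
            out["device"] = value.decode("utf-8", "replace")
        elif atype == ACCT_STATUS_TYPE and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            out["status"] = STATUS.get(number, str(number))
        pos += alen
    # Without both a user name and a client IP there is nothing to map.
    out["mappable"] = out["user"] is not None and out["ip"] is not None
    return out

def build_sample(attrs: list) -> bytes:
    """Build a constructed test packet; the authenticator is zeroed, not computed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: an Accounting Start with and without Framed-IP-Address.
_COMMON = [(ACCT_STATUS_TYPE, struct.pack("!I", 1)), (USER_NAME, b"alice"),
           (CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF")]
SAMPLE_START = build_sample(_COMMON + [(FRAMED_IP, socket.inet_aton("10.0.0.25"))])
SAMPLE_NO_IP = build_sample(_COMMON)
```

Feeding it the UDP payload of each datagram captured on the accounting port shows whether the controller or proxy is sending messages at all and whether each one carries both a user name and a client IP.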

pat13b
2015-05-05, 10:20
Thanks for the info. I have seen some of this. I don't think Check Point and Aruba have a very good working relationship. At least this is what we see from a Customer perspective.
We were supposed to see a fix to this in Dec 2014 timeframe but never heard back from either of them.
We ended up getting away from Cert authentication and instead did 802.1x. This worked out well for us on the wireless devices with accounts within AD. Now we see identities in Check Point.

-pat

pat13b
2015-05-05, 10:26
I did NOT see sk104958 !!! This does look promising...So they did get together on this. We just weren't updated I guess.

Thanks for the info !!!

-pat