CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: RADIUS Accounting with Aruba Wireless

  1. #1
    Join Date
    2007-05-25
    Posts
    207
    Rep Power
    13

    Default RADIUS Accounting with Aruba Wireless

    Hello,

    Anyone using Aruba wireless and IA with Check Point?

    Once the clients initially register their cert, the authentication is done between the Aruba and client and not AD, so we are trying to pull RADIUS from the controller in order to identify these users.

    Is the Check Point considered the RADIUS server, and the Aruba controller the client?

    We configured RADIUS on the controller and in the IA section of Check Point.

    We put: (Vendor specific 26)
    Device Name = 31
    User Name = 1
    IP Address = 8

    I see nothing in the logs related to RADIUS.

    The controller setting is pointing to the IP address of the interface of the Check Point. I put a rule to allow this above the stealth rule.
    Not even sure I need to do this.

    Any help here would be appreciated.

    Thanks
    -pat

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: RADIUS Accounting with Aruba Wireless

    You have to configure the RADIUS server Aruba uses to send RADIUS Accounting messages to the gateway.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2007-05-25
    Posts
    207
    Rep Power
    13

    Default Re: RADIUS Accounting with Aruba Wireless

    Thanks very much for the response.

    Maybe I'm putting too much thought into this. Other than the configuration in the Identity Awareness / RADIUS Accounting section, do I need to define a RADIUS server under Servers in SmartDashboard?

    I put his Aruba controller running RADIUS into the RADIUS Accounting section and that should be it, right? Other than getting the attributes to match up.

    -pat

  4. #4
    Join Date
    2007-05-25
    Posts
    207
    Rep Power
    13

    Default Re: RADIUS Accounting with Aruba Wireless

    Aruba claims this CANNOT be done. I find it hard to believe that their controller cannot spit out RADIUS accounting.

    Anyone actually have this working or tried to get it to work in their network?

    -pat

  5. #5
    Join Date
    2011-11-20
    Posts
    31
    Rep Power
    0

    Default Re: RADIUS Accounting with Aruba Wireless

    Hi Pat,

    I see this discussion was continued here in part. Have you found a solution to your problem since?
    https://www.cpug.org/forums/showthre...IUS-accounting

    No doubt you've seen sk103579 and now the most recent development in this integration being: sk104958, refer also:
    https://support.arubanetworks.com/Do...?EntryId=17063

    Until now it's ClearPass or another intermediate RADIUS server / proxy that needed to upstream the accounting messages it receives, start/stop/interim(update), to the Check Point gateway. We've been chasing down a similar issue which makes the identity mapping intermittent / unreliable and believe it's related to Aruba's accounting behaviour; in doing so we came across this thread: http://community.arubanetworks.com/t...s/td-p/144741/

    The thread below also provides some good insight into some related challenges that can be faced on the wireless side relating to identity mapping:
    https://community.aerohive.com/aeroh...ius_accounting

    Cheers
    Last edited by AKKO_CP; 2015-05-01 at 23:27.
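
An added example, not part of the original posts or of either vendor's tooling: a Python check for a captured RADIUS Accounting-Request that verifies the RFC 2866 authenticator against the shared secret and reports whether the attributes mapped in the first post (User-Name 1, Framed-IP-Address 8, Calling-Station-Id 31) and the start/stop/interim status discussed above are present. The packet, shared secret, user name and addresses are constructed sample values, and `build_request` and `parse_accounting` are hypothetical helper names.

```python
import hashlib
import hmac
import ipaddress
import struct

# Attribute numbers from the mapping in the first post; 40 is Acct-Status-Type.
USER_NAME, IP_ADDRESS, DEVICE_NAME, ACCT_STATUS_TYPE = 1, 8, 31, 40
STATUS = {1: "start", 2: "stop", 3: "interim-update"}  # RFC 2866 values
ACCOUNTING_REQUEST = 4
SECRET = b"constructed-secret"  # assumption: sample shared secret

def build_request(ident, attrs, secret):
    """Build a constructed Accounting-Request to use as sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def parse_accounting(packet, secret):
    """Verify the authenticator and return the fields the gateway maps."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    packet = packet[:length]  # ignore trailing padding
    # RFC 2866: MD5(header + 16 zero bytes + attributes + shared secret)
    digest = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(digest, packet[4:20]):
        raise ValueError("authenticator mismatch: check the shared secret")
    found, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        found[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    ip = found.get(IP_ADDRESS)
    return {
        "status": STATUS.get(int.from_bytes(found.get(ACCT_STATUS_TYPE, b""), "big"), "unknown"),
        "user": found.get(USER_NAME, b"").decode("utf-8", "replace"),
        "ip": str(ipaddress.IPv4Address(ip)) if ip else None,
        "device": found.get(DEVICE_NAME, b"").decode("utf-8", "replace"),
        "missing": [t for t in (USER_NAME, IP_ADDRESS, DEVICE_NAME) if t not in found],
    }

SAMPLE = build_request(7, [(ACCT_STATUS_TYPE, (1).to_bytes(4, "big")), (USER_NAME, b"jdoe"),
    (IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed),
    (DEVICE_NAME, b"AA-BB-CC-DD-EE-FF")], SECRET)  # constructed values
if __name__ == "__main__":
    print(parse_accounting(SAMPLE, SECRET))
```

A non-empty `missing` list means the sender is not supplying an attribute the gateway's mapping expects, and an authenticator mismatch points at the shared secret rather than the attribute mapping.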

  6. #6
    Join Date
    2007-05-25
    Posts
    207
    Rep Power
    13

    Default Re: RADIUS Accounting with Aruba Wireless

    Thanks for the info. I have seen some of this. I don't think Check Point and Aruba have a very good working relationship. At least this is what we see from a customer perspective.
    We were supposed to see a fix to this in Dec 2014 timeframe but never heard back from either of them.
    We ended up getting away from Cert authentication and instead did 802.1x. This worked out well for us on the wireless devices with accounts within AD. Now we see identities in Check Point.

    -pat

  7. #7
    Join Date
    2007-05-25
    Posts
    207
    Rep Power
    13

    Default Re: RADIUS Accounting with Aruba Wireless

    I did NOT see sk104958!!! This does look promising... So they did get together on this. We just weren't updated, I guess.

    Thanks for the info!!!

    -pat
