Zdenek Rottenberg

Identity Awareness - RADIUS Accounting mode

Discussion created by Zdenek Rottenberg on Apr 16, 2018
Latest reply on Apr 24, 2018 by Dameon Welch-Abernathy

I performed testing of Identity Awareness in my lab (RADIUS Accounting mode only) and found some problems I am not able to explain. I would really appreciate any comments to the following:

- userAccountControl LDAP attribute is ignored by IA. If a user is locked out, it is allowed to access a network. Is this correct behaviour, or did I misconfigure something?

- The same thing happens when I try to authorize a user based on fw1user (objectClass) LDAP attributes.

- Direct mapping of user/machine to group directly on the CP firewall by issuing the command 'pdp radius groups set -u 26 -a 1 -c 9 -d ","' does not work correctly when several Vendor-Specific RADIUS AV pairs are included within one RADIUS accounting-request. How can I correctly use the command to assign group membership if the following attributes come to the CP firewall within one accounting-request?

Cisco-AVPair = "ssid=ssid01"
Cisco-AVPair = "vlan-id=30"
Cisco-AVPair = "nas-location=unspecified"

I want to assign group membership based on the first AV pair.

Thank you very much for any comments.

In case somebody is interested, I included all my findings from the lab in the attached document.

Best regards,

ZR
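Added example to go with the third bullet (and the lockout concern in the first): this is Python written for this thread, not Check Point code and not how `pdp radius groups` works internally. It builds a constructed Accounting-Request attribute section carrying the same three Cisco-AVPair values quoted above, parses the Vendor-Specific attributes the way RFC 2865 defines them (attribute type 26, vendor ID 9, vendor-type 1, the same three numbers passed as `-u`, `-c` and `-a`), selects the `ssid=` pair by its key rather than by its position in the packet, and only maps it to a group when the AD userAccountControl bits show the account is neither disabled nor locked out. The user name and the SSID-to-group table are constructed for the demonstration.

```python
"""RADIUS accounting VSA parsing and key-based group mapping (added example).

Not Check Point's implementation: it only illustrates why a packet with several
Cisco-AVPair attributes should be matched on the AV-pair key, not on position.
"""
import struct
from typing import Dict, List, Optional, Tuple

ATTR_USER_NAME = 1          # RFC 2865 User-Name
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific (the -u 26 in the post)
VENDOR_CISCO = 9            # IANA enterprise number for Cisco (the -c 9)
CISCO_AVPAIR = 1            # Cisco-AVPair vendor attribute type (the -a 1)

# Active Directory userAccountControl flag bits (documented values)
UAC_ACCOUNTDISABLE = 0x0002
UAC_LOCKOUT = 0x0010

# Constructed mapping for the example: which SSID grants which access group
SSID_GROUPS: Dict[str, str] = {"ssid01": "Wifi-Corp", "guest": "Wifi-Guest"}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a RADIUS TLV")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(text: str) -> bytes:
    """Encode a Cisco-AVPair inside a Vendor-Specific attribute:
    Type 26, Length, Vendor-Id(4), Vendor-Type(1), Vendor-Length(1), String."""
    data = text.encode("ascii")
    vsa = struct.pack("!IBB", VENDOR_CISCO, CISCO_AVPAIR, len(data) + 2) + data
    return encode_attr(ATTR_VENDOR_SPECIFIC, vsa)


def parse_attrs(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs; reject truncated or zero-length entries."""
    attrs = []
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack_from("!BB", payload, pos)
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def cisco_avpairs(payload: bytes) -> List[str]:
    """Return every Cisco-AVPair string in packet order. A single Vendor-Specific
    attribute may carry more than one sub-attribute, so loop inside it as well."""
    pairs = []
    for atype, value in parse_attrs(payload):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack_from("!I", value, 0)[0] != VENDOR_CISCO:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = struct.unpack_from("!BB", value, pos)
            if vlen < 2 or pos + vlen > len(value):
                break  # malformed sub-attribute: ignore the rest of this VSA
            if vtype == CISCO_AVPAIR:
                pairs.append(value[pos + 2:pos + vlen].decode("ascii", "replace"))
            pos += vlen
    return pairs


def avpair_value(pairs: List[str], key: str) -> Optional[str]:
    """Value of the AV pair whose key matches, regardless of where it sits."""
    for pair in pairs:
        k, sep, v = pair.partition("=")
        if sep and k.strip() == key:
            return v.strip()
    return None


def account_usable(user_account_control: int) -> bool:
    """Refuse to map identities whose AD account is disabled or locked out."""
    return not (user_account_control & (UAC_ACCOUNTDISABLE | UAC_LOCKOUT))


def group_for_request(payload: bytes, user_account_control: int) -> Optional[str]:
    """Group to assign for one accounting-request, or None if nothing applies."""
    if not account_usable(user_account_control):
        return None
    ssid = avpair_value(cisco_avpairs(payload), "ssid")
    return SSID_GROUPS.get(ssid) if ssid else None


# Constructed attribute section mirroring the three AV pairs quoted in the post
SAMPLE_REQUEST = (
    encode_attr(ATTR_USER_NAME, b"jdoe")
    + encode_cisco_avpair("ssid=ssid01")
    + encode_cisco_avpair("vlan-id=30")
    + encode_cisco_avpair("nas-location=unspecified")
)

if __name__ == "__main__":
    print(cisco_avpairs(SAMPLE_REQUEST))
    print(group_for_request(SAMPLE_REQUEST, 0x200))  # NORMAL_ACCOUNT -> Wifi-Corp
    print(group_for_request(SAMPLE_REQUEST, 0x202))  # disabled -> None
```

The point of matching on the key is that the order of Cisco-AVPair attributes in an accounting-request is up to the NAS, so a rule that takes "the first Vendor-Specific attribute" will pick up `vlan-id=30` or `nas-location=unspecified` as soon as the NAS reorders them; the lockout gate is the check a defender would want in front of any such mapping.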
