Aha ok I have that now, thanks. I have set up the mapping as you suggested, Accounting messages should now get the 'Guest Accounting' role and then in my enforcement policy I can match on that role. However I'm not too sure how my enforcement profile should be set up to then proxy those messages to the FreeRADIUS servers. I see there's a 'Session Notification Enforcement' option, is that the one? But I can't see how to make that forward on the accounting messages.
We actually already use the session notification enforcement method to notify our FortiManager of start/stops for the 'special' guest user arrangements that we already have in place - though for that we don't have to do anything special to 'catch' accounting messages, we just have a login/logout enforcement profile as part of the User authentication enforcement policy for Guest. The 'special' guest users are identified by their username suffix and given a different role to standard guest users, then that role is matched on in the Enforcement policy and the 'log-in/log-out' profile is used. But of course this isn't actually proxying the accounting messages, just using an API call to update FortiManager. I guess some logic in the background is identifying whether it is a login, or a logout, action.
Original Message:
Sent: Apr 15, 2025 08:29 AM
From: shpat
Subject: Accounting advice
Check under Mapping Rules: 
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.
Original Message:
Sent: Apr 15, 2025 06:22 AM
From: cauliflower
Subject: Accounting advice
This sounds ideal, but when I try to set up an enforcement policy rule to match on the RADIUS:Acct-Status-Type I can't see any option that fits, the RADIUS attributes don't seem to be available at all :(
Original Message:
Sent: Apr 14, 2025 10:59 AM
From: shpat
Subject: Accounting advice
You are correct that ClearPass processes the first matching service, so you can't have one service for Guest and another for just accounting - the second one will never match. So the solution is not to create a new service, but instead to modify the existing Guest service by injecting logic to proxy the accounting packets while still processing them locally.
I don't have the testing environment for now, but what i can think of as a logic is to modify your Guest Service in Clearpass and then to edit Enforcement Policy and add a new Rule with Radius:Acct. You can create a rule that only applies when Radius:Acct-Status-Type is Start or Stop.
Additional as an option you can say Connection:SSID = "Guest SSID"
Then, you can define a Proxy Target (in this case FreeRadius Group) as an enforcement action, and attach that to the enforcement policy. So you will go to Proxy Targets and create a RADIUS Accounting Proxy Target which will point to your FreeRADIUS. Then the Enforcement Policy would be with condition: RADIUS:Acct-Status-Type = Start (and/or Stop) -> with action: RADIUS Accounting Proxy to FreeRADIUS.
In this case, Clearpass will process the accouning message locally (for Fortinet and Insight) and forward a copy to FreeRADIUS as an Accounting Packet.
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.
Original Message:
Sent: Apr 14, 2025 10:33 AM
From: cauliflower
Subject: Accounting advice
Thank you, this is useful.
Our current config is that on AOS the server group in use for accounting has all 4 ClearPass servers listed individually. Load balancing is turned on on that server group. It sounds like you're saying that enabling Multiple accounting servers (and adding our FreeRADIUS servers to this group) would be problematic as AOS would send accounting to all servers in that group which ClearPass would struggle with?
I like the idea of have a separate rule for guest to proxy accounting packets while also processing them on ClearPass. So are you saying we would keep our guest service as it is and create a completely new service to proxy just accounting? But surely only the 1st service match would actually be processed, so this could not work as the accounting proxy service would never be matched on? Or am I misunderstanding your suggestion?
I looked at adding a new enforcement policy rule to our existing guest service to proxy on accounting requests - I can't see how to achieve that either. But it's the kind of solution would be good.
Guy
Original Message:
Sent: Apr 14, 2025 12:40 AM
From: shpat
Subject: Accounting advice
Hi Guy,
I will give my thoughts on this:
Option 1: If you have 4 Clearpass Nodes in a Cluster and configured with a Virtual IP and all NADs will be pointing at it, you will get the accounting traffic on all the nodes. ClearPass doesn't automatically deduplicate RADIUS accounting packets. If all 4 receive the same packet, this could confuse Insight, profiling, session tracking, and especially guest session logic - even more so with your Fortinet integration relying on accurate state tracking. It would likely break session consistency or create race conditions if Fortinet responds based on accounting packets received from different nodes. Don't do this unless you're load balancing in a way that ensures only one ClearPass node processes a given client - which AOS doesn't do with accounting.
Since you already use ClearPass to proxy accounting for eduroam and IoT, extending this for Guest sounds like the best approach. Initially, do not disable accounting on the Guest service in ClearPass, or the Fortinet integration might be having issues. Instead, add a separate Accounting Forwarding rule or Service level proxy policy for just the Guest accounting, so that accounting packets are sent to both FortiManager and FreeRadus.
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.
Original Message:
Sent: Apr 11, 2025 10:39 AM
From: cauliflower
Subject: Accounting advice
Hello,
Bit of a mix of AOS and ClearPass in this question
AOS 8.10.0.16 (2 clusters plus backup clusters)
2 x Conductor + standby conductor
ClearPass 6.12.4 (4 subscribers, Pub and standby Pub)
We currently send auths for our largest service (eduroam) to ClearPass, but ClearPass just proxies them, as well as Accounting messages, to our FreeRADIUS servers (for various reasons)
We also authenticate our IoT and Guest services on ClearPass itself (ie these are not proxied - but accounting messages for IoT _are_ proxied to FR). Guest is run on ClearPass and uses a captive portal.
We want to get accounting messages for Guest to the FreeRADIUS servers. But our guest service is slightly complicated by the fact that it utilises an integration with Fortinet (FortiManager) to treat some guest users differently. This integration relies on accounting messages being sent between ClearPass and FortiManager, so accounting messages must also come to ClearPass.
What we want to achieve is ideally sending accounting messages to both the ClearPass boxes and our FreeRADIUS servers without interrupting the Fortinet integration that exists on Guest that utilises accounting messages. I'm assuming that if we proxy the accounting messages for Guest from ClearPass then this would break the FortiManager arrangement.
I noticed that on AOS it is possible to turn on Multiple Server Accounting, which would be ideal except for I assume this would mean accounting messages would be sent to all of the servers in the specified accounting server group - this would include the 4 ClearPass boxes as well as our 2 FreeRADIUS servers. What effect would sending accounting messages to all 4 ClearPass servers have? Would that be problematic?
Another option might be to work out a way of sending accounting messages from ClearPass to the FreeRADIUS servers. At the moment we do this for eduroam and IoT by proxying accounting at the individual service level. But if we set up a syslog export filter for accounting messages instead would that then send all accounting messages (for all services) from ClearPass to FreeRADIUS without breaking the FortiManager arrangement? (Then could we also turn off accounting proxy in the individual services?)
I hope some of that makes sense!
Thanks,
Guy