  • 1.  Multiple values for an Attribute in Enforcement Profile

    Posted Oct 17, 2018 03:41 PM

    1st post. Go easy on me :)

    We are using ClearPass Policy Manager with RADIUS authentication for our ADC made by A10 Networks. For FreeRADIUS the setup looks like this:

    A10-Admin-Partition = "test1",

    A10-Admin-Partition += "test2",

     

    When we try and build this in ClearPass the operator is fixed with an "=" only. I have tried a custom dictionary with no luck, and if we pass two "=" lines with ClearPass the first entry is the only one that is accepted. Tried with "test1" and "test2" as 1 value and still no luck. Has anyone had any luck with passing multiple values for 1 attribute?

     

     

     



  • 2.  RE: Multiple values for an Attribute in Enforcement Profile

    Posted Oct 17, 2018 03:58 PM
    Did you try just returning two separate enforcement profiles?


  • 3.  RE: Multiple values for an Attribute in Enforcement Profile

    Posted Oct 17, 2018 04:02 PM

    Yes, does not work. But thanks for the tip. It really wants that += operator rather than =.



  • 4.  RE: Multiple values for an Attribute in Enforcement Profile

    Posted Oct 17, 2018 04:15 PM
    Multiple enforcement profiles should work. Please open a TAC case.


  • 5.  RE: Multiple values for an Attribute in Enforcement Profile

    Posted Oct 17, 2018 04:43 PM

    Opened, waiting on second level support. 1st level was not much help, thought I would show up here and see if anyone else has had success in the past.

    Thanks again for the tip!

     



  • 6.  RE: Multiple values for an Attribute in Enforcement Profile

    Posted May 21, 2019 03:43 PM

    Was there any resolution to this case?  I am encountering the same issue.  Thank you.



  • 7.  RE: Multiple values for an Attribute in Enforcement Profile

    Posted Oct 24, 2019 08:06 PM

    Just wanted to reply that I recently went through this same situation and currently there is no way to do this as of CPPM 6.8.3.  If you need to send back multiple values for the same RADIUS attribute, which the A10 appliance wants in order to assign partition authorization via RADIUS, it won't work.

     

    We were able to have ClearPass assign multiple enforcement profiles with the appropriate A10-Admin-Partition attributes, however it will only send back one of the attribute-value pairs in the RADIUS reply.  While the CPPM roles and enforcement profiles were assigned appropriately, if you have multiple enforcement profiles sending back different values for the same attribute ClearPass will just overwrite the value and only send back one value for the attribute rather than stacking the values.  Apparently there is no way to set the RADIUS reply to use a += value and stack the attributes as required by the A10.  

     

    More info from the A10 manual:

    To authorize an administrator for access to multiple partitions, use the following RADIUS syntax:

    A10-Admin-Partition = "partition-name1"
    A10-Admin-Partition += " partition-name2"
    A10-Admin-Partition += " partition-name3"
    A10-Admin-Partition += " partition-name4"
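
The difference this thread turns on, shown at the packet level, as an added example that is not part of any post above: the stacked `+=` form is the same vendor-specific attribute repeated in one Access-Accept, so a reply taken from a capture can be checked for how many values it actually carries. The vendor ID 22610 and sub-attribute number 3 are assumptions to confirm against the A10 RADIUS dictionary, and the packets are constructed samples.

```python
import struct

VSA = 26                 # RADIUS Vendor-Specific attribute (RFC 2865)
A10_VENDOR_ID = 22610    # assumption: A10 Networks enterprise number
A10_ADMIN_PARTITION = 3  # assumption: sub-attribute number in the A10 dictionary
ACCESS_ACCEPT = 2


def encode_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific AVP carrying a single sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", VSA, len(sub) + 6, vendor_id) + sub


def build_accept(values, ident=1):
    """Constructed Access-Accept with one VSA per value (the stacked '+=' form)."""
    attrs = b"".join(encode_vsa(A10_VENDOR_ID, A10_ADMIN_PARTITION, v.encode())
                     for v in values)
    # Zeroed authenticator: enough for parsing, a real reply carries an MD5 digest.
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs


def vsa_values(packet, vendor_id, vendor_type):
    """Return every value of (vendor_id, vendor_type) in wire order."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        body = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VSA or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != vendor_id:
            continue
        sub = body[4:]  # one VSA may hold several sub-attributes
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == vendor_type:
                found.append(sub[2:sub[1]].decode("utf-8", "replace"))
            sub = sub[sub[1]:]
    return found
```

A reply that yields a single value from `vsa_values` where two partitions were assigned matches the overwrite behaviour described in post 7.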