RSSO accounting issue

I am currently using NPS as an authentication server for an 802.1X PEAP-MSCHAPv2 SSID and forwarding accounting to a Watchguard firewall for RSSO. Aruba APs and controller. I have a few possible issues which I'd like to discuss:

-On a packet capture I am only seeing interim accounting packets hitting the Watchguard with no start messages. Will the Watchguard be able to process this for RSSO with only interim update messages?

-Somewhere in the authentication flow a Class attribute is being added. I am then attempting to add Class as an added value in NPS which contains the user group value in order for the Watchguard to process. But both Class attributes are being forwarded to the Watchguard. How would the Watchguard handle being sent 2x Class attributes with only one containing the user group info? I have attempted to remove one of the Class attributes in NPS but this does not look possible.

-I have attempted to add Filter-Id into the accounting packet on NPS with the user group value (and change the Watchguard settings to be the same) but it does not seem to appear in the capture. However, when I add Class it appears immediately.

Comments

  • james.carson Moderator, WatchGuard Representative

    -The WatchGuard needs Start, Stop, and Interim-Update messages.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/rsso_about.html#:~:text=accounting Start, Stop, and Interim-Update accounting messages

    -I believe the firewall will take the first one. I would suggest only sending one if possible.

    -If the attribute doesn't appear in your packet capture, the RADIUS server isn't sending it.

    -James Carson
    WatchGuard Customer Support
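    As an added example (not code from the thread or from WatchGuard), a small Python parser for RADIUS Accounting-Request packets that reports the two things checked above: which Acct-Status-Type values (Start, Stop, Interim-Update) appear in a capture, and whether a packet carries more than one Class attribute. The sample packets are constructed; the group value "Sales" and the opaque second Class value are assumptions.

```python
import struct
from collections import Counter

# RADIUS code and attribute types (RFC 2865 / RFC 2866)
ACCOUNTING_REQUEST = 4
ATTR_CLASS, ATTR_ACCT_STATUS_TYPE = 25, 40
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_attr(atype, value):
    """Encode one RADIUS attribute as Type / Length / Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_acct_request(attrs, identifier=1):
    """Build an Accounting-Request with a zeroed authenticator (constructed sample)."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body)) + bytes(16) + body

def parse_attrs(packet):
    """Return (code, [(type, value), ...]) with basic length validation."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def check_rsso_accounting(packets):
    """Report missing Start/Stop/Interim-Update messages and duplicate Class attributes."""
    seen, findings = Counter(), []
    for pkt in packets:
        code, attrs = parse_attrs(pkt)
        if code != ACCOUNTING_REQUEST:
            continue
        status = "missing"
        for atype, value in attrs:
            if atype == ATTR_ACCT_STATUS_TYPE:
                status = ACCT_STATUS.get(struct.unpack("!I", value)[0], "unknown")
        seen[status] += 1
        classes = [v for t, v in attrs if t == ATTR_CLASS]
        if len(classes) > 1:
            findings.append("%s: %d Class attributes, first=%r" % (status, len(classes), classes[0]))
    for needed in ("Start", "Stop", "Interim-Update"):
        if seen[needed] == 0:
            findings.append("no %s messages seen" % needed)
    return findings

# Constructed capture: two Interim-Updates, each with a group Class (assumed "Sales") first
# and an opaque session Class second; no Start or Stop packets at all.
SAMPLE = [build_acct_request([
    build_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 3)),
    build_attr(ATTR_CLASS, b"Sales"),
    build_attr(ATTR_CLASS, bytes.fromhex("3b0100"))]) for _ in range(2)]
```

    Running `check_rsso_accounting` over packets exported from the capture shows at a glance whether the firewall ever received a Start, and which Class value comes first in each request.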

  • Thanks, James.

    I believe the firewall will take the first one. I would suggest only sending one if possible.

    -If you're referring to the Class attribute here: I currently do not have a mechanism to only send a single Class attribute, as the secondary attribute shown in the pcap screenshot above is being added somewhere and I cannot remove it. However, the Class attribute which I have added in NPS is not being acknowledged by the Watchguard, despite it being first in the list. I am not receiving any accounting response from the Watchguard in the pcap, which suggests it is not processing the Class attribute which I have added containing the group attribute value?

  • James,

    The question I need answering is if the Watchguard is capable of only processing a single Class attribute during an accounting-request or if it drops the packet entirely if there is more than one value?

    What I am seeing at present is the WG ignoring the correct policy and matching on the default RSSO policy. The default includes the RADIUS-SSO-Users rule within it, which users will match on if they do not have a user group affiliation. This suggests that the Class attribute is not being processed by the WG and that it is ignoring the Class attribute containing the group attribute.

  • james.carson Moderator, WatchGuard Representative

    Hi @AdamNewson
    The firewall is expecting to see one attribute. If you supply multiple, it will generally use the first one (provided it matches a group in the firewall.)

    If you're running into an issue with this, I would suggest opening a support case so that one of our technicians can assist.

    -James Carson
    WatchGuard Customer Support
